JAAS ldap issue

IAM David Bantz dabantz at alaska.edu
Wed Jun 3 01:34:22 UTC 2020


Yes, 6361 is using "ldaps"; it is NOT using (is not configured for)
StartTLS.

ldaps://cas-auth-t.alaska.edu:6361 establishes a secure connection in the
legacy CAS server and in Apache Directory Studio.

Both of the openssl commands return the same server cert (which is in the
IdP trusted store) and report establishing a valid TLS1.2 encrypted
connection:


 openssl s_client  -showcerts -connect cas-auth-t.alaska.edu:6361

CONNECTED(00000003)
depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street = 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN = cas-auth-t.alaska.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street = 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN = cas-auth-t.alaska.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
-----BEGIN CERTIFICATE-----
•••
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2454 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B66CC36AB9D0BEE20C8BBC39DD5CD2415CF945D9A9C985F3A22DD976BF7FACDE
    Session-ID-ctx:
    Master-Key: 47BE18926CB47F42E42510B90A08EEAD5B7004312ACA9060AD82F1447D698267F650BD5E2529CF81A584817375F3CEB2
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
•••
    Start Time: 1591147289
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

openssl s_client  -showcerts -connect cas-auth-t.alaska.edu:6361  -CAfile /opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem

CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street = 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN = cas-auth-t.alaska.edu
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
-----BEGIN CERTIFICATE-----
••••
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2454 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 37F7114BA64FE4A2117DEE1E684D1735C11B49F6A9EDE654A7449438E3F6D3DB
    Session-ID-ctx:
    Master-Key: 2B5A57D5CF9222EE0EEB349E25F8FF86A53A8DBD7EF36BFD5EA5592050CE5F01DB4AABC4B263D9EF553A185D36A8657E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ••••
    Start Time: 1591147790
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0


On Tue, Jun 2, 2020 at 4:54 PM Michael A Grady <mgrady at unicon.net> wrote:

> Well, is port 6361 an SSL/TLS port or not? I'd agree, if you say SSL is
> true, that should be ldaps, not just ldap, and you need to be sure that it is
> presenting an appropriate set of certs (LDAP server cert and any needed
> intermediates) that are needed. But if it isn't actually an SSL/TLS port,
> and isn't actually presenting a set of certs, then I would expect that
> refusal of connection.
>
> Do an:
>
>   openssl s_client  -showcerts -connect cas-auth-t.alaska.edu:6361
>
> and see what you get back. And if that returns certs, then wherever you
> think you have the accepted Root certs, you could do that same command but
> add:
>
>  openssl s_client  -showcerts -connect cas-auth-t.alaska.edu:6361  -CAfile
> /path/to/Root/certfile
>
> and see if you get a verify at the end of it.
>
> I haven't worked on JAAS config like that in a long time, so nothing else
> off the top of my head. Is this "new JAAS config", or was this exact same
> JAAS config working before in the IdP? I'd have to do some research on the
> first error and JAAS/ldaptive before I could help more, and I'm not going
> to take the time to do that until you have a chance to respond on the above.
>
> On Jun 2, 2020, at 7:35 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>
> I'm using JAAS to take advantage of the "sufficient" logic to fail over to
> a proxy to allow expired accounts to authenticate.
>
> Using this configuration in JAAS.config for the proxy connection
>
>>   // UA Authenticator is proxy to AD allows some expired accounts to
>> authenticate
>>   org.ldaptive.jaas.LdapLoginModule sufficient
>>     ldapUrl="ldap://cas-auth-t.alaska.edu:6361"
>>     baseDn="dc=ur,dc=addev,dc=alaska,dc=edu"
>>     bindDn="CN=•••••,ou=...,dc=ua,dc=adt,dc=alaska,dc=edu"
>>     bindCredential="••••••••••"
>>     subtreeSearch="true"
>>     sslSocketFactory="{trustCertificates=file:/.../•••.pem}"
>>     ssl="true"
>>     tls="false"
>>     userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
>>     connectTimeout="3000"
>>     resultTimeout="3000"
>>     ;
>>
>
>  I see the following error when attempting to use this fail-over:
>
>>   DEBUG [10.25.250.26]
>> org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception
>> class javax.naming.ServiceUnavailableException is ambiguous, maps to
>> multiple result codes: [BUSY, UNAVAILABLE]
>
> (Larger log snippet surrounding this error is below)
>
> Folks here quickly say "that should be ldaps:// not ldap://" but the
> examples in Shib wiki use ldap:// with ssl="true"; if I do use ldaps:// in
> the configuration above, the connection is refused outright:
>
>>  DEBUG [137.229.6.124]
>> org.ldaptive.provider.jndi.JndiConnectionFactory:105 >  Error connecting
>> to LDAP URL: ldaps://cas-auth-t.alaska.edu:6361
>> org.ldaptive.provider.ConnectionException:
>> javax.naming.CommunicationException: cas-auth-t.alaska.edu:6361 [Root
>> exception is javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target]
>>
>
>  Any pointers, hints, interpretation appreciated!
>
> David Bantz
>
> ----
>
> Here's the larger snippet:
> 14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:104 >
>  Retrieved authenticator from factory:
> [org.ldaptive.auth.Authenticator at 1889354517
> ::dnResolver=[org.ldaptive.auth.SearchDnResolver at 849231888
> ::factory=[org.ldaptive.DefaultConnectionFactory at 1944062102
> ::provider=org.ldaptive.provider.jndi.JndiProvider at 2b1f07a,
> config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://
> cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
> sslConfig=null, useSSL=false, useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas
> c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
> bindSaslConfig=null, bindControls=null]]],
> baseDn=dc=ur,dc=addev,dc=alaska,dc=edu,
> userFilter=(|(sAMAccountName={user})(uaIdentifier={user})),
> userFilterParameters=null, allowMultipleDns=false, subtreeSearch=true,
> derefAliases=null, followReferrals=false],
> authenticationHandler=[org.ldaptive.auth.BindAuthenticationHandler at 724026423
> ::factory=[org.ldaptive.DefaultConnectionFactory at 639157001
> ::provider=org.ldaptive.provider.jndi.JndiProvider at 4aac1106,
> config=[org.ldaptive.ConnectionConfig at 345672495::ldapUrl=ldap://
> cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
> sslConfig=null, useSSL=false, useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer at 17429495::bindDn=CN=cas
> c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
> bindSaslConfig=null, bindControls=null]]], saslConfig=null, controls=null],
> entryResolver=null, authenticationResponseHandlers=null]
>
> 14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:108 >
>  Retrieved authentication request from factory:
> [org.ldaptive.auth.AuthenticationRequest at 1634297940::user=null,
> retAttrs=[1.1], controls=null]
>
> 14:05:42:458  DEBUG [10.25.250.26] org.ldaptive.BindOperation:138 >
>  execute request=[org.ldaptive.BindRequest at 1273459038::bindDn=CN=cas c.
> casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
> saslConfig=null, controls=null] with
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 199510270
> ::config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://
> cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
> sslConfig=null, useSSL=false, useStartTLS=false,
> connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas
> c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
> bindSaslConfig=null, bindControls=null]],
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1169982526
> ::metadata=[ldapUrl=ldap://cas-auth-t.alaska.edu:6361, count=1],
> environment={com.sun.jndi.ldap.connect.timeout=3000,
> java.naming.ldap.version=3,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1866297109::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2f383546,
> controlProcessor=org.ldaptive.provider.ControlProcessor at 1f209e2d,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection at 362a968f]
>
> 14:05:42:462  DEBUG [10.25.250.26]
> org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception
> class javax.naming.ServiceUnavailableException is ambiguous, maps to
> multiple result codes: [BUSY, UNAVAILABLE]
>
> 14:05:42:462  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:178 >
>  Error occurred attempting authentication
> org.ldaptive.OperationException: javax.naming.ServiceUnavailableException:
> cas-auth-t.alaska.edu:6361; socket closed
>         at
> org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
> Caused by: javax.naming.ServiceUnavailableException:
> cas-auth-t.alaska.edu:6361; socket closed
>         at com.sun.jndi.ldap.Connection.readReply(Connection.java:454)
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
>
> --
> Michael A. Grady
> IAM Architect, Unicon, Inc.
>
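Added example, not code from the thread or from either poster: a small shell helper that reduces an `openssl s_client -showcerts` transcript like the two above to the facts that decide this kind of LDAPS trust problem, namely how many certificates the server sent and what the verify result was. In the thread's own output the certificate chain lists only entry 0 (the leaf) in both runs, and verification only succeeds once -CAfile supplies the InCommon intermediate and USERTrust root the server did not send; a leaf-only chain therefore only verifies for clients whose trust store carries the issuing chain itself, which applies equally to the trust store Java uses for the ldaps:// connection (here the file named in trustCertificates). The two sample transcripts are constructed, with placeholder names (ldap.example.edu, Example Intermediate CA) and a placeholder certificate body; check_ldaps is the only function that touches the network, and its host and CA bundle are parameters.

```shell
# Added example (not code from the thread): summarise an `openssl s_client -showcerts`
# transcript into the facts that decide an LDAPS trust problem: how many
# certificates the server sent, and whether the client could verify them.

# Constructed transcript, modelled on the first run above (no -CAfile): the
# server sends only its leaf. Names are placeholders; the PEM body is not a key.
SAMPLE_NO_CAFILE='CONNECTED(00000003)
depth=0 C = US, O = Example University, CN = ldap.example.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example University/CN=ldap.example.edu
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0'

# Constructed transcript for the second run: same leaf-only chain, but -CAfile
# supplied the intermediate and root, so depths 1 and 2 verify and the code is 0.
SAMPLE_WITH_CAFILE='CONNECTED(00000003)
depth=2 C = US, O = Example CA, CN = Example Root CA
verify return:1
depth=1 C = US, O = Example CA, CN = Example Intermediate CA
verify return:1
depth=0 C = US, O = Example University, CN = ldap.example.edu
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example University/CN=ldap.example.edu
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---
SSL-Session:
    Verify return code: 0 (ok)
---
read:errno=0'

# Certificates the server presented: one PEM block per chain entry.
# `|| true` stops grep's exit status 1 for "no matches" aborting under set -e.
chain_length() {
  printf '%s\n' "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Numeric verify result from the SSL-Session summary (empty if no handshake).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Issuer DN of the leaf, from the "Server certificate" block.
leaf_issuer() {
  printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# One-line finding. 0: chain verified. 20/21: no path could be built from what
# the server sent plus the client's own trust store.
diagnose() {
  n=$(chain_length "$1")
  code=$(verify_code "$1")
  case "$code" in
    0) echo "ok: chain of $n cert(s) verified against the supplied trust store" ;;
    20|21)
      if [ "$n" -eq 1 ]; then
        echo "leaf-only: server sent 1 cert; its issuer ($(leaf_issuer "$1")) must be in the client trust store"
      else
        echo "untrusted: server sent $n certs but no trust anchor for the chain was found"
      fi ;;
    '') echo "no verify result in transcript (handshake did not complete)" ;;
    *) echo "verify code $code: see the openssl verify(1) man page" ;;
  esac
}

# Live check (needs network): capture the transcript the way the thread did, then
# summarise it. HOST:PORT and the optional CA bundle path are parameters.
check_ldaps() {
  if [ -n "${2:-}" ]; then
    out=$(openssl s_client -showcerts -connect "$1" -CAfile "$2" </dev/null 2>/dev/null)
  else
    out=$(openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null)
  fi
  diagnose "$out"
}

diagnose "$SAMPLE_NO_CAFILE"
diagnose "$SAMPLE_WITH_CAFILE"
```

Against a live directory, `check_ldaps host:port` followed by `check_ldaps host:port /path/to/bundle.pem` reproduces the pair of runs in the message: a "leaf-only" finding on the first call and "ok" on the second means the server is relying on clients to hold the intermediate, so the same intermediate and root have to be present in whatever trust file the IdP's JAAS module is pointed at.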