JAAS ldap issue

IAM David Bantz dabantz at alaska.edu
Wed Jun 3 15:46:09 UTC 2020


And to be clear, the jaas.config for this lone "ldaps" source is ldaps with
tls=false and ssl=true; did not see explicit mention of the ssl=true
component, so I've tried with ssl=false as well, receiving same logged
error on attempted connection:

DEBUG [137.229.6.122] org.ldaptive.provider.jndi.JndiConnectionFactory:105 >
Error connecting to LDAP URL: ldaps://cas-auth-t.alaska.edu:6361

org.ldaptive.provider.ConnectionException:
javax.naming.CommunicationException: cas-auth-t.alaska.edu:6361 [Root
exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]

  // UA Authenticator is proxy to AD allows some expired accounts to authenticate
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldaps://cas-auth-t.alaska.edu:6361"
    baseDn="dc=ua,dc=adt,dc=alaska,dc=edu"
    bindDn="CN=...,ou=...,dc=ua,dc=adt,dc=alaska,dc=edu"
    bindCredential="•••••••••••"
    subtreeSearch="true"
    sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
    ssl="true"
    tls="false"
    userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
    connectTimeout="3000"
    resultTimeout="3000"
    ;

On Wed, Jun 3, 2020 at 7:32 AM db at alaska.edu <dabantz at alaska.edu> wrote:

> IdP 3.4.6 java 8.5.55
>
> Trust configured in JAAS config with explicitly trusted CAs in PEM trust
> file.
>
> [Primary authN ldap servers used (7 AD DCs in 4 domains) use private CAs;
> this failover proxy is the exception using “known” CA, but I used the same
> strategy: its CA - and now server cert itself - are both in the same file
> as the private CAs.
>
> This is the only one of 11 ldap services using “ldaps” - AD DCs all use
> StartTLS; other proxies use ldap.]
>
> David.Bantz at Alaska.edu
>
>
> On Jun 3, 2020, at 04:39, Daniel Fisher:
>
>
> Do you want to configure trust as part of the JAAS config or are you
> attempting to use the default JVM trust? Also, just to confirm, we're
> talking about IDPv3?
>
> --Daniel Fisher
>
>
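The "PKIX path building failed ... unable to find valid certification path" error above means the client could not build a chain from the server's certificate to a certificate it trusts, in this case the PEM file named in trustCertificates. The script below is an added example, not part of this thread and not alaska.edu's certificates: it generates a throwaway CA and a leaf certificate for the constructed hostname ldap-proxy.example.test, then uses openssl verify (OpenSSL 1.1.1 or later assumed) to show the three outcomes a practitioner wants to tell apart: the issuing CA is in the trust file (OK), only the server's own certificate is in the trust file and the issuer is missing (error 20), and the chain is fine but the hostname does not match (error 62).

```shell
#!/bin/sh
# Added example (not from the original thread; certificates and hostname
# are constructed here): reproduce the trust-path failures behind a
# "PKIX path building failed" error with openssl verify.
set -e

HOST=ldap-proxy.example.test        # hypothetical LDAPS proxy hostname
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: explicit CA extensions for the throwaway root.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway root CA (constructed).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Server key + CSR, then a leaf certificate issued by that CA with a SAN
# matching the hostname the client will verify.
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null

# check_chain TRUSTFILE HOSTNAME
# Prints "OK" when server.pem chains to a CA in TRUSTFILE and HOSTNAME
# matches its SAN; otherwise prints the numeric X.509 verify error
# (20 = unable to get local issuer certificate, 62 = hostname mismatch).
# -no-CAfile/-no-CApath keep the system trust store out of the picture,
# so only TRUSTFILE counts, as with an explicit trustCertificates file.
check_chain() {
  out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -verify_hostname "$2" "$WORK/server.pem" 2>&1) && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# A trust file that holds only the server's own certificate, mirroring the
# "server cert itself in the trust file" step: the issuer is still missing.
cp "$WORK/server.pem" "$WORK/trust-without-ca.pem"

echo "issuing CA in trust file:        $(check_chain "$WORK/ca.pem" "$HOST")"
echo "only server cert in trust file:  $(check_chain "$WORK/trust-without-ca.pem" "$HOST")"
echo "issuing CA, wrong hostname:      $(check_chain "$WORK/ca.pem" other.example.test)"
```

The second scenario is the one to look at first when a trust file "contains the server cert" yet the handshake still fails: path building starts from the certificate the server presents and walks issuer by issuer, so the file has to contain the CA (and, if the server does not send it, any intermediate) that signed the leaf, not the leaf itself. Against a live LDAPS endpoint the same check is `openssl s_client -connect host:port -CAfile trust.pem -showcerts`, whose output lists the chain the server actually sends and ends with a `Verify return code` line.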