Dear Diego, I would also like to give you the result of the actions you recommended, plus the Google Workspace logs:

Stunnel

in the stunnel.conf file I entered the following configuration:

[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = C:\tmp\cert\Google_2025_05_24_39655.crt
key = C:\tmp\cert\Google_2025_05_24_39655.key

and these are the logs:

2022.06.03 15:39:56 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
2022.06.03 15:39:56 LOG5[main]: UTF-8 byte order mark detected
2022.06.03 15:39:56 LOG5[main]: FIPS mode disabled
2022.06.03 15:39:56 LOG4[main]: Service [ldap] needs authentication to prevent MITM attacks
2022.06.03 15:39:57 LOG5[main]: Configuration successful

It seems to me that it is OK.

JXplorer

In Security \ Client Certificates \ Add Certificate I gave the Google Workspace certificate file and a name, and then the default password, which is "passphrase".

Then I selected the imported certificate and clicked on Set Private Key, and I gave the Google Workspace key file and then the default password, which is "passphrase".

I clicked on the "Connect to DSA" button.

I set up the fields as follows:

host: ldap.google.com
port: 636
Protocol: LDAP v3
Base DN: ou = Users, dc = school name, dc = edu, dc = it
Level: SSL + User + Password
User DN: username of the credentials generated with the LDAP client in Google Workspace
Password: password of the credentials generated with the LDAP client in Google Workspace.

I get the following error:

Error opening connection: ldap.google.com:636

Error details:

javax.naming.CommunicationException: ldap.google.com:636 [Root exception is java.net.ConnectException: Connection timed out: connect]
    at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
    at com.ca.commons.jndi.JNDIOps.openContext(JNDIOps.java:529)
    at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:123)
    at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
    at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:59)
    at com.ca.commons.naming.DXOps.<init>(DXOps.java:41)
    at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
    at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:477)
    at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422)
    at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396)
    at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
    at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913)
    at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
    at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
    at com.ca.commons.security.JXSSLSocketFactory.createSocket(JXSSLSocketFactory.java:517)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
    ... 26 more

Google Workspace logs \ reporting \ audit and investigation \ LDAP log events

PREMISE: pippo.franco@school name.edu.it is the directory user with which I am trying to log in to the captive portal on a device connected to the inline wifi network.

BlankDogue is the username of the credentials generated with the LDAP client.

 

2022-06-03T17:11:19+02:00 | Association failed | LDAP bind with uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it failed with INVALID_CREDENTIALS. | 3 | PF | ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com | 3 | 0 | 0 | 53729df6-6fe4-44a2-a4f9-10a4fc28e94e | uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it | INVALID_CREDENTIALS

2022-06-03T17:11:18+02:00 | Successful search | LDAP search with (uid=pippo.franco) successful. | 2 | PF | ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com | ou=Users,dc=school name,dc=edu,dc=it | false | 0 | 0 | (uid=pippo.franco) | WHOLE_SUBTREE | 53729df6-6fe4-44a2-a4f9-10a4fc28e94e | DEREF_FINDING_BASE_OBJ | SUCCESS | dn

2022-06-03T17:11:18+02:00 | Successful association | LDAP bind with BlankDogue successful. | 1 | PF | ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com | 3 | 0 | 0 | 53729df6-6fe4-44a2-a4f9-10a4fc28e94e | BlankDogue | SUCCESS

2022-06-03T17:11:18+02:00 | Successful association | LDAP bind with "" successful. | 0 | PF | ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com | 3 | 0 | 0 | 53729df6-6fe4-44a2-a4f9-10a4fc28e94e | "" | SUCCESS

Thanks
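An added diagnostic, written for this thread and not code from the list, PacketFence or Google: the JXplorer trace above fails inside java.net.Socket.connect, before any TLS handshake, so this stdlib-only Python script separates the hops that the stunnel/JXplorer setup exercises (raw TCP to ldap.google.com:636, the local stunnel listener on 127.0.0.1:1636, and the client-certificate TLS handshake that stunnel performs) and names the layer at which each one fails. Hosts, ports and certificate paths are the ones from the stunnel.conf above; everything else is assumed.

```python
"""Stdlib-only connectivity check for the Google Secure LDAP setup in the thread above.
JXplorer's trace fails inside java.net.Socket.connect, before any TLS handshake, so the
first question is which hop fails: raw TCP to ldap.google.com:636, the local stunnel
listener on 127.0.0.1:1636, or the client-certificate TLS handshake stunnel performs."""
import socket
import ssl

GOOGLE_LDAP = ("ldap.google.com", 636)
STUNNEL_LOCAL = ("127.0.0.1", 1636)
CLIENT_CERT = r"C:\tmp\cert\Google_2025_05_24_39655.crt"  # paths from the thread's stunnel.conf
CLIENT_KEY = r"C:\tmp\cert\Google_2025_05_24_39655.key"

def classify(exc: BaseException) -> str:
    """Name the layer at which a connection attempt failed."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp-timeout"            # no SYN/ACK: outbound 636 filtered, routing or proxy issue
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"            # host answered but nothing listens (e.g. stunnel not running)
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server-cert-untrusted"  # TCP fine, Google's server chain not trusted on this host
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"          # TCP fine, client cert/key rejected or mismatched
    return "other"

def check_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """Plain TCP connect only: the step JXplorer's trace timed out on."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError as exc:
        return classify(exc)

def check_client_cert_tls(host: str, port: int, cert: str, key: str, timeout: float = 5.0) -> str:
    """TLS handshake presenting the Secure LDAP client certificate, as stunnel does."""
    ctx = ssl.create_default_context()  # verifies Google's server certificate chain
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return classify(exc)

if __name__ == "__main__":
    print("direct tcp      ->", check_tcp(*GOOGLE_LDAP))
    print("stunnel tcp     ->", check_tcp(*STUNNEL_LOCAL))
    print("client-cert tls ->", check_client_cert_tls(*GOOGLE_LDAP, CLIENT_CERT, CLIENT_KEY))
```

A "tcp-timeout" on the direct hop with an "ok" TLS result from a host that can reach port 636 points at the network path, not the certificate or credentials; a "tcp-refused" on 127.0.0.1:1636 means stunnel is not listening where JXplorer should be pointed.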

 

 

From: leonardo.izzo--- via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Friday, 3 June 2022 12:22
To: 'Diego Garcia del Rio' <garc...@gmail.com>; packetfence-users@lists.sourceforge.net
Cc: leonardo.i...@itsinformatica.it
Subject: [PacketFence-users] RE: Setting up a local source with Google Workspace

 

Hello Diego, in the meantime, thanks for the reply.

 

In the 'Username Attribute' field, I entered 'uid' and in BaseDN I entered ou = Users, dc = myschool, dc = edu, dc = it as you suggested.

By clicking on the 'Test' button you get a positive result, so the indicated parameters are probably correct.

On my pf server configured in inline mode, I created a connection profile having as its source the local source configured with Google Workspace, which tested correctly.

In the captive portal that appears on the client side in the wifi on the inline network, I enter the credentials of a Google Workspace user, but unfortunately the error "Invalid login or password" comes out even though these credentials are correct (id: usern...@schoolname.edu.it and password).

 

How come? A thousand thanks

 

From: Diego Garcia del Rio <garc...@gmail.com>
Sent: Thursday, 2 June 2022 10:48
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: leonardo.i...@itsinformatica.it
Subject: Re: [PacketFence-users] Setting up a local source with Google Workspace

 

Most of the defaults should work. For the Username Attribute, 'uid' should work.

When you click on the "test" button for the bindDn and password, does it work?

Make sure the LDAP service is enabled as well (not just the credentials generated). It's quite annoying, as it's not readily evident you haven't enabled the service.

Also, using "stunnel" (for certificate-based SSL tunneling to Google) and an LDAP browser such as "JXplorer" you can test and see if you can browse the LDAP tree, make sure the credentials are OK, etc.

 

The bindDN is "just" the username, like "jdoe", but the BaseDN needs to have the prefix "ou=Users", such as the following:

ou=Users,dc=myschool,dc=edu,dc=ar

 

cheers!

 

 

 

 

On Sun, May 29, 2022 at 1:43 PM leonardo.izzo--- via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello everyone, I have some doubts regarding some fields of the source in 
question.

 

In 'Bind DN' and 'Password' I have to enter the credentials generated by the 
Google Workspace console -> Authentication section -> "Generate new 
credentials". Quite right?

In the 'Base DN' field I have entered the customer's domain in DN format, i.e. the domain is schoolname.edu.it, so in this field I have entered the string: dc = schoolname, dc = edu, dc = it. Quite right?

'Host' = ldap.google.com on SSL port 636
'SSL Verify Mode' = none
'Dead duration' = 60
'Connection timeout' = 1
'Request timeout' = 5
'Response timeout' = 10
'Scope' = Subtree
'Search Attributes' = null
'Append search attributes' = null
'Email Attribute' = mail
'Cache match' = off
'Monitor' = on
'Shuffle' = off
'Associated Realms' = nothing

Also I wanted to know what to put in the 'Username Attribute' field.

 

Thanks

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
