Re: JNDI ldaps Problem with SSO

Thu, 20 May 2021 09:37:36 -0700 

Susan,

On 5/18/21 16:58, susan.w...@swisscom.com wrote:

When we are using plain ldap 3268, all works fine with those settings:


Good:
<Realm className="org.apache.catalina.realm.JNDIRealm"
                      connectionURL="ldap://xxxxx.xxxx.com:3268";
                      userBase="DC=XXXINTRA,DC=CH"
                      userSubtree="true"
                      userSearch="(sAMAccountName={0})"
                      userRoleName="memberOf"
                      roleBase="OU=PF00_App- 
Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
  RA,DC=ch "
                      roleName="CN"
                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                      roleSubtree="true"
                      roleNested="true" />


Its when we want to use ldaps with 3269 its failing:
bad:

               <Realm className="org.apache.catalina.realm.JNDIRealm"
                      connectionURL="ldaps://xxxxx.xxxx.com:3269"
                      userBase="DC=XXXINTRA,DC=CH"
                      userSubtree="true"
                      userSearch="(sAMAccountName={0})"
                      userRoleName="memberOf"
                      roleBase="OU=PF00_App- 
Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
                     roleName="CN"
                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                      roleSubtree="true"
                      roleNested="true" />


ldapsearch on port 3269 (ldaps) works fine from the same machine, but yes, it's 
not exactly the same request


TEST ~]# ldapsearch -x -D 
"cn=SA-PF00-Appway,OU=PF00_Appway-CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc=bcintra,dc=ch"
 -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=bcintra,DC=ch> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# Organization, Schema, Configuration, bcintra.ch



We think, ssl-handshake is fine but bind is failing. Why?
What is the error you actually get? Can you pleae post the full stack trace and not just the message? 

-chris



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Dienstag, 18. Mai 2021 18:02
To: users@tomcat.apache.org
Subject: Re: JNDI ldaps Problem with SSO

Susan,

On 5/18/21 09:43, susan.w...@swisscom.com wrote:

Hi all

apache-tomcat-8.0.36

java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java HotSpot(TM)
64-Bit Server VM (build 25.281-b09, mixed mode)

We are having a problem with our Single sign On config.
When using ldap - all works well.

When switiching to ldaps , the User loses to connection all together
(Server not reachable)



server.xml

Good:
              <Realm className="org.apache.catalina.realm.JNDIRealm"
                     connectionURL="ldap://xxxxx.xxxx.com:3268";
                     userBase="DC=XXXINTRA,DC=CH"
                     userSubtree="true"
                     userSearch="(sAMAccountName={0})"
                     userRoleName="memberOf"
                     roleBase="OU=PF00_App-

Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
RA,DC=ch "

                     roleName="CN"
                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                     roleSubtree="true"
                     roleNested="true" />

bad:

              <Realm className="org.apache.catalina.realm.JNDIRealm"
                     connectionURL="ldaps://xxxxx.xxxx.com:3269"
                     userBase="DC=XXXINTRA,DC=CH"
                     userSubtree="true"
                     userSearch="(sAMAccountName={0})"
                     userRoleName="memberOf"
                     roleBase="OU=PF00_App-

Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
RA,DC=ch"

                     roleName="CN"
                     roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
                     roleSubtree="true"
                     roleNested="true" />


Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL

connection itself seems to be fine, Certificates are fine, we are sending the
trustore as well. All is in the relevant cacerts too.

We have a https Server in Front and a proxy Setting to the tomcat.

/usr/java/latest/bin/java
-Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/loggi
ng.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
-Djavax.net.ssl.trustStorePassword=xxxxxx
-Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
-Dnm.data.home=/opt/tomcat/data
-Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
-Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
-Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
-classpath
/opt/tomcat/apache-tomcat-

8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-

tomcat-8.0.36/bin/tomcat-juli.jar
-Dcatalina.base=/opt/tomcat/tomcat8_appway1
-Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
-Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
org.apache.catalina.startup.Bootstrap start



Domain controller seems to close the connection. The Error is "The

Parameter is incorrect", "The System cannot find the path specified." Its
seems to happen, during the bind process, as if the DC can not decrypt our
tomcat request:


First two events are happening several times. After the last anonymous

bind is entered, the bind exited is done with the appway service account user.
Right after that the error appears.

Internal event: Function ldap_bind entered.
         SID: S-1-5-7
         Source IP: 11.1xx.xxx.xxx:51240
         Operation identifier: 894498
         Data1:
         Data2: 1004335171
         Data3:
         Data4:
Internal event: Function ldap_bind exited.
         Elapsed time (ms): 0
         SID: S-1-5-7
         Source IP: 11.1xx.xxx.xxx::51240
         Operation identifier: 894498
         Data1:
         Data2: 1004335171
         Data3: 1004335171
Internal event: Function ldap_bind entered.
         SID: S-1-5-7
         Source IP: 11.1xx.xxx.xxx::51240
         Operation identifier: 894498
         Data1:
         Data2: 1004335203
         Data3:
         Data4:

Internal event: Function ldap_bind exited.
         Elapsed time (ms): 0
         SID: S-1-5-21-576815021-3137181063-3029416097-6939
         Source IP: 11.1xx.xxx.xxx::51240
         Operation identifier: 894498
         Data1:
         Data2: 1004335203
         Data3: 1004335203


Then we see the same error events like we saw before already with the
normal log level Internal event: The LDAP server returned an error.

Additional Data
Error value:
00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
message, data 0, v2580

Internal event: An LDAP client connection was closed because of an error.

Client IP:
11.1xx.xxx.xxx::51240

Additional Data
Error value:
87 The parameter is incorrect.
Internal ID:
c0c0095






In the App Log of the tomcat we see:

/opt/tomcat/tomcat8_appway1/logs


localhost.2021-03-22.log


22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]

org.apache.catalina.core.ApplicationContext.log  [CompressingFilter/1.7.1]
CompressingFilter is being destroyed...

22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
org.apache.catalina.core.ApplicationContext.log No Spring
WebApplicationInitializer types detected on classpath
22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
org.apache.catalina.core.ApplicationContext.log
[CompressingFilter/1.7.1] CompressingFilter has initialized
22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
policy access restrictor classpath:/jolokia-access.xml
22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
org.apache.catalina.realm.JNDIRealm.authenticate Exception performing
authentication
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:

DSID-0C0907E9, comment: In order to perform this operation a successful
bind must be completed on the connection., data 0, v2580^@]; remaining
name 'DC=BCINTRA,DC=CH'



22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing
authentication
javax.naming.NamingException: LDAP connection has been closed;

remaining name 'DC=BCINTRA,DC=CH'





What are we missing?


Because your AD server sees the connection, it's probably not a TLS
handshake failure, but I was wondering if it was a TLS handshake failure.
Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I think that
was done at 1.8 patch 291 and you are on patch 281

Maybe you should be using port 3269 instead of 3268? Looks like 3269 is for
TLS and 3268 is for plaintext.


You say that ldapsearch works. Can you post that command-line?

-chris
B‹KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
KKKKKKKKKCB•È[œÝXœØÜšX™KK[XZ[

ˆ\Ù\œË][œÝXœØÜšX™PÛXØ]
˜\XÚK›Ü™ÃB‘›ÜˆY][Û˜[ÛÛ[X[™ËK[XZ[

ˆ\Ù\œËZ[ÛXØ]
˜\XÚK›Ü™ÃBƒ


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to