LDAP authentication - SSL Certificate

By: Julien Bastin user 06 Feb 2020 at 7:54 a.m. CST

4 Responses
Julien Bastin gravatar
Hello everyone, I'm a student in Belgium and I'm intern in a company, and I have to make a SSO. So for now, I configured an Active Directory server and a Gluu server, I can authenticate on Gluu server with Active Directory's credentials but with commenting the 3 lines about SSL in the file ** /etc/gluu/conf/gluu-ldap.properties**. My question is how I have to do to use a SSL certificate ? Must I to import the server's certificate (Active Directory) into Gluu server ? But how to do ? Because I can copy a file into a chroot. Maybe I don't understand something. Thank you in advance.
Gluu 4.0 Ubuntu 18.04
closed

Answers

By Julien Bastin user 06 Feb 2020 at 10:15 a.m. CST

Copy
Julien Bastin gravatar
Here is a draw
Video or screenshot link

By Michael Schwartz Account Admin 06 Feb 2020 at 8:19 p.m. CST

Copy
Michael Schwartz gravatar
Cache Refresh uses trustall by default, so you shouldn't have to import the AD public cert into the Gluu Server java trust store. I'm not sure which three lines you commented out in gluu-ldap.properties.

By Julien Bastin user 06 Feb 2020 at 11:44 p.m. CST

Copy
Julien Bastin gravatar
These lines are commented : ``` #ssl.trustStoreFile: /etc/certs/opendj.pkcs12 #ssl.trustStorePin: QoOtWnoHZdbAqfnYOV78LA== #ssl.trustStoreFormat: pkcs12 ``` If I don't comment these lines I can't login with Active Directory credentials.

By Sven Jörns user 27 Mar 2020 at 9:51 a.m. CDT

Copy
Sven Jörns gravatar
I have the same problem. It also doesn't matter if I leave the three lines commented or not. Cache Refresh works unencrypted, but not via SSL. The main problem is that this month (March 2020) Microsoft is distributing an update for the server operating systems that will prevent unencrypted connections to Active Directory. This in turn has actually motivated me to use Gluu. Various dependent Linux services would not be affected by such a change from Microsoft in the future. Unfortunately the log file oxtrust_persistence.log is not very meaningful for me, what is going wrong here. ``` 2020-03-27 14:43:14,356 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 1 2020-03-27 14:43:19,361 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 2 2020-03-27 14:43:24,368 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 3 2020-03-27 14:43:29,379 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 4 2020-03-27 14:43:34,385 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 5 2020-03-27 14:43:39,391 INFO [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:234) - Attempting to create connection pool: 6 2020-03-27 14:43:44,396 ERROR [qtp665576141-15] [gluu.persist.ldap.operation.impl.LdapConnectionProvider] (LdapConnectionProvider.java:83) - Failed to create connection pool with properties: {bindDN=CN=DMZ User,CN=Users,DC=COMPANY,DC=local, useSSL=true, bindPassword=REDACTED, servers=172.16.1.1:636} com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server 172.16.1.1:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /172.16.1.1:636: SocketException(Connection reset), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')) at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:875) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:764) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:714) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:538) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:307) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:662) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1283) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1256) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1197) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1050) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:974) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:904) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:799) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolImpl(LdapConnectionProvider.java:268) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.createConnectionPoolWithWaitImpl(LdapConnectionProvider.java:238) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.init(LdapConnectionProvider.java:155) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.create(LdapConnectionProvider.java:75) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?] at org.gluu.persist.ldap.operation.impl.LdapConnectionProvider.<init>(LdapConnectionProvider.java:70) ~[oxcore-persistence-ldap-4.1.0.Final.jar:?] at org.gluu.oxtrust.action.ConfigureCacheRefreshAction.testLdapConnection(ConfigureCacheRefreshAction.java:717) ~[classes/:?] at org.gluu.oxtrust.action.ConfigureCacheRefreshAction$Proxy$_$$_WeldSubclass.testLdapConnection$$super(Unknown Source) ~[classes/:?] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222] at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.gluu.service.security.SecurityInterceptor.invoke(SecurityInterceptor.java:55) ~[oxcore-service-4.1.0.Final.jar:?] at sun.reflect.GeneratedMethodAccessor179.invoke(Unknown Source) ~[?:?] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222] at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:73) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeAroundInvoke(InterceptorMethodHandler.java:84) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.executeInterception(InterceptorMethodHandler.java:72) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.interceptor.proxy.InterceptorMethodHandler.invoke(InterceptorMethodHandler.java:56) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:79) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:68) ~[weld-core-impl-3.1.2.Final.jar:3.1.2.Final] at org.gluu.oxtrust.action.ConfigureCacheRefreshAction$Proxy$_$$_WeldSubclass.testLdapConnection(Unknown Source) ~[classes/:?] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_222] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_222] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_222] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_222] at org.apache.el.parser.AstValue.invoke(AstValue.java:247) ~[org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40] at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267) ~[org.mortbay.jasper.apache-el-8.5.40.jar:8.5.40] at org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) ~[weld-web-3.1.2.Final.jar:3.1.2.Final] at org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) ~[weld-web-3.1.2.Final.jar:3.1.2.Final] at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) ~[javax.faces-2.2.16.jar:2.2.16] at com.sun.faces.facelets.el.ContextualCompositeMethodExpression.invoke(ContextualCompositeMethodExpression.java:194) ~[javax.faces-2.2.16.jar:2.2.16] at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) ~[javax.faces-2.2.16.jar:2.2.16] at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ~[javax.faces-2.2.16.jar:2.2.16] at javax.faces.component.UICommand.broadcast(UICommand.java:315) ~[javax.faces-2.2.16.jar:2.2.16] at org.richfaces.component.RowKeyContextEventWrapper.broadcast(RowKeyContextEventWrapper.java:104) ~[richfaces-a4j-4.5.17-gluu.Final.jar:4.5.17-gluu.Final] at org.richfaces.component.UIDataAdaptor.broadcast(UIDataAdaptor.java:456) ~[richfaces-a4j-4.5.17-gluu.Final.jar:4.5.17-gluu.Final] at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) ~[javax.faces-2.2.16.jar:2.2.16] at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) ~[javax.faces-2.2.16.jar:2.2.16] at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) ~[javax.faces-2.2.16.jar:2.2.16] at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) ~[javax.faces-2.2.16.jar:2.2.16] at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) ~[javax.faces-2.2.16.jar:2.2.16] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658) ~[javax.faces-2.2.16.jar:2.2.16] at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1386) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:226) ~[websocket-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590) ~[jetty-security-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383) ~[jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.26.v20200117.jar:9.4.26.v20200117] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222] Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /172.16.1.1:636: SocketException(Connection reset), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb') at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:865) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] ... 90 more Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server /172.16.1.1:636: SocketException(Connection reset), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:269) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:166) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:865) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] ... 90 more Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:210) ~[?:1.8.0_222] at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_222] at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[?:1.8.0_222] at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[?:1.8.0_222] at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975) ~[?:1.8.0_222] at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:1.8.0_222] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:1.8.0_222] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:1.8.0_222] at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:897) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:156) ~[unboundid-ldapsdk-4.0.14.jar:4.0.14] ```

Post an answer