By: Daniel Steiner user 04 Dec 2019 at 7:04 a.m. CST

2 Responses
Daniel Steiner gravatar
## Authentication Management I have following environment: - DS 389 directory server on CentOS 8.0, only TLS 1.2 or 1.3 are allowed - Gluu server 4.0 on Cent0S 7.7 I think, this is a problem is related to the openjdk version you deliver with Gluu server. ### Setup I followed the setup instructions: 1. Setup cache-refresh (which is working fine) 2. LDAP directory server configured as source LDAP server for authentication (using SSL) 3. Default acr: directory LDAP server (using SSL) 4. oxTrust acr: directory LDAP server (using SSL) 5. LDAP server has a valid wildcard certificate enable (Entrust). The java keystore owns the depend CA per default ## Workaround Configure source LDAP server without SSL. ## Logs - LDAP server log (only relevant part): ``` [04/Dec/2019:07:32:08.887004358 +0000] conn=120 op=-1 fd=65 closed - SSL peer had some unspecified issue with the certificate it received. [04/Dec/2019:07:32:08.896911103 +0000] conn=121 fd=65 slot=65 SSL connection from x.x.x.83 to x.x.x.84 [04/Dec/2019:07:32:08.897859410 +0000] conn=121 op=-1 fd=65 closed - Peer using unsupported version of security protocol. [04/Dec/2019:07:32:08.899690296 +0000] conn=122 fd=65 slot=65 SSL connection from x.x.x.83 to x.x.x.84 ``` - oxtrust.log: ``` 2019-12-04 05:52:34,068 INFO [ForkJoinPool.commonPool-worker-0] [org.gluu.oxauth.service.AppInitializer] ( - Recreated instance persistenceAuthEntryManager: [org.gluu.persist.ldap.impl.LdapEntryManager@b8772f5] 2019-12-04 05:53:16,426 ERROR [qtp105704967-15] [org.gluu.oxauth.service.AuthenticationService] ( - Failed to find entries with baseDN: ou=people,dc=domain,dc=org, filter: (&(&(objectClass=top))(&(uid=dst))) org.gluu.persist.exception.EntryPersistenceException: Failed to find entries with baseDN: ou=people,dc=threema,dc=ch, filter: (&(&(objectClass=top))(&(uid=dst))) at org.gluu.persist.ldap.impl.LdapEntryManager.findEntries( ~[oxcore-persistence-ldap-4.0.Final.jar:?] at org.gluu.persist.impl.BaseEntryManager.findEntries( ~[oxcore-persistence-core-4.0.Final.jar:?] at org.gluu.persist.impl.BaseEntryManager.findEntries( ~[oxcore-persistence-core-4.0.Final.jar:?] ... ``` - oxtrust_script.log: ``` 2019-12-04 05:29:47,917 ERROR [qtp105704967-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] ( - Failed to authenticate DN: inum=0000!4B16.84CF,ou=people,o=gluu org.gluu.persist.exception.AuthenticationException: Failed to authenticate DN: inum=0000!4B16.84CF,ou=people,o=gluu at org.gluu.persist.ldap.impl.LdapEntryManager.authenticate( ~[oxcore-persistence-ldap-4.0.Final.jar:?] ``` ## How-to reproduce Just enable SSL for the authentication. I also tried the ldapsearch opendj client in the Gluu server container: ``` /opt/opendj/bin/ldapsearch -v -Z -h -p 636 -D 'uid=srv_gluu,ou=ou,dc=domain,dc=org' -b 'ou=people,dc=domain,dc=org' -w 'password' '(uid=*)' ``` The same without SSL works fine! This does not give any result (it just hangs).

By Aliaksandr Samuseu staff 04 Dec 2019 at 9:04 a.m. CST

Aliaksandr Samuseu gravatar
Hi, Daniel. Most likely your certificate isn't trusted by oxAuth. To quickly confirm it's the cause, edit `/etc/gluu/conf/` file by commenting next lines out, as shown below: ``` #ssl.trustStoreFile: /etc/certs/opendj.pkcs12 #ssl.trustStorePin: QoOtWnoHZdbAqfnYOV78LA== #ssl.trustStoreFormat: pkcs12 ``` Then restart "oxauth" service. That will disable certificate verification. As a more secure solution, consider adding your LDAP server's certificate (the server itself, not root CA's) to `/etc/certs/opendj.pkcs12` truststore.

By Daniel Steiner user 04 Dec 2019 at 11:40 p.m. CST

Daniel Steiner gravatar
Hi Aliaksandr, Yes, disabling the SSL verification solves the problem. But the config file is not `/etc/gluu/conf/`, it's `/etc/gluu/conf/`. This probably changed from version 3.x. The approach with adding the LDAP server server certificat does not work in my case, we are using a wildcard domain certificate. I had similar problems with this wildcard certificate. Thank you for the fast response