By: Dan Parson user 07 Mar 2020 at 9:10 p.m. CST

3 Responses
Hello, I'm new to Gluu. I'm trying to configure Gluu's Cache Refresh service to pull profiles from an OpenLDAP server with LDAPS over TLS. Looking over the results, does Gluu support StartTLS with OpenDJ? The password in oxtrust_persistence.log is the correct password. Is there a backend option or setting I'm missing?

Actual results:

```
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 fd=28 ACCEPT from IP=192.168.0.150:50682 (IP=0.0.0.0:389)
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 op=0 BIND dn="" method=128
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 fd=28 closed (connection lost)
```

Expected results:

```
Feb 10 14:19:28 Mail slapd[32063]: conn=7273 fd=17 ACCEPT from IP=192.168.1.131:51512 (IP=0.0.0.0:636)
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 fd=17 TLS established tls_ssf=256 ssf=256
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 BIND dn="cn=vmail,dc=tazserver,dc=xyz" method=128
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 BIND dn="cn=vmail,dc=tazserver,dc=xyz" mech=SIMPLE ssf=0
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 RESULT tag=97 err=0 text=
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=1 SRCH base="o=domains,dc=tazserver,dc=xyz" scope=0 deref=0 filter="(objectClass=top)"
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=1 SRCH attr=objectClass
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=2 UNBIND
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 fd=17 closed
```

Cache Refresh configuration as logged (passwords masked):

```
identity/logs/oxtrust_persistence.log:2020-03-07 22:01:14,287 DEBUG [qtp353842779-16] [org.gluu.persist.impl.BaseEntryManager] (BaseEntryManager.java:1206) - Property: cacheRefresh, LdapProperty: oxTrustConfCacheRefresh, PropertyValue:
[{
  "sourceConfigs": [{
    "configId": "LDAP Failover",
    "bindDN": "cn=vmail,dc=tazserver,dc=xyz",
    "bindPassword": "****************",
    "servers": ["ldap.tazserver.xyz:389"],
    "maxConnections": 1,
    "useSSL": false,
    "baseDNs": ["o=domains,dc=tazserver,dc=xyz"],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  }],
  "inumConfig": {
    "configId": "local_inum",
    "bindDN": "cn=directory manager",
    "bindPassword": "*******",
    "servers": ["localhost:1636"],
    "maxConnections": 10,
    "useSSL": true,
    "baseDNs": ["ou=cache-refresh,o=site"],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": true,
    "version": 0,
    "level": 0
  },
  "targetConfig": {
    "configId": null,
    "bindDN": null,
    "bindPassword": null,
    "servers": [],
    "maxConnections": 0,
    "useSSL": false,
    "baseDNs": [],
    "primaryKey": null,
    "localPrimaryKey": null,
    "useAnonymousBind": false,
    "enabled": false,
    "version": 0,
    "level": 0
  },
  "ldapSearchSizeLimit": 1000,
  "keyAttributes": ["uid"],
  "keyObjectClasses": ["mailUser"],
  "sourceAttributes": ["mail", "cn", "sn", "accountStatus", "givenName", "displayName"],
  "customLdapFilter": "",
  "updateMethod": "copy",
  "defaultInumServer": true,
  "keepExternalPerson": true,
  "useSearchLimit": false,
  "attributeMapping": [{"source": "mail", "destination": "mail"}, {"source": "cn", "destination": "cn"}],
  "snapshotFolder": "/var/gluu/identity/cr-snapshots",
  "snapshotMaxCount": 10
}]
```

Cache Refresh error:

```
2020-03-07 21:57:45,329 ERROR [ForkJoinPool.commonPool-worker-0] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:204) - Exception happened while executing cache refresh synchronization
org.gluu.persist.exception.operation.ConfigurationException: Failed to create LDAP bind connection pool! Result code: '48'
```
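The slapd lines in the post already carry the diagnosis: on the 389 listener no "TLS established" line precedes the BIND, the bind that arrives is anonymous, and slapd answers err=48 (LDAP inappropriateAuthentication). The script below is an added example, not part of the post or of Gluu, that walks a slapd log in this format and reports, per connection, binds that reached the server before any TLS handshake. Its input is the two excerpts above plus one constructed connection (conn=2001) showing the case worth worrying about: a simple bind with a real DN on the plaintext port, where the password itself crosses the wire.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two slapd excerpts from the post plus an invented conn=2001
# (a successful simple bind on the plaintext 389 listener, no TLS line at all).
SAMPLE_LOG = """\
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 fd=28 ACCEPT from IP=192.168.0.150:50682 (IP=0.0.0.0:389)
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 op=0 BIND dn="" method=128
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
Mar 7 21:53:45 ldap slapd[1072]: conn=1108 fd=28 closed (connection lost)
Feb 10 14:19:28 Mail slapd[32063]: conn=7273 fd=17 ACCEPT from IP=192.168.1.131:51512 (IP=0.0.0.0:636)
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 fd=17 TLS established tls_ssf=256 ssf=256
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 BIND dn="cn=vmail,dc=tazserver,dc=xyz" method=128
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 BIND dn="cn=vmail,dc=tazserver,dc=xyz" mech=SIMPLE ssf=0
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=0 RESULT tag=97 err=0 text=
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 op=2 UNBIND
Feb 10 14:19:29 Mail slapd[32063]: conn=7273 fd=17 closed
Mar 7 22:05:01 ldap slapd[1072]: conn=2001 fd=30 ACCEPT from IP=192.168.0.150:50700 (IP=0.0.0.0:389)
Mar 7 22:05:01 ldap slapd[1072]: conn=2001 op=0 BIND dn="cn=vmail,dc=tazserver,dc=xyz" method=128
Mar 7 22:05:01 ldap slapd[1072]: conn=2001 op=0 RESULT tag=97 err=0 text=
"""

CONN = re.compile(r"\bconn=(\d+)")
ACCEPT = re.compile(r"ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)")
TLS = re.compile(r"TLS established tls_ssf=(\d+)")
# Only the 'method=' BIND line is parsed; slapd logs a second 'mech=' line for the same op.
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT = re.compile(r"RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

LDAP_RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}


@dataclass
class Conn:
    peer: str = "?"
    port: int = 0
    tls: bool = False
    pending: Optional[Tuple[str, bool]] = None  # (bind DN, TLS was up when the BIND arrived)
    findings: List[str] = field(default_factory=list)


def analyze(log: str) -> Dict[str, List[str]]:
    """Return {conn_id: [findings]} for every connection seen in a slapd log."""
    conns: Dict[str, Conn] = defaultdict(Conn)
    for line in log.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        c = conns[m.group(1)]
        if (a := ACCEPT.search(line)):
            c.peer, c.port = a.group(1), int(a.group(2))
        elif TLS.search(line):
            c.tls = True
        elif (b := BIND.search(line)):
            c.pending = (b.group(1), c.tls)
        elif (r := BIND_RESULT.search(line)) and c.pending:
            dn, tls_at_bind = c.pending
            c.pending = None
            err = int(r.group(1))
            outcome = f"err={err} {LDAP_RESULT_NAMES.get(err, 'other')}"
            if dn == "":
                c.findings.append(f"anonymous bind from {c.peer} on port {c.port}: {outcome}")
            elif not tls_at_bind:
                # The password is inside the BindRequest whatever slapd answered.
                c.findings.append(f"PLAINTEXT simple bind as {dn} from {c.peer} on port {c.port}: "
                                  f"password crossed the wire unencrypted ({outcome})")
    return {cid: c.findings for cid, c in conns.items()}


if __name__ == "__main__":
    for cid, findings in analyze(SAMPLE_LOG).items():
        print(f"conn={cid}: " + ("; ".join(findings) or "ok (TLS established before bind, or no bind)"))
```

Run against a real slapd log (`loglevel stats` is enough to produce these lines) it gives a quick answer to "did any client bind to us without TLS?"; the ordering check matters, because a StartTLS client also connects on 389 but shows "TLS established" before its BIND.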

By Michael Schwartz staff 07 Mar 2020 at 9:47 p.m. CST

oxTrust Cache Refresh does not currently support StartTLS. If you're a coder, you could probably submit a PR for oxTrust to implement this, because the underlying library we are using does support it. But demand for StartTLS has been very low (you're the first one I remember asking for it in years). Use LDAPS if you want to keep it easy.
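The practical consequence of the answer above: with no StartTLS, any source config that points at port 389 with `useSSL: false` makes Cache Refresh send the bind DN's password, and every profile it copies, in the clear. Below is an added example (not Gluu code) that audits the oxTrustConfCacheRefresh document for that combination and produces an LDAPS variant. It assumes the connection-relevant keys shown in the posted log (`servers`, `useSSL`, `bindDN`) and that rewriting `:389` to `:636` is right for this deployment; slapd must actually listen on ldaps:// there and present a certificate Gluu's truststore accepts, which the script cannot verify.

```python
from copy import deepcopy
from typing import Dict, Iterator, List, Tuple

LDAP_PORT, LDAPS_PORT = 389, 636  # registered ldap:// and ldaps:// ports

# Constructed from the (masked) configuration in the post, reduced to the connection keys.
CACHE_REFRESH_CONF = {
    "sourceConfigs": [{
        "configId": "LDAP Failover",
        "bindDN": "cn=vmail,dc=tazserver,dc=xyz",
        "bindPassword": "****************",
        "servers": ["ldap.tazserver.xyz:389"],
        "useSSL": False,
        "enabled": False,
    }],
    "inumConfig": {
        "configId": "local_inum",
        "bindDN": "cn=directory manager",
        "bindPassword": "*******",
        "servers": ["localhost:1636"],
        "useSSL": True,
        "enabled": True,
    },
    "targetConfig": {
        "configId": None, "bindDN": None, "bindPassword": None,
        "servers": [], "useSSL": False, "enabled": False,
    },
}


def split_hostport(server: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); a bare host is taken as the plaintext ldap port."""
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return server, LDAP_PORT


def connection_configs(conf: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (label, config) for every LDAP connection block in the Cache Refresh document."""
    for sc in conf.get("sourceConfigs", []):
        yield f"sourceConfigs[{sc.get('configId')}]", sc
    for key in ("inumConfig", "targetConfig"):
        if key in conf:
            yield key, conf[key]


def audit(conf: Dict) -> List[str]:
    """Flag every configured server that would be reached without TLS."""
    findings: List[str] = []
    for label, c in connection_configs(conf):
        if not c.get("servers"):
            continue  # unused block, e.g. the empty targetConfig
        for server in c["servers"]:
            _, port = split_hostport(server)
            if not c.get("useSSL"):
                findings.append(
                    f"{label}: useSSL=false for {server} (enabled={c.get('enabled')}); "
                    f"Cache Refresh has no StartTLS, so the simple bind as "
                    f"'{c.get('bindDN')}' and all search traffic go in the clear")
            elif port == LDAP_PORT:
                findings.append(
                    f"{label}: useSSL=true but {server} is the plaintext ldap:// port; "
                    f"LDAPS normally listens on {LDAPS_PORT}")
    return findings


def harden(conf: Dict) -> Dict:
    """Return a copy with every connection block switched to LDAPS.
    Assumption (example only): 389 -> 636 is the correct LDAPS port for each host."""
    fixed = deepcopy(conf)
    for _, c in connection_configs(fixed):
        if not c.get("servers"):
            continue
        c["useSSL"] = True
        rewritten = []
        for server in c["servers"]:
            host, port = split_hostport(server)
            rewritten.append(f"{host}:{LDAPS_PORT}" if port == LDAP_PORT else server)
        c["servers"] = rewritten
    return fixed


if __name__ == "__main__":
    for f in audit(CACHE_REFRESH_CONF):
        print("FINDING:", f)
    print("hardened sourceConfigs:", harden(CACHE_REFRESH_CONF)["sourceConfigs"])
```

The second `elif` catches the mirror-image mistake of flipping `useSSL` on while leaving the port at 389, which fails the TLS handshake against a plain listener rather than falling back to cleartext.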

By Dan Parson user 07 Mar 2020 at 10:11 p.m. CST

Ahhh, okay. Thank you for the update. That explains the issue with bind auth. Is it okay if we leave the case open in case I have issues with switching to SSL?

By Michael Schwartz staff 07 Mar 2020 at 10:27 p.m. CST

Open a new issue if you have trouble with LDAPS.