By: Surendra Khatana named 16 Jul 2019 at 2:52 a.m. CDT

Hi, I have Gluu installed in an Ubuntu 16 virtual machine (Vagrant box). All of the services are running fine and the server is accessible from my host machine (Windows laptop). I am not able to connect to OpenDJ using Apache DS Studio. The connection is successful but the authentication seems to fail. I have tried the following so far:

- Searched for similar tickets on the support site.
- Exported opendj.crt and added it to Apache DS Studio, but no success.
- Tried creating an SSL tunnel as mentioned in the Gluu documentation; no success there as well.
- Disabled all firewalls in Ubuntu.

ldaptools works as expected from within the Ubuntu server but it doesn't work from the host machine.

By Surendra Khatana named 16 Jul 2019 at 2:53 a.m. CDT

Following is an excerpt from my Vagrantfile which exposes the OpenDJ ports to my host machine:

```
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
# config.vm.network "forwarded_port", guest: 80, host: 8080
config.vm.network "forwarded_port", guest: 1636, host: 1636
config.vm.network "forwarded_port", guest: 4444, host: 4444
```

By Surendra Khatana named 16 Jul 2019 at 2:57 a.m. CDT

Apache DS Studio screenshots:

By Surendra Khatana named 16 Jul 2019 at 2:58 a.m. CDT

Apache DS Studio screenshots:

By Michael Schwartz staff 16 Jul 2019 at 3:30 a.m. CDT

One thing is I don't think you should use StartTLS if you're using ldaps.

By Surendra Khatana named 16 Jul 2019 at 3:32 a.m. CDT

That was one of the options I was trying; I have tried all of the available options there: no encryption, LDAPS and StartTLS.

By Aliaksandr Samuseu staff 16 Jul 2019 at 8:12 a.m. CDT

Hi, Surendra.

> The connection is successful but the authentication seems to fail

What bind DN do you use when authenticating to OpenDJ? Or what username? Are you sure the credentials you provide are 100% correct?

By Surendra Khatana named 16 Jul 2019 at 8:16 a.m. CDT

Hi, it is shown in the screenshot that I have attached. The bind DN used was cn=directory manager. I am 100% sure that the credentials are correct. The same credentials are working when running ldapsearch from within the server.

By Michael Schwartz staff 16 Jul 2019 at 8:27 a.m. CDT

Can you add the LDAP logs? Do you see the connection in the access logs? Any other hints there?

By Surendra Khatana named 16 Jul 2019 at 9:05 a.m. CDT

Error logs from Apache DS Studio when the encryption method is set to None in the connection:

```
Error while opening connection - [LDAP: error code 2 - PROTOCOL_ERROR: The server will disconnect!]
java.lang.Exception: [LDAP: error code 2 - PROTOCOL_ERROR: The server will disconnect!]
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1418)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$11(DirectoryApiConnectionWrapper.java:1386)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:502)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:511)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:325)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:60)
```

Error logs from Apache DS Studio when the encryption method is set to LDAPS in the connection:

```
Error while opening connection - ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context
org.apache.directory.api.ldap.model.exception.LdapException: ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:695)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$1.run(DirectoryApiConnectionWrapper.java:247)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doConnect(DirectoryApiConnectionWrapper.java:281)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.connect(DirectoryApiConnectionWrapper.java:172)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:111)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:60)
Caused by: org.apache.directory.api.ldap.model.exception.LdapOperationException: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:688)
	... 7 more
```

I will also check the OpenDJ logs on the server and share them.

By Michael Schwartz staff 16 Jul 2019 at 9:09 a.m. CDT

That's pretty clear. You must import the SSL cert for the LDAP server in the truststore the JRE for ApacheDS is using...

By Surendra Khatana named 16 Jul 2019 at 9:13 a.m. CDT

I have already added the cert to Apache DS Studio's permanently trusted certs (please check the attached screenshot). Let me try adding it to the JRE also.

By Michael Schwartz staff 16 Jul 2019 at 9:20 a.m. CDT

I saw that, but something tells me it didn't work. I would import the cert directly into the cacerts used by Apache Directory Studio.

By Surendra Khatana named 16 Jul 2019 at 9:26 a.m. CDT

Imported opendj.crt into cacerts, but unfortunately the same error!!

```
C:\Program Files\Java\jdk1.8.0_211\jre\lib\security>keytool -importcert -file opendj.crt -keystore cacerts -alias "opendj"
Enter keystore password:
Owner: CN=localhost, O=OpenDJ RSA Self-Signed Certificate
Issuer: CN=localhost, O=OpenDJ RSA Self-Signed Certificate
Serial number: 19a7e3e5
Valid from: Sat Nov 03 15:40:25 EET 2018 until: Fri Oct 29 16:40:25 EEST 2038
Certificate fingerprints:
	 MD5:  FD:AB:EC:92:B0:1B:3F:9A:1E:D4:F9:F1:0B:6B:9A:CC
	 SHA1: E8:0A:E5:39:51:71:AF:AC:5A:60:B6:08:BC:18:10:68:32:03:D5:B5
	 SHA256: FF:36:83:78:AD:83:FF:53:91:9E:80:A8:7E:50:19:5B:7B:27:9C:66:A6:18:2C:75:DE:86:62:78:03:BB:65:4B
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

C:\Program Files\Java\jdk1.8.0_211\jre\lib\security>
```
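As an added diagnostic that is not part of this thread or of Gluu or Apache DS Studio, the script below fetches the certificate actually presented on the forwarded port (localhost:1636, as in the Vagrantfile above) and compares its fingerprint with the SHA256 value keytool printed during the import, so a truststore problem in the client cannot mask a port-forward that reaches a different listener. The keytool excerpt is embedded as sample input; the function names, the plaintext-port error handling and the port default are my own assumptions.

```python
"""Verify the cert on the LDAPS port is the one imported with keytool (added example)."""
import hashlib
import re
import socket
import ssl

# Constructed sample input: the fingerprint lines copied from the keytool output above.
KEYTOOL_OUTPUT = """\
Owner: CN=localhost, O=OpenDJ RSA Self-Signed Certificate
Certificate fingerprints:
     MD5:  FD:AB:EC:92:B0:1B:3F:9A:1E:D4:F9:F1:0B:6B:9A:CC
     SHA1: E8:0A:E5:39:51:71:AF:AC:5A:60:B6:08:BC:18:10:68:32:03:D5:B5
     SHA256: FF:36:83:78:AD:83:FF:53:91:9E:80:A8:7E:50:19:5B:7B:27:9C:66:A6:18:2C:75:DE:86:62:78:03:BB:65:4B
"""

_FP_RE = re.compile(r"^\s*(MD5|SHA1|SHA256):\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$", re.M)

def parse_keytool_fingerprints(text: str) -> dict:
    """Map algorithm name -> upper-case colon-separated fingerprint from keytool output."""
    return {name: value.upper() for name, value in _FP_RE.findall(text)}

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """keytool-style fingerprint (AA:BB:...) of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def cert_matches_keytool(der: bytes, keytool_text: str) -> bool:
    """True if the presented cert has exactly the SHA256 fingerprint keytool printed."""
    expected = parse_keytool_fingerprints(keytool_text).get("SHA256")
    return expected is not None and fingerprint(der) == expected

def fetch_server_cert(host: str, port: int = 1636, timeout: float = 5.0) -> bytes:
    """TLS handshake with the (forwarded) LDAPS port; return the leaf cert as DER.
    Verification is off on purpose: we compare the cert ourselves afterwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # cert is CN=localhost; the hostname is not the question here
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
        except ssl.SSLError as exc:  # e.g. the port answers in plaintext LDAP, not TLS
            raise RuntimeError(f"no TLS handshake on {host}:{port}: {exc}") from exc

if __name__ == "__main__":
    der = fetch_server_cert("localhost")  # run on the host, through the Vagrant port-forward
    print("server SHA256:", fingerprint(der))
    print("matches keytool import:", cert_matches_keytool(der, KEYTOOL_OUTPUT))
```

If the fingerprints differ, the client is not reaching the OpenDJ instance whose opendj.crt was exported, which is a networking question rather than a truststore one.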

By Michael Schwartz staff 16 Jul 2019 at 9:35 a.m. CDT

You are sure this is the JRE used by your Apache Directory Studio? If so, it could be a bug in the ApacheDS Studio code, which is outside the realm of stuff we can help you with. Maybe post on their forums and see if there is a way to "trust all".

By Surendra Khatana named 16 Jul 2019 at 9:38 a.m. CDT

Yeah, it is the same JRE. Thanks for your help so far on this one :). Which LDAP tool do you recommend? Which one do you use internally? Thanks.

By William Lowe staff 18 Jul 2019 at 10:46 a.m. CDT

Most people here use [JXplorer](http://jxplorer.org/).

By Surendra Khatana named 19 Jul 2019 at 1:28 a.m. CDT

Not able to connect using JXplorer either. It might be related to Vagrant environment networking. Do you guys use Vagrant internally?

By Thomas Gasmyr Mougang staff 19 Jul 2019 at 3:33 a.m. CDT

Hi Khatana, I'm adding a screenshot of a valid config for JXplorer here.

By Thomas Gasmyr Mougang staff 19 Jul 2019 at 3:35 a.m. CDT

Also I noticed from my own experience that sometimes using **127.0.0.1** as hostname doesn't work. So better to test both **127.0.0.1** and **localhost**.

By Surendra Khatana named 19 Jul 2019 at 8:01 a.m. CDT

This is not resolved yet, but let's close this ticket. This is an issue when Gluu is set up in a Vagrant box.