On 02/10/2016 09:26 AM, Thomas Mortagne wrote:
On Tue, Feb 9, 2016 at 6:34 PM, Frank Thommen <[email protected]> wrote:
Maybe I should rephrase the question: What certificates should go into the keystore?
I retrieved the LDAP server's certificate through `openssl s_client -host my.ldap.server -port 636`, added it with `keytool` into a keystore and set this as xwiki.authentication.ldap.ssl.keystore, but the errors stay almost the same. To make it worse, the errors in catalina.out are not always completely identical. Trying to authenticate four times results in e.g. three slightly different sets of error messages. No one else is currently accessing the Wiki.
But maybe the base problem is this one:
---------------- [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389] ----------------
Why is XWiki trying to connect on port 389 even though I have "xwiki.authentication.ldap.port=636"?
I can think of 3 possibilities for this kind of issue:
* you did not uncomment xwiki.authentication.ldap.port in xwiki.cfg
it /is/ uncommented
* you have xwiki.authentication.ldap.port set several times
no, it's set only a single time
* you have it set in the XWikiPreferences page (which overrides xwiki.cfg) because you played with the LDAP Application or with the page directly
Good thought: I had indeed the "LDAP Admin Application" installed temporarily, but I've removed it again because it only offered a subset of the settings I required. Could it be that the removal of the application did not remove (some of) its settings? Where (filesystem/database) should I look for possible leftover settings? Using `grep` I cannot find any "ldap" reference in any file within $TOMCAT/webapps/xwiki/WEB-INF. (Additional question: should I see this as a bug in the application if the removal doesn't remove all associated settings, or is this rather a general XWiki issue?)
On the SSL side I'm really far from an expert since I never used it with LDAP. All I know is that some users managed to do it. But anyway, if XWiki doesn't use the right port it's indeed the first thing to fix.
indeed :-)
frank
On 02/09/2016 01:31 PM, Frank Thommen wrote:
Hi,
our freshly configured XWiki (7.4, running on openSUSE 13.1 with Tomcat 8.0.30) works fine through LDAP but fails as soon as we switch to ldaps.
The current relevant settings for LDAP authentication in xwiki.cfg are:
---------------
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=OUR_LDAP_SERVER
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.validate_password=0
xwiki.authentication.ldap.password_field=userPassword
---------------
As soon as we change the settings to use SSL secured LDAP...
---------------
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
---------------
...authentication fails and we get the error message in catalina.out (debugging enabled according to http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableLD...) that you can find at the end of this mail. Connecting with the standard LDAP tools (ldapsearch) via SSL works fine.
However: we haven't configured a keystore, as we are not in possession of the server's certificate. ldapsearch only connects correctly with TLS_REQCERT=never. Could that be the problem with XWiki, too? If yes, is there a way to configure XWiki to ignore the certificate completely?
Cheers
Frank
catalina.out messages related to one failed LDAP authentication
===============================================================
[...]
2016-02-09 10:37:52,261 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,262 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
2016-02-09 10:37:52,265 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,333 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, posixgroup, apple-group, group]
2016-02-09 10:37:52,336 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, memberuid, uniquemember]
2016-02-09 10:37:52,355 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connecting to LDAP using SSL
2016-02-09 10:37:52,533 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389]
2016-02-09 10:37:52,567 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[XXXX]
2016-02-09 10:37:52,777 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:196) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:122) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:306) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3565) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241) [xwiki-platform-security-bridge-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271) [xwiki-platform-security-bridge-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3583) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4657) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:184) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462) [struts-core-1.3.10.jar:1.3.10]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:115) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127) [xwiki-platform-wysiwyg-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66) [xwiki-platform-webdav-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:137) [xwiki-platform-resource-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.30]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.30]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [catalina.jar:8.0.30]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-coyote.jar:8.0.30]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.30]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]
Caused by: com.novell.ldap.LDAPException: Connect Error
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Message.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.MessageAgent.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:230) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:192) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    ... 63 common frames omitted
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520) ~[na:1.7.0_95]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:70) ~[na:1.7.0_95]
    ... 73 common frames omitted
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1838) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1783) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:113) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:69) ~[na:1.7.0_95]
    at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection$ReaderThread.run(Unknown Source) ~[jldap-4.3.jar:na]
    ... 1 common frames omitted
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196) ~[na:1.7.0_95]
    at java.net.SocketInputStream.read(SocketInputStream.java:122) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.read(InputRecord.java:480) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:901) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) ~[na:1.7.0_95]
    ... 4 common frames omitted
2016-02-09 10:37:52,786 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2016-02-09 10:37:52,870 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [XXXX]
[...]
_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
-- Frank Thommen | HD-HuB / DKFZ Heidelberg | [email protected] | TP3: +49-6221-42-3562 (Mo+Di) | IPMB: +49-6221-54-5823 (Mi-Do)
-- Thomas Mortagne
-- Frank Thommen | HD-HuB / DKFZ Heidelberg | [email protected] | +49-6221-54-5823 (Mo-Mi) | +49-6221-42-3562 (Do-Fr)
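As an added example (my own code, not XWiki's and not something either poster wrote), the following Python script turns the three possibilities Thomas lists and the port mismatch visible in Frank's log into an offline check: it parses an xwiki.cfg excerpt, reports a port key that is present only commented out or is set more than once, and compares the configured port with the one XWiki actually reports in its `Connection to LDAP server [host:port]` debug line, which is the symptom of a value coming from the XWikiPreferences page instead of xwiki.cfg. The xwiki.cfg text and the log lines are constructed samples modelled on the thread; the keystore path in the sample is a placeholder.

```python
"""Offline sanity checks for an XWiki LDAP-over-SSL setup (added example, not XWiki code)."""
import re

PORT_KEY = "xwiki.authentication.ldap.port"
SSL_KEY = "xwiki.authentication.ldap.ssl"

# key=value line, optionally commented out with one or more leading '#'
_CFG_LINE = re.compile(r"^\s*(#*)\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
# the two XWikiLDAPConnection DEBUG lines quoted in the thread
_LOG_SSL = re.compile(r"XWikiLDAPConnection - Connecting to LDAP using SSL")
_LOG_CONNECT = re.compile(
    r"XWikiLDAPConnection - Connection to LDAP server \[([^\]:]+):(\d+)\]")


def parse_cfg(text):
    """Return (active, commented): key -> list of values, in file order."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = _CFG_LINE.match(line)
        if not m:
            continue
        hashes, key, value = m.groups()
        (commented if hashes else active).setdefault(key, []).append(value)
    return active, commented


def check_cfg(active, commented, key=PORT_KEY):
    """Possibilities 1 and 2: key left commented out, or set several times."""
    findings = []
    values = active.get(key, [])
    if not values:
        if key in commented:
            findings.append(f"{key} appears only commented out ({commented[key]}); uncomment it")
        else:
            findings.append(f"{key} is not set in xwiki.cfg; the built-in default applies")
    elif len(values) > 1:
        findings.append(f"{key} is set {len(values)} times ({values}); keep exactly one")
    # ssl=1 together with the plaintext port is almost certainly a mistake
    if active.get(SSL_KEY, ["0"])[-1] == "1" and values and values[-1] == "389":
        findings.append(f"{SSL_KEY}=1 but {key}=389; ldaps normally listens on 636")
    return findings


def effective_endpoint(log_text):
    """(uses_ssl, host, port) as XWiki reports them at runtime in the debug log."""
    uses_ssl = _LOG_SSL.search(log_text) is not None
    m = _LOG_CONNECT.search(log_text)
    if m is None:
        return uses_ssl, None, None
    return uses_ssl, m.group(1), int(m.group(2))


def check_log_vs_cfg(active, log_text, key=PORT_KEY):
    """Possibility 3: runtime port differs from xwiki.cfg, so another source
    (the XWikiPreferences page, which overrides xwiki.cfg) supplies the value."""
    uses_ssl, host, port = effective_endpoint(log_text)
    if port is None:
        return ["no 'Connection to LDAP server' line found; enable DEBUG for c.x.x.p.l.XWikiLDAPConnection"]
    findings = []
    cfg_port = active.get(key, [None])[-1]
    if cfg_port is not None and cfg_port.isdigit() and int(cfg_port) != port:
        findings.append(f"XWiki connects to {host}:{port} but xwiki.cfg says {key}={cfg_port}; "
                        "check the XWikiPreferences page for a leftover LDAP setting")
    if uses_ssl and port == 389:
        findings.append("TLS handshake attempted against port 389 (plaintext LDAP); "
                        "consistent with the 'Connection reset' in performInitialHandshake")
    return findings


def run_checks(cfg_text, log_text):
    """All findings for one xwiki.cfg excerpt and one catalina.out excerpt."""
    active, commented = parse_cfg(cfg_text)
    return check_cfg(active, commented) + check_log_vs_cfg(active, log_text)


# Constructed sample modelled on the thread's settings; keystore path is a placeholder.
SAMPLE_CFG = """\
#-# LDAP authentication
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=OUR_LDAP_SERVER
#xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.ssl.keystore=/path/to/placeholder-truststore.jks
"""

# Constructed log excerpt reproducing the lines quoted in the thread.
SAMPLE_LOG = """\
2016-02-09 10:37:52,355 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connecting to LDAP using SSL
2016-02-09 10:37:52,533 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389]
2016-02-09 10:37:52,777 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
"""

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CFG, SAMPLE_LOG):
        print("-", finding)
```

Run against the sample, the file-level checks pass (the port is uncommented exactly once) and both findings come from the log: the runtime port 389 disagrees with the configured 636, and a TLS handshake is being attempted against the plaintext port. On a real installation, feed it the actual xwiki.cfg and a catalina.out excerpt with DEBUG enabled for the LDAP classes.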