Re: [xwiki-users] LDAP authentication fails as soon as using SSL (ldaps)

On Tue, Feb 9, 2016 at 6:34 PM, Frank Thommen <f.thommen(a)dkfz-heidelberg.de> wrote: > > > Maybe I can should rephrase the question: What certificates should go > into > the keystore? > > I retrieved the LDAP server's certificate through `openssl s_client > -host > my.ldap.server -port 636` and added it with `keytool` into a keystore > and > sest this as xwiki.authentication.ldap.ssl.keystore but the errors stay > almost the same. To make it worse, the errors in catalina.out are not > always completely identical. Trying to authenticate four times results > in > e.g. three slightly different sets of error message. Noone else is > currently accessing the Wiki. > > > But maybe the base problem is this one: > > ---------------- > [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG > c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389] > ---------------- > > Why is XWiki trying to connect on port 389 even though I have > "xwiki.authentication.ldap.port=636"? I can think of 3 possibilities for this kind of issue: * you did not uncommented xwiki.authentication.ldap.port in xwiki.cfg

* you have xwiki.authentication.ldap.port set several times

* you have it set in XWikiPreference page (which override xwiki.cfg) because you played with LDAP Application or with the page directly

On the SSL side I'm really far from an expert since I never used it with LDAP. All I know is that some users managed to do it. But anyway if XWiki don't use the right port it's indeed the first thing to fix.

> > frank > > > > > On 02/09/2016 01:31 PM, Frank Thommen wrote: >> >> >> >> Hi, >> >> our freshly configured XWiki (7.4, running open SUSE 13.1 with Tomcat >> 8.0.30) works fine through LDAP but fails as soon as we switch to >> ldaps. >> >> The current relevant settings for LDAP authentication in xwiki.cfg >> are: >> --------------- >> >> >> >> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl >> xwiki.authentication.ldap=1 >> xwiki.authentication.ldap.server=OUR_LDAP_SERVER >> xwiki.authentication.ldap.port=389 >> xwiki.authentication.ldap.trylocal=1 >> xwiki.authentication.ldap.ssl=0 >> >> >> >> xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider >> xwiki.authentication.ldap.validate_password=0 >> xwiki.authentication.ldap.password_field=userPassword >> --------------- >> >> As soon as we change the settings to use SSL secured LDAP... >> --------------- >> xwiki.authentication.ldap.port=636 >> xwiki.authentication.ldap.ssl=1 >> --------------- >> >> ...authentication fails and we get the error message in catalina.out >> (debugging enabled according to >> >> >> >> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…) >> that you can find at the end of this mail. Connecting with the >> standard >> LDAP tools (ldapsearch) via SSL works fine. >> >> However: We haven't configured a keystore, as we are not in possession >> ot the server's certificate. ldapsearch only connects correctly with >> TLS_REQCERT=never. Could that be the problem with XWiki, too? If >> yes, >> is there a way to configure XWiki to ignore the certificate >> completely? >> >> >> Cheers >> Frank >> >> >> >> >> catalina.out messages related to one failed LDAP authentication >> =============================================================== >> >> [...] >> 2016-02-09 10:37:52,261 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE >> u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication >> 2016-02-09 10:37:52,262 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't >> try >> to authenticate, it probably means the user is in non logged mode. >> 2016-02-09 10:37:52,265 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE >> u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication >> 2016-02-09 10:37:52,333 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, >> groupwisedistributionlist, dynamicgroup, dynamicgroupaux, >> groupofuniquenames, posixgroup, apple-group, group] >> 2016-02-09 10:37:52,336 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, >> memberuid, uniquemember] >> 2016-02-09 10:37:52,355 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> c.x.x.p.l.XWikiLDAPConnection - Connecting to LDAP using SSL >> 2016-02-09 10:37:52,533 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server >> [XXXX:389] >> >> 2016-02-09 10:37:52,567 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with >> credentials >> login=[XXXX] >> 2016-02-09 10:37:52,777 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. >> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: >> LDAP >> bind failed with LDAPException. >> at >> >> >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:196) >> ~[xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:122) >> ~[xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:306) >> [xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182) >> [xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129) >> [xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3565) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241) >> [xwiki-platform-security-bridge-7.4.jar:na] >> at >> >> >> >> org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271) >> [xwiki-platform-security-bridge-7.4.jar:na] >> at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3583) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4657) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:184) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425) >> [struts-core-1.3.10.jar:1.3.10] >> at >> >> >> >> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228) >> [struts-core-1.3.10.jar:1.3.10] >> at >> >> org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) >> [struts-core-1.3.10.jar:1.3.10] >> at >> org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462) >> [struts-core-1.3.10.jar:1.3.10] >> at >> javax.servlet.http.HttpServlet.service(HttpServlet.java:648) >> [servlet-api.jar:na] >> at >> javax.servlet.http.HttpServlet.service(HttpServlet.java:729) >> [servlet-api.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:115) >> [xwiki-platform-legacy-oldcore-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127) >> [xwiki-platform-wysiwyg-server-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) >> [tomcat-websocket.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63) >> [xwiki-platform-container-servlet-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66) >> [xwiki-platform-webdav-server-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208) >> [xwiki-platform-container-servlet-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) >> [xwiki-platform-container-servlet-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:137) >> [xwiki-platform-resource-servlet-7.4.jar:na] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) >> [catalina.jar:8.0.30] >> at >> >> >> >> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) >> [tomcat-coyote.jar:8.0.30] >> at >> >> >> >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) >> [tomcat-coyote.jar:8.0.30] >> at >> >> >> >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) >> [tomcat-coyote.jar:8.0.30] >> at >> >> >> >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) >> [tomcat-coyote.jar:8.0.30] >> at >> >> >> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> [na:1.7.0_95] >> at >> >> >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> [na:1.7.0_95] >> at >> >> >> >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >> [tomcat-util.jar:8.0.30] >> at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95] >> Caused by: com.novell.ldap.LDAPException: Connect Error >> at com.novell.ldap.Connection.writeMessage(Unknown Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.Connection.writeMessage(Unknown Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.Message.sendMessage(Unknown Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.MessageAgent.sendMessage(Unknown Source) >> ~[jldap-4.3.jar:na] >> at >> com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown >> Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.LDAPConnection.bind(Unknown Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.LDAPConnection.bind(Unknown Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.LDAPConnection.bind(Unknown Source) >> ~[jldap-4.3.jar:na] >> at >> >> >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:230) >> ~[xwiki-platform-ldap-authenticator-7.4.jar:na] >> at >> >> >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:192) >> ~[xwiki-platform-ldap-authenticator-7.4.jar:na] >> ... 63 common frames omitted >> Caused by: javax.net.ssl.SSLException: Connection has been shutdown: >> javax.net.ssl.SSLException: java.net.SocketException: Connection reset >> at >> sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.AppOutputStream.write(AppOutputStream.java:70) >> ~[na:1.7.0_95] >> ... 73 common frames omitted >> Caused by: javax.net.ssl.SSLException: java.net.SocketException: >> Connection reset >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874) >> ~[na:1.7.0_95] >> at >> >> sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1838) >> ~[na:1.7.0_95] >> at >> >> sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1783) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.AppInputStream.read(AppInputStream.java:113) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.AppInputStream.read(AppInputStream.java:69) >> ~[na:1.7.0_95] >> at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown >> Source) >> ~[jldap-4.3.jar:na] >> at com.novell.ldap.Connection$ReaderThread.run(Unknown >> Source) >> ~[jldap-4.3.jar:na] >> ... 1 common frames omitted >> Caused by: java.net.SocketException: Connection reset >> at >> java.net.SocketInputStream.read(SocketInputStream.java:196) >> ~[na:1.7.0_95] >> at >> java.net.SocketInputStream.read(SocketInputStream.java:122) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.InputRecord.readFully(InputRecord.java:442) >> ~[na:1.7.0_95] >> at sun.security.ssl.InputRecord.read(InputRecord.java:480) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946) >> ~[na:1.7.0_95] >> at >> >> >> >> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:901) >> ~[na:1.7.0_95] >> at >> sun.security.ssl.AppInputStream.read(AppInputStream.java:102) >> ~[na:1.7.0_95] >> ... 4 common frames omitted >> 2016-02-09 10:37:52,786 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki >> DB >> 2016-02-09 10:37:52,870 >> [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG >> u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user >> [XXXX] >> [...] >> _______________________________________________ >> users mailing list >> users(a)xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users >> > > -- > Frank Thommen | HD-HuB / DKFZ Heidelberg > | f.thommen(a)dkfz-heidelberg.de > | TP3: +49-6221-42-3562 (Mo+Di) > | IPMB: +49-6221-54-5823 (Mi-Do) > > > _______________________________________________ > users mailing list > users(a)xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users