Maybe I should rephrase the question: What certificates should go
into the keystore?
I retrieved the LDAP server's certificate through `openssl s_client
-host my.ldap.server -port 636` and added it with `keytool` into a
keystore and set this as xwiki.authentication.ldap.ssl.keystore, but the
errors stay almost the same. To make it worse, the errors in
catalina.out are not always completely identical. Trying to
authenticate four times results in e.g. three slightly different sets of
error messages. No one else is currently accessing the Wiki.
But maybe the base problem is this one:
----------------
[] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389]
----------------
Why is XWiki trying to connect on port 389 even though I have
"xwiki.authentication.ldap.port=636"?
frank
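The question above (what belongs in the keystore) and the earlier `openssl s_client` / `keytool` steps are easy to get subtly wrong, because `s_client` prints the whole chain the server presents while `keytool -importcert` takes exactly one certificate per call. The script below is an added example, not code from the thread or from XWiki: it captures the chain a TLS-enabled LDAP port presents, splits it into one PEM file per certificate, imports each into a truststore, and then checks with `openssl` whether the captured chain actually validates. It assumes `openssl` and `keytool` are on PATH; `LDAP_HOST`, `LDAP_PORT`, `KEYSTORE` and `STOREPASS` are placeholders. As a general Java TLS fact (not something the thread establishes about XWiki specifically), the truststore needs an entry from which the server's chain can be validated: the issuing CA's certificate (ideally the root) survives a renewal of the server certificate, whereas importing only the server's own certificate as a trusted entry works just until that certificate is replaced.

```shell
#!/bin/sh
# Added example (not from the XWiki thread). Placeholders: LDAP_HOST, LDAP_PORT,
# KEYSTORE, STOREPASS. Requires openssl and keytool on PATH for the network steps.
set -e

# Capture every certificate the server presents on a TLS port.
# -showcerts dumps the full chain, not just the leaf; stdin from /dev/null makes
# s_client exit right after the handshake instead of waiting for input.
fetch_chain() {
    host="$1"; port="$2"; bundle="$3"
    openssl s_client -showcerts -connect "$host:$port" -servername "$host" \
        < /dev/null > "$bundle" 2>/dev/null
}

# Split a PEM bundle (e.g. s_client output, which also contains non-PEM chatter)
# into one file per certificate: $2/cert-0.pem, $2/cert-1.pem, ...
# cert-0 is the server's own certificate; later ones are the CAs it sent.
# Prints the number of certificates written.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n-1) ".pem" }
        n > 0 && out != ""            { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every split certificate into a Java truststore, one keytool call each,
# printing subject and issuer so it is visible which entry is the CA.
import_chain() {
    certdir="$1"; keystore="$2"; storepass="$3"
    for pem in "$certdir"/cert-*.pem; do
        name=$(basename "$pem" .pem)
        openssl x509 -in "$pem" -noout -subject -issuer
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$keystore" -storepass "$storepass" \
            -alias "ldap-$name" -file "$pem"
    done
}

# Succeeds only if the server's chain validates against the CA file, i.e. the
# file contains enough of the chain to reach a self-signed root.
verify_chain() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error < /dev/null > /dev/null 2>&1
}

# Usage (placeholders): LDAP_HOST=my.ldap.server LDAP_PORT=636 sh ldap-truststore.sh
if [ -n "${LDAP_HOST:-}" ]; then
    port="${LDAP_PORT:-636}"
    keystore="${KEYSTORE:-ldap-truststore.jks}"
    storepass="${STOREPASS:-changeit}"
    workdir=$(mktemp -d)

    fetch_chain "$LDAP_HOST" "$port" "$workdir/bundle.txt"
    count=$(split_pem_chain "$workdir/bundle.txt" "$workdir/certs")
    echo "server presented $count certificate(s)"

    import_chain "$workdir/certs" "$keystore" "$storepass"
    keytool -list -keystore "$keystore" -storepass "$storepass"

    # The last certificate in the captured chain is the highest CA the server
    # sent; if validation against it fails, the server does not send its root
    # and the root has to be obtained from whoever runs the LDAP server.
    last="$workdir/certs/cert-$((count - 1)).pem"
    if verify_chain "$LDAP_HOST" "$port" "$last"; then
        echo "chain validates against $last"
    else
        echo "chain does NOT validate against $last; the root CA is missing"
    fi
fi
```

Running it against a host with `LDAP_HOST` set shows whether the server sends only its leaf (a single `cert-0.pem`, and the final check fails) or a full chain; in the first case the CA certificate needs to be obtained separately and imported with the same `keytool -importcert` call before the Java side will trust the server.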
On 02/09/2016 01:31 PM, Frank Thommen wrote:
Hi,
our freshly configured XWiki (7.4, running on openSUSE 13.1 with Tomcat
8.0.30) works fine through LDAP but fails as soon as we switch to ldaps.
The current relevant settings for LDAP authentication in xwiki.cfg are:
---------------
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=OUR_LDAP_SERVER
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.validate_password=0
xwiki.authentication.ldap.password_field=userPassword
---------------
As soon as we change the settings to use SSL secured LDAP...
---------------
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
---------------
...authentication fails and we get the error message in catalina.out
(debugging enabled according to
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…)
that you can find at the end of this mail. Connecting with the standard
LDAP tools (ldapsearch) via SSL works fine.
However: We haven't configured a keystore, as we are not in possession
of the server's certificate. ldapsearch only connects correctly with
TLS_REQCERT=never. Could that be the problem with XWiki, too? If yes,
is there a way to configure XWiki to ignore the certificate completely?
Cheers
Frank
catalina.out messages related to one failed LDAP authentication
===============================================================
[...]
2016-02-09 10:37:52,261 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,262 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
2016-02-09 10:37:52,265 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,333 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, posixgroup, apple-group, group]
2016-02-09 10:37:52,336 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, memberuid, uniquemember]
2016-02-09 10:37:52,355 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connecting to LDAP using SSL
2016-02-09 10:37:52,533 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [XXXX:389]
2016-02-09 10:37:52,567 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[XXXX]
2016-02-09 10:37:52,777 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:196) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:122) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:306) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3565) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241) [xwiki-platform-security-bridge-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271) [xwiki-platform-security-bridge-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3583) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4657) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:184) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462) [struts-core-1.3.10.jar:1.3.10]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:115) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127) [xwiki-platform-wysiwyg-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66) [xwiki-platform-webdav-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:137) [xwiki-platform-resource-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.30]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.30]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [catalina.jar:8.0.30]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-coyote.jar:8.0.30]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.30]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]
Caused by: com.novell.ldap.LDAPException: Connect Error
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Message.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.MessageAgent.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:230) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:192) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    ... 63 common frames omitted
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520) ~[na:1.7.0_95]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:70) ~[na:1.7.0_95]
    ... 73 common frames omitted
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1838) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1783) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:113) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:69) ~[na:1.7.0_95]
    at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection$ReaderThread.run(Unknown Source) ~[jldap-4.3.jar:na]
    ... 1 common frames omitted
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196) ~[na:1.7.0_95]
    at java.net.SocketInputStream.read(SocketInputStream.java:122) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.read(InputRecord.java:480) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:901) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) ~[na:1.7.0_95]
    ... 4 common frames omitted
2016-02-09 10:37:52,786 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2016-02-09 10:37:52,870 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [XXXX]
[...]
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Frank Thommen | HD-HuB / DKFZ Heidelberg
| f.thommen(a)dkfz-heidelberg.de
| TP3: +49-6221-42-3562 (Mo+Di)
| IPMB: +49-6221-54-5823 (Mi-Do)