RE: JNDI ldaps Problem with SSO

Thu, 20 May 2021 23:38:00 -0700 

Hi Christopher

Enclosed is the stacktrace of the tomcat (localhost) 

On the DC side we see those messages: 

Then we see the same error events like we saw before already with the normal 
log level
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap message, data 0, 
v2580

Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
10.189.162.17:51240 
 
Additional Data 
Error value:
87 The parameter is incorrect. 
Internal ID:
c0c0095


Thank you 

Susan 

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Donnerstag, 20. Mai 2021 18:37
> To: users@tomcat.apache.org
> Subject: Re: JNDI ldaps Problem with SSO
> 
> Susan,
> 
> On 5/18/21 16:58, susan.w...@swisscom.com wrote:
> > When we are using plain ldap 3268, all works fine with those settings:
> >
> >
> > Good:
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldap://xxxxx.xxxx.com:3268";
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >   RA,DC=ch "
> >                       roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > Its when we want to use ldaps with 3269 its failing:
> > bad:
> >
> >                <Realm className="org.apache.catalina.realm.JNDIRealm"
> >                       connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >                       userBase="DC=XXXINTRA,DC=CH"
> >                       userSubtree="true"
> >                       userSearch="(sAMAccountName={0})"
> >                       userRoleName="memberOf"
> >                       roleBase="OU=PF00_App-
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> RA,DC=ch"
> >                      roleName="CN"
> >                       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >                       roleSubtree="true"
> >                       roleNested="true" />
> >
> >
> > ldapsearch on port 3269 (ldaps) works fine from the same machine, but
> > yes, it's not exactly the same request
> >
> >
> > TEST ~]# ldapsearch -x -D
> > "cn=SA-PF00-Appway,OU=PF00_Appway-
> CoreService,OU=PF00_Appway,OU=PF00_Server,OU=PF00_Res,OU=PF00,dc
> =bcintra,dc=ch" -b "DC=bcintra,DC=ch" -W -H ldaps://bcintra.ch:3269 | more
> Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <DC=bcintra,DC=ch> with scope subtree # filter: (objectclass=*)
> > # requesting: ALL # Organization, Schema, Configuration, bcintra.ch
> >
> >
> >
> > We think, ssl-handshake is fine but bind is failing. Why?
> 
> What is the error you actually get? Can you pleae post the full stack trace
> and not just the message?
> 
> -chris
> 
> 
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Dienstag, 18. Mai 2021 18:02
> >> To: users@tomcat.apache.org
> >> Subject: Re: JNDI ldaps Problem with SSO
> >>
> >> Susan,
> >>
> >> On 5/18/21 09:43, susan.w...@swisscom.com wrote:
> >>> Hi all
> >>>
> >>> apache-tomcat-8.0.36
> >>>
> >>> java version "1.8.0_281"
> >>> Java(TM) SE Runtime Environment (build 1.8.0_281-b09) Java
> >>> HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
> >>>
> >>> We are having a problem with our Single sign On config.
> >>> When using ldap - all works well.
> >>>
> >>> When switiching to ldaps , the User loses to connection all together
> >>> (Server not reachable)
> >>>
> >>>
> >>>
> >>> server.xml
> >>>
> >>> Good:
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldap://xxxxx.xxxx.com:3268";
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-
> >>
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >> RA,DC=ch "
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>> bad:
> >>>
> >>>               <Realm className="org.apache.catalina.realm.JNDIRealm"
> >>>                      connectionURL="ldaps://xxxxx.xxxx.com:3269"
> >>>                      userBase="DC=XXXINTRA,DC=CH"
> >>>                      userSubtree="true"
> >>>                      userSearch="(sAMAccountName={0})"
> >>>                      userRoleName="memberOf"
> >>>                      roleBase="OU=PF00_App-
> >>
> Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> >> RA,DC=ch"
> >>>                      roleName="CN"
> >>>                      roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> >>>                      roleSubtree="true"
> >>>                      roleNested="true" />
> >>>
> >>>
> >>> Connectivity to the DC is fine (ldapsearch with ldaps works),  SSL
> >> connection itself seems to be fine, Certificates are fine, we are
> >> sending the trustore as well. All is in the relevant cacerts too.
> >>> We have a https Server in Front and a proxy Setting to the tomcat.
> >>>
> >>> /usr/java/latest/bin/java
> >>> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_appway1/conf/log
> >>> gi
> >>> ng.properties
> >>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> >>> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/xxxxxxxxxxRootCore.jks
> >>> -Djavax.net.ssl.trustStorePassword=xxxxxx
> >>> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> >>> -Dnm.data.home=/opt/tomcat/data
> >>> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> >>> -
> Djava.security.krb5.conf=/opt/tomcat/tomcat8_appway1/conf/krb5.conf
> >>> -Djavax.security.auth.useSubjectCredsOnly=false
> >>> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> >>> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> >>> -classpath
> >>> /opt/tomcat/apache-tomcat-
> >> 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> >>> tomcat-8.0.36/bin/tomcat-juli.jar
> >>> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> >>> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> >>> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> >>> org.apache.catalina.startup.Bootstrap start
> >>>
> >>>
> >>>
> >>> Domain controller seems to close the connection. The Error is "The
> >> Parameter is incorrect", "The System cannot find the path specified."
> >> Its seems to happen, during the bind process, as if the DC can not
> >> decrypt our tomcat request:
> >>>
> >>> First two events are happening several times. After the last
> >>> anonymous
> >> bind is entered, the bind exited is done with the appway service account
> user.
> >> Right after that the error appears.
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx:51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3:
> >>>          Data4:
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335171
> >>>          Data3: 1004335171
> >>> Internal event: Function ldap_bind entered.
> >>>          SID: S-1-5-7
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3:
> >>>          Data4:
> >>>
> >>> Internal event: Function ldap_bind exited.
> >>>          Elapsed time (ms): 0
> >>>          SID: S-1-5-21-576815021-3137181063-3029416097-6939
> >>>          Source IP: 11.1xx.xxx.xxx::51240
> >>>          Operation identifier: 894498
> >>>          Data1:
> >>>          Data2: 1004335203
> >>>          Data3: 1004335203
> >>>
> >>>
> >>> Then we see the same error events like we saw before already with
> >>> the normal log level Internal event: The LDAP server returned an error.
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 00000057: LdapErr: DSID-0C0C0095, comment: Error decoding ldap
> >>> message, data 0, v2580
> >>>
> >>> Internal event: An LDAP client connection was closed because of an
> error.
> >>>
> >>> Client IP:
> >>> 11.1xx.xxx.xxx::51240
> >>>
> >>> Additional Data
> >>> Error value:
> >>> 87 The parameter is incorrect.
> >>> Internal ID:
> >>> c0c0095
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> In the App Log of the tomcat we see:
> >>>
> >>> /opt/tomcat/tomcat8_appway1/logs
> >>>
> >>>
> >>> localhost.2021-03-22.log
> >>>
> >>>
> >>> 22-Mar-2021 10:08:09.717 INFO [localhost-startStop-2]
> >> org.apache.catalina.core.ApplicationContext.log
> >> [CompressingFilter/1.7.1] CompressingFilter is being destroyed...
> >>> 22-Mar-2021 10:08:45.306 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log No Spring
> >>> WebApplicationInitializer types detected on classpath
> >>> 22-Mar-2021 10:10:02.552 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log
> >>> [CompressingFilter/1.7.1] CompressingFilter has initialized
> >>> 22-Mar-2021 10:10:02.910 INFO [localhost-startStop-1]
> >>> org.apache.catalina.core.ApplicationContext.log jolokia-agent: Using
> >>> policy access restrictor classpath:/jolokia-access.xml
> >>> 22-Mar-2021 10:10:21.896 SEVERE [http-nio-8080-exec-6]
> >>> org.apache.catalina.realm.JNDIRealm.authenticate Exception
> >>> performing authentication
> >>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
> LdapErr:
> >> DSID-0C0907E9, comment: In order to perform this operation a
> >> successful bind must be completed on the connection., data 0,
> >> v2580^@]; remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>> 22-Mar-2021 10:16:18.580 SEVERE [http-nio-8080-exec-8]
> >>> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception
> >>> performing authentication
> >>> javax.naming.NamingException: LDAP connection has been closed;
> >> remaining name 'DC=BCINTRA,DC=CH'
> >>>
> >>>
> >>>
> >>>
> >>> What are we missing?
> >>
> >> Because your AD server sees the connection, it's probably not a TLS
> >> handshake failure, but I was wondering if it was a TLS handshake failure.
> >> Recent Java versions have e.g. disabled TLSv1 and TLSv1.1, but I
> >> think that was done at 1.8 patch 291 and you are on patch 281
> >>
> >> Maybe you should be using port 3269 instead of 3268? Looks like 3269
> >> is for TLS and 3268 is for plaintext.
> >>
> >>
> >> You say that ldapsearch works. Can you post that command-line?
> >>
> >> -chris
> >>
> B‹KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
> >> KKKKKKKKKCB•È[œÝXœØÜšX™KK[XZ[
> >>
> >> ˆ\Ù\œË][œÝXœØÜšX™PÛXØ]
> >> ˜\XÚK›Ü™ÃB‘›ÜˆY][Û˜[ÛÛ[X[™ËK[XZ[
> >>
> >> ˆ\Ù\œËZ[ÛXØ]
> >> ˜\XÚK›Ü™ÃBƒ
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to