[
https://issues.apache.org/jira/browse/GERONIMO-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12566123#action_12566123
]
Sakari Maaranen commented on GERONIMO-3812:
-------------------------------------------
I also created an LDAP security realm with an LDAPS URL and the SSL protocol. This
gives the following errors in geronimo.log:
2008-02-06 07:51:36,080 WARN SecurityRealmPortlet: Test login failed
javax.security.auth.login.LoginException: LDAP Error
at org.apache.geronimo.security.realm.providers.LDAPLoginModule.login(LDAPLoginModule.java:161)
at org.apache.geronimo.console.util.KernelManagementHelper.testLoginModule(KernelManagementHelper.java:423)
at org.apache.geronimo.console.util.PortletManager.testLoginModule(PortletManager.java:168)
at org.apache.geronimo.console.securitymanager.realm.SecurityRealmPortlet.actionAttemptLogin(SecurityRealmPortlet.java:340)
at org.apache.geronimo.console.securitymanager.realm.SecurityRealmPortlet.processAction(SecurityRealmPortlet.java:221)
at org.apache.pluto.core.PortletServlet.dispatch(PortletServlet.java:229)
at org.apache.pluto.core.PortletServlet.doGet(PortletServlet.java:158)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
...
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.naming.CommunicationException: simple bind failed: localhost:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
...
I think it means that some way of setting up trusted certificates for LDAP
security realms is needed. Otherwise Geronimo cannot connect to LDAPS, because
it cannot trust the LDAPS certificate.
> Geronimo 2.0.2 misses ApacheDS (LDAP) function
> ----------------------------------------------
>
> Key: GERONIMO-3812
> URL: https://issues.apache.org/jira/browse/GERONIMO-3812
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: documentation, Plugins
> Affects Versions: 2.0.2
> Environment: Debian Linux, java version "1.5.0_14",
> geronimo-tomcat6-jee5-2.0.2
> Reporter: Sakari Maaranen
>
> Geronimo documentation at
> http://cwiki.apache.org/GMOxDOC20/ldap-sample-application.html talks about
> org.apache.geronimo.configs/directory in system modules, but that does not
> exist in Geronimo 2.0.2.
> There is also a reference to Geronimo plugins. However, when I go to Plugins
> in the Geronimo console and search the geronimo-2.0.2 repository there is
> nothing related to ApacheDS or Directory. It is as if the ApacheDS function
> were completely missing.
> The ApacheDS plugin should be added to the 2.0.2 plugin repository. The
> documentation should be updated to give the steps how to install ApacheDS
> with or without the plugin. The LDAP demo is useless if ApacheDS is
> unavailable.
> I found this much earlier discussion on the topic:
> http://www.mail-archive.com/[email protected]/msg52749.html
> http://www.mail-archive.com/[email protected]/msg55148.html
> Frankly, I don't think that forward compatibility is so much an issue, but
> 2.0.2 completely lacking an LDAP server is. It would be better to have it, even
> without forward compatibility.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
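The innermost cause in the trace quoted above, `unable to find valid certification path to requested target`, means the JVM running Geronimo has no trust anchor for the certificate chain the LDAPS server on `localhost:636` presented, so the JNDI simple bind that `LDAPLoginModule.login` performs is rejected before any LDAP traffic is sent. The program below is an added example, not code from Geronimo, ApacheDS or the JIRA thread. It repeats the TLS handshake against a given trust store, prints the subject and issuer of each certificate the server sent when validation fails (without ever accepting an unvalidated chain), and, once the handshake passes, performs the same `com.sun.jndi.ldap` simple bind the realm does with `javax.net.ssl.trustStore` pointed at that store. The host, port, trust-store path and password, bind DN and class name are all assumptions chosen for the illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not Geronimo code: reproduce the LDAPS trust failure from the log
// above, show which chain the server presented, then retry the realm's simple bind
// with a trust store that contains the issuing CA.  All arguments are assumptions.
public class LdapsTrustCheck {

    // Wraps the JVM's real X509TrustManager so the presented chain is kept for
    // display even when PKIX path building rejects it.  It never accepts more.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastChain = chain;                            // record first, then validate for real
            delegate.checkServerTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());     // JKS on Java 5
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password.toCharArray()); } finally { in.close(); }
        return ks;
    }

    static X509TrustManager platformTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                             // null would mean the JVM default cacerts
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    // TLS handshake only, no LDAP traffic.  Returns true if the chain validates against
    // trustStore; otherwise prints the chain so the operator knows which CA to import.
    static boolean handshake(String host, int port, KeyStore trustStore) throws Exception {
        RecordingTrustManager tm = new RecordingTrustManager(platformTrustManager(trustStore));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.setSoTimeout(10000);
            sock.startHandshake();
            return true;
        } catch (SSLHandshakeException e) {               // "PKIX path building failed: ..."
            System.out.println("handshake failed: " + e.getMessage());
            if (tm.lastChain != null) for (X509Certificate c : tm.lastChain)
                System.out.println("  subject=" + c.getSubjectX500Principal()
                        + "\n  issuer =" + c.getIssuerX500Principal());
            return false;
        } finally { sock.close(); }
    }

    // The same JNDI simple bind the LDAPLoginModule performs.  JNDI's LDAP provider
    // uses the JVM default SSLSocketFactory, which reads javax.net.ssl.trustStore when
    // first initialised, so set the properties before any other TLS use in this JVM.
    static void simpleBind(String url, String dn, String password,
                           String trustStorePath, String trustStorePassword) throws NamingException {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        new InitialDirContext(env).close();               // CommunicationException if TLS fails
    }

    // usage: java LdapsTrustCheck localhost 636 truststore.jks changeit "uid=admin,ou=system" secret
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = Integer.parseInt(args[1]);
        if (!handshake(host, port, loadTrustStore(args[2], args[3]))) {
            System.out.println("import the issuing CA, e.g. keytool -importcert -trustcacerts"
                    + " -alias ldaps-ca -file ca.pem -keystore " + args[2]);
            System.exit(1);
        }
        simpleBind("ldaps://" + host + ":" + port, args[4], args[5], args[2], args[3]);
        System.out.println("simple bind over LDAPS succeeded");
    }
}
```

Two caveats for anyone applying this to the realm itself. First, `javax.net.ssl.trustStore` replaces the JVM's default `cacerts` for every TLS connection in that JVM rather than adding to it, so either import the LDAPS server's issuing CA into (a copy of) `$JAVA_HOME/jre/lib/security/cacerts` or make sure the custom store also carries whatever public roots the server otherwise needs; the same two properties then have to be passed as system properties to the JVM that starts Geronimo (how its launcher script takes them is an assumption to check against the installed version). Second, import only the CA certificate (or, for a self-signed server certificate, that certificate itself); replacing the trust manager with one that accepts everything would make the error go away but would let any host on the path terminate the TLS session and read the bind password the realm sends.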