Hi,

likely to be the reason your connection fails.

You have 2 options:
- make it so your client does not try to validate the self-signed certificate we provide. It should work then. There is no real reason to check the server's certificate in such a scenario, unless it's going to be a production server
- or set a signed certificate on the server


On 2022/09/08 17:07, Mariano Martinez Peck wrote:
Looks like I found the issue? I checked in the Event Viewer, and I found the following error:

"The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.
  The SSPI client process is ldaptest (PID: 4688)."

See attached.

So what's the path now? Must I set trusted, CA-certified certificates for LDAPS to work?

Thanks in advance!



On Thu, Sep 8, 2022 at 11:58 AM Mariano Martinez Peck <marianop...@gmail.com> wrote:

    BTW, my dynamic language client is doing pretty much the same as
    this C example:
    
    https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/example-code-for-establishing-a-session-over-ssl?redirectedfrom=MSDN

    I compiled and ran that example, and I also get the same error:

     >ldaptest.exe 127.0.0.1

    Connecting to host "127.0.0.1" ...
    Setting Protocol version to 3.
    Checking if SSL is enabled
    SSL not enabled.
      SSL being enabled...
    ldap_connect failed with 0x51.

     From what I understand, the 0x51 is the same as my
    "LDAP_SERVER_DOWN (81)"

    I tried changing 127.0.0.1 to localhost, 0.0.0.0 etc...they all had
    the same issue.


    thanks!


    On Thu, Sep 8, 2022 at 8:33 AM Mariano Martinez Peck <marianop...@gmail.com> wrote:

        Hi Emmanuel,

        Looks like my client is not specifying any concrete version.
        However, I made sure to allow all of them (at least as a test)
        on the server. See attached screenshot.

        Thanks!



        On Thu, Sep 8, 2022 at 5:11 AM Emmanuel Lécharny <elecha...@gmail.com> wrote:

            Hi,

            Which TLS version are you using?

            On 2022/09/07 23:55, Mariano Martinez Peck wrote:
             > Hi everyone,
             >
             > I am using a dynamic language that, via FFI, wraps the wldap32 dll. I am
             > using ApacheDS and I can perfectly connect to it from my client using
             > normal LDAP. However, I cannot connect to it when using LDAPS. Yes, the
             > checkbox is checked to start LDAP (on port 10636) and everything seems
             > fine. In fact, from within ApacheDS I can open a connection to LDAPS and it
             > works. The problem is from my client.
             >
             > What I noticed is that in the logs, the following is printed:
             >
             > [17:28:23] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
             > javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
             > bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 1
             >     at org.apache.mina.filter.ssl.SslHandler.closeOutbound(SslHandler.java:497)
             >     at org.apache.mina.filter.ssl.SslFilter.initiateClosure(SslFilter.java:762)
             >     at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:693)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
             >     at org.apache.mina.filter.executor.ExecutorFilter.filterClose(ExecutorFilter.java:608)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:769)
             >     at org.apache.mina.core.session.AbstractIoSession.closeNow(AbstractIoSession.java:353)
             >     at org.apache.mina.core.service.IoHandlerAdapter.inputClosed(IoHandlerAdapter.java:102)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.inputClosed(DefaultIoFilterChain.java:997)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
             >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
             >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireInputClosed(DefaultIoFilterChain.java:728)
             >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:556)
             >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
             >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
             >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
             >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
             >     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
             >     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
             >     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
             >     at java.base/java.lang.Thread.run(Thread.java:829)
             >
             >
             > On my C client, I get the error "LDAP_SERVER_DOWN (81)" when calling the
             > function ldap_simple_bind_s()
             >
             >
             > Does this tell anything to anyone?
             >
             > Thanks in advance!
             >
             >

            --
            *Emmanuel Lécharny - CTO*
            205 Promenade des Anglais – 06200 NICE
            T. +33 (0)4 89 97 36 50
            P. +33 (0)6 08 33 32 61
            emmanuel.lecha...@busit.com
            https://www.busit.com/

            ---------------------------------------------------------------------
            To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
            For additional commands, e-mail: users-h...@directory.apache.org

        --
        Mariano Martinez Peck
        Email: marianop...@gmail.com
        Twitter: @MartinezPeck
        LinkedIn: www.linkedin.com/in/mariano-martinez-peck <https://www.linkedin.com/in/mariano-mart%C3%ADnez-peck/>
        Blog: https://marianopeck.wordpress.com/



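The trust decision behind the Event Viewer error in this thread, reproduced offline as an added example (not code from the thread or from ApacheDS). It uses OpenSSL as a stand-in for the client's TLS stack, and the certificates, file names and function names are constructed for the demonstration. It shows the rejection of a self-signed certificate and a third route between the two options above: keep validation on and add the server's certificate as an explicit trust anchor after checking its fingerprint.

```shell
#!/bin/sh
# Added example. Constructed data: two throwaway self-signed certificates.
# server.crt stands in for the certificate ApacheDS presents on LDAPS;
# other-ca.crt stands in for a CA the client already trusts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate. $1 = file prefix, $2 = subject CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Return 0 only if certificate $1 chains to the trust anchors in file $2,
# which is the decision a validating TLS client makes during the handshake.
is_trusted() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || return 1
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# SHA-256 fingerprint, to compare out of band with the server's copy
# before adding the certificate to any trust store.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_selfsigned server localhost
make_selfsigned other-ca "Constructed Other CA"

# 1. Client trusts only other CAs: validation fails (the Event Viewer case).
if is_trusted "$WORK/server.crt" "$WORK/other-ca.crt"; then
    echo "unexpected: server.crt accepted"
else
    echo "rejected: issuer of server.crt is not a trusted authority"
fi

# 2. Server certificate added as a trust anchor: validation stays on and passes.
cat "$WORK/other-ca.crt" "$WORK/server.crt" > "$WORK/trust.pem"
if is_trusted "$WORK/server.crt" "$WORK/trust.pem"; then
    echo "accepted: server.crt is now an explicit trust anchor"
    echo "fingerprint: $(fingerprint "$WORK/server.crt")"
fi
```

On a Windows client the corresponding step is importing the server's certificate into the Trusted Root Certification Authorities store used by the process.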