Hi Emmanuel,

Thanks for your suggestions. Luckily, I found another one that I wanted to
share just in case someone is in the same situation.

Following this guide:
https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html
I created a custom certificate. Of course, even if I followed all those steps
and I plugged the generated cert into ApacheDS, I would still have the same
issue. However, I realized that there is a way you can tell Windows to
"trust" your self-signed certificate. I followed this guide:
https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate.
More precisely, I took the generated certificate of the previous step, and
I did steps 5 to 7, which basically means installing the certificate in
what Windows calls the "Trusted Root Certification Authorities store".

After that, I can successfully connect :)

Thanks a lot for your help!


On Thu, Sep 8, 2022 at 1:35 PM Emmanuel Lécharny <elecha...@gmail.com>
wrote:

> Hi,
>
> likely to be the reason your connection fails.
>
> You have 2 options:
> - make it so your client does not try to validate the self-signed
> certificate we provide. It should work then. There is no real reason to
> check the server's certificate in such a scenario, unless it's going to
> be a production server
> - or set a signed certificate on the server
>
>
> On 2022/09/08 17:07, Mariano Martinez Peck wrote:
> > Looks like I found the issue? I checked in the Event Viewer, and I found
> > the following error:
> >
> > "The certificate received from the remote server was issued by an
> > untrusted certificate authority. Because of this, none of the data
> > contained in the certificate can be validated. The TLS connection
> > request has failed. The attached data contains the server certificate.
> >   The SSPI client process is ldaptest (PID: 4688)."
> >
> > See attached.
> >
> > So what's the path now? Must I set trusted, CA-certified certificates for
> > LDAPS to work?
> >
> > Thanks in advance!
> >
> >
> >
> > On Thu, Sep 8, 2022 at 11:58 AM Mariano Martinez Peck
> > <marianop...@gmail.com <mailto:marianop...@gmail.com>> wrote:
> >
> >     BTW, my dynamic language client is doing pretty much the same as
> >     this C example:
> >
> >     https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/example-code-for-establishing-a-session-over-ssl?redirectedfrom=MSDN
> >
> >     I compiled and ran that example, and I also get the same error:
> >
> >      >ldaptest.exe 127.0.0.1
> >
> >     Connecting to host "127.0.0.1" ...
> >     Setting Protocol version to 3.
> >     Checking if SSL is enabled
> >     SSL not enabled.
> >       SSL being enabled...
> >     ldap_connect failed with 0x51.
> >
> >      From what I understand, the 0x51 is the same as my
> >     "LDAP_SERVER_DOWN (81)"
> >
> >     I tried changing 127.0.0.1 to localhost, 0.0.0.0 etc...they all had
> >     the same issue.
> >
> >
> >     thanks!
> >
> >
> >     On Thu, Sep 8, 2022 at 8:33 AM Mariano Martinez Peck
> >     <marianop...@gmail.com <mailto:marianop...@gmail.com>> wrote:
> >
> >         Hi Emmanuel,
> >
> >         Looks like my client is not specifying any concrete version.
> >         However, I made sure to allow all of them (at least as a test)
> >         on the server. See attached screenshot.
> >
> >         Thanks!
> >
> >
> >
> >         On Thu, Sep 8, 2022 at 5:11 AM Emmanuel Lécharny
> >         <elecha...@gmail.com <mailto:elecha...@gmail.com>> wrote:
> >
> >             Hi,
> >
> >             which TLS version are you using ?
> >
> >             On 2022/09/07 23:55, Mariano Martinez Peck wrote:
> >              > Hi everyone,
> >              >
> >              > I am using a dynamic language that wraps the wldap32 DLL via FFI. I am
> >              > using ApacheDS and I can perfectly connect to it from my client using
> >              > normal LDAP. However, I cannot connect to it when using LDAPS. Yes, the
> >              > checkbox is checked to start LDAP (on port 10636) and everything seems
> >              > fine. In fact, from within ApacheDS I can open a connection to LDAPS and it
> >              > works. The problem is from my client.
> >              >
> >              > What I noticed is that in the logs, the following is printed:
> >              >
> >              > [17:28:23] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> >              > javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> >              > bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 1
> >              > at org.apache.mina.filter.ssl.SslHandler.closeOutbound(SslHandler.java:497)
> >              > at org.apache.mina.filter.ssl.SslFilter.initiateClosure(SslFilter.java:762)
> >              > at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:693)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> >              > at org.apache.mina.filter.executor.ExecutorFilter.filterClose(ExecutorFilter.java:608)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:769)
> >              > at org.apache.mina.core.session.AbstractIoSession.closeNow(AbstractIoSession.java:353)
> >              > at org.apache.mina.core.service.IoHandlerAdapter.inputClosed(IoHandlerAdapter.java:102)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.inputClosed(DefaultIoFilterChain.java:997)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> >              > at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> >              > at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireInputClosed(DefaultIoFilterChain.java:728)
> >              > at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:556)
> >              > at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
> >              > at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
> >              > at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
> >              > at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
> >              > at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> >              > at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> >              > at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> >              > at java.base/java.lang.Thread.run(Thread.java:829)
> >              >
> >              >
> >              > On my C client, I get the error "LDAP_SERVER_DOWN (81)" when calling the
> >              > function ldap_simple_bind_s()
> >              >
> >              >
> >              > Does this tell anything to anyone?
> >              >
> >              > Thanks in advance!
> >              >
> >              >
> >
> >             --
> >             *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200
> NICE
> >             T. +33 (0)4 89 97 36 50
> >             P. +33 (0)6 08 33 32 61
> >             emmanuel.lecha...@busit.com
> >             <mailto:emmanuel.lecha...@busit.com> https://www.busit.com/
> >             <https://www.busit.com/>
> >
> >
> >
> >
> >         --
> >         Mariano Martinez Peck
> >         Email: marianop...@gmail.com <mailto:marianop...@gmail.com>
> >         Twitter: @MartinezPeck
> >         LinkedIn: www.linkedin.com/in/mariano-martinez-peck
> >         <https://www.linkedin.com/in/mariano-mart%C3%ADnez-peck/>
> >         Blog: https://marianopeck.wordpress.com/
> >         <https://marianopeck.wordpress.com/>
> >
>
>


-- 
Mariano Martinez Peck
Email: marianop...@gmail.com
Twitter: @MartinezPeck
LinkedIn: www.linkedin.com/in/mariano-martinez-peck
<https://www.linkedin.com/in/mariano-mart%C3%ADnez-peck/>
Blog: https://marianopeck.wordpress.com/
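
The trust step described in the message above, as an added example that is not part of the original thread: a PowerShell script that checks the exported certificate's fingerprint before trusting it, installs it in the current user's Trusted Root store only, and confirms that a TLS handshake to the LDAPS port now passes default validation. The file path, the expected fingerprint, and the host name are assumptions; port 10636 is the one mentioned in the thread.

```powershell
# Assumptions (not from the thread): where the certificate exported from the
# ApacheDS keystore was saved, and the fingerprint recorded when it was generated.
$certPath  = 'C:\certs\apacheds.cer'                       # hypothetical path
$expected  = '<SHA-256 fingerprint recorded at generation>' # placeholder
$ldapsHost = 'localhost'   # assumption: must match the certificate's CN/SAN
$ldapsPort = 10636         # LDAPS port mentioned in the thread

# 1. Load the certificate and compute its SHA-256 fingerprint over the DER bytes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$sha  = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''

# Refuse to add a trust anchor that is not the certificate that was generated.
if ($actual -ne ($expected -replace '[:\s]', '').ToUpper()) {
    throw "Fingerprint mismatch for $certPath (got $actual); not importing."
}

# 2. Install into the *current user's* Trusted Root store, so the trust applies
#    to this test account only and not to every account on the machine.
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 3. Handshake with default validation (chain and host name). This is the same
#    check that previously failed with "untrusted certificate authority".
$tcp = New-Object System.Net.Sockets.TcpClient($ldapsHost, $ldapsPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($ldapsHost)   # throws if validation fails
    "Validated: $($ssl.RemoteCertificate.Subject) over $($ssl.SslProtocol)"
}
finally {
    $tcp.Close()
}

# 4. When the test setup is retired, remove the trust anchor again:
# Get-ChildItem Cert:\CurrentUser\Root |
#     Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```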