Hi Emmanuel,

Thanks for your suggestions. Luckily, I found another one that I wanted to share, just in case someone is in the same situation.

Following this guide: https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html I created a custom certificate. Of course, even if I followed all those steps and I plugged the generated cert into ApacheDS, I would still have the same issue. However, I realized that there is a way you can tell Windows to "trust" your self-signed certificate. I followed this guide: https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate. More precisely, I took the generated certificate from the previous step and did steps 5 to 7, which basically means installing the certificate in what Windows calls the "Trusted Root Certification Authorities store".

After that, I can successfully connect :)

Thanks a lot for your help!

On Thu, Sep 8, 2022 at 1:35 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:

> Hi,
>
> likely to be the reason your connection fails.
>
> You have 2 options:
> - make it so your client does not try to validate the self-signed certificate we provide. It should work then. There is no real reason to check the server's certificate in such a scenario, unless it's going to be a production server
> - or set a signed certificate on the server
>
> On 2022/09/08 17:07, Mariano Martinez Peck wrote:
> > Looks like I found the issue? I checked in the Event Viewer, and I found the following error:
> >
> > "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate. The SSPI client process is ldaptest (PID: 4688)."
> >
> > See attached.
> >
> > So what's the path now? I must set trusted CA certified certificates to LDAPS to work?
> >
> > Thanks in advance!
> >
> > On Thu, Sep 8, 2022 at 11:58 AM Mariano Martinez Peck <marianop...@gmail.com> wrote:
> >
> > BTW, my dynamic language client is doing pretty much the same as this C example:
> > https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/example-code-for-establishing-a-session-over-ssl?redirectedfrom=MSDN
> >
> > I compiled and ran that example, and I also get the same error:
> >
> > >ldaptest.exe 127.0.0.1
> >
> > Connecting to host "127.0.0.1" ...
> > Setting Protocol version to 3.
> > Checking if SSL is enabled
> > SSL not enabled.
> > SSL being enabled...
> > ldap_connect failed with 0x51.
> >
> > From what I understand, the 0x51 is the same as my "LDAP_SERVER_DOWN (81)"
> >
> > I tried changing 127.0.0.1 to localhost, 0.0.0.0 etc... they all had the same issue.
> >
> > thanks!
> >
> > On Thu, Sep 8, 2022 at 8:33 AM Mariano Martinez Peck <marianop...@gmail.com> wrote:
> >
> > Hi Emmanuel,
> >
> > Looks like my client is not specifying any concrete version. However, I made sure to allow all of them (at least as a test) on the server. See attached screenshot.
> >
> > Thanks!
> >
> > On Thu, Sep 8, 2022 at 5:11 AM Emmanuel Lécharny <elecha...@gmail.com> wrote:
> >
> > Hi,
> >
> > which TLS version are you using?
> >
> > On 2022/09/07 23:55, Mariano Martinez Peck wrote:
> > > Hi everyone,
> > >
> > > I am using a dynamic language that via FFI it wraps the wldap32 dll. I am using ApacheDS and I can perfectly connect to it from my client using normal LDAP. However, I cannot connect to it when using LDAPS. Yes, the checkbox is checked to start LDAP (on port 10636) and everything seems fine. In fact, from within ApacheDS I can open a connection to LDAPS and it works. The problem is from my client.
> > >
> > > What I noticed is that in the logs, the following is printed:
> > >
> > > [17:28:23] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
> > > javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> > > bytesConsumed = 0 bytesProduced = 7 sequenceNumber = 1
> > >     at org.apache.mina.filter.ssl.SslHandler.closeOutbound(SslHandler.java:497)
> > >     at org.apache.mina.filter.ssl.SslFilter.initiateClosure(SslFilter.java:762)
> > >     at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:693)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> > >     at org.apache.mina.filter.executor.ExecutorFilter.filterClose(ExecutorFilter.java:608)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1155)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:146)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:776)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:769)
> > >     at org.apache.mina.core.session.AbstractIoSession.closeNow(AbstractIoSession.java:353)
> > >     at org.apache.mina.core.service.IoHandlerAdapter.inputClosed(IoHandlerAdapter.java:102)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.inputClosed(DefaultIoFilterChain.java:997)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:49)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.inputClosed(DefaultIoFilterChain.java:1119)
> > >     at org.apache.mina.core.filterchain.IoFilterAdapter.inputClosed(IoFilterAdapter.java:154)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextInputClosed(DefaultIoFilterChain.java:735)
> > >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireInputClosed(DefaultIoFilterChain.java:728)
> > >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:556)
> > >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
> > >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
> > >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
> > >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
> > >     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > >     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> > >     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> > >     at java.base/java.lang.Thread.run(Thread.java:829)
> > >
> > > On my C client, I get the error "LDAP_SERVER_DOWN (81)" when calling the function ldap_simple_bind_s()
> > >
> > > Does this tell anything to anyone?
> > >
> > > Thanks in advance!
> >
> > --
> > *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> > T. +33 (0)4 89 97 36 50
> > P. +33 (0)6 08 33 32 61
> > emmanuel.lecha...@busit.com https://www.busit.com/
> >
> > --
> > Mariano Martinez Peck
> > Email: marianop...@gmail.com
> > Twitter: @MartinezPeck
> > LinkedIn: www.linkedin.com/in/mariano-martinez-peck
> > Blog: https://marianopeck.wordpress.com/

--
Mariano Martinez Peck
Email: marianop...@gmail.com
Twitter: @MartinezPeck
LinkedIn: www.linkedin.com/in/mariano-martinez-peck <https://www.linkedin.com/in/mariano-mart%C3%ADnez-peck/>
Blog: https://marianopeck.wordpress.com/
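
The fix reported at the top of this message, as an added PowerShell example that is not part of the original thread: it fetches the certificate ApacheDS presents on the LDAPS port, reports whether Windows can chain it to a trusted root, and imports the certificate file only when it matches what the server actually serves. The host and port (127.0.0.1:10636, taken from the thread), the file name .\apacheds.cer and the choice of the LocalMachine\Root store are assumptions.

```powershell
# Added example, not from the thread. Assumptions: ApacheDS LDAPS on 127.0.0.1:10636,
# a hypothetical .\apacheds.cer holding the generated certificate, and an elevated
# session (needed to write to LocalMachine\Root).
function Get-LdapsServerCertificate {
    param([string]$HostName = '127.0.0.1', [int]$Port = 10636)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: this connection only captures the certificate
        # for inspection and carries no bind or directory data.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

function Test-CertificateTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed lab cert publishes no CRL
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        SelfSigned  = $Certificate.Subject -eq $Certificate.Issuer
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus.Status) -join ', '
        InRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object Thumbprint -eq $Certificate.Thumbprint)
    }
}

$server = Get-LdapsServerCertificate
Test-CertificateTrust $server      # state before the import

# Import only if the file on disk is the certificate the server actually presents.
$path = (Resolve-Path .\apacheds.cer).Path
$file = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
if ($file.Thumbprint -ne $server.Thumbprint) {
    throw 'apacheds.cer does not match the certificate served on the LDAPS port'
}
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root
Test-CertificateTrust $server      # state after the import

# Remove the trust anchor again once the test server is retired:
# Remove-Item "Cert:\LocalMachine\Root\$($server.Thumbprint)"
```

A root-store entry is trusted by every Schannel client on the machine, so the thumbprint comparison and the removal step keep that trust limited to the one test certificate and to the lifetime of the test server.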