SSL and authentication questions #12

Open
jbartelt9 opened this issue Jan 16, 2014 · 5 comments

Comments

@jbartelt9

(1) One of my colleagues just installed this, but ldaps does not seem to work at all. When I try to use ldaps I get this error:
[16:23:35] ERROR [org.apache.directory.shared.asn1.ber.grammar.AbstractGrammar] - ERR_00001 Bad transition from state START_STATE, tag 0x80
[16:23:35] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
org.apache.mina.filter.codec.ProtocolDecoderException: org.apache.directory.shared.ldap.message.ResponseCarryingMessageException: ERR_00002 Bad transition !

(2) Our primary purpose of setting this up was to use it as an authentication source, not authorization. However the wiki also says: "Authentication can only be achieved through a BIND operation." What does that mean? That it isn't really usable for authentication?

Thanks for any help.

@dwimberger
Owner

@ 1) Could you share your configuration details (without your secrets)? The error sounds like SSL was not enabled, or like the LDAPS connection talks to a non-SSL listener.

@ 2) It means that you cannot retrieve the secrets (usually stored as hashes) through the server to compare them yourself against a hash you produce yourself from the password.

Yes, you can authenticate, the BIND is the standard operation. However, some products work differently (retrieving the hashes as described before) and these are not supported. Therefore I made the note in the Wiki :)
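
The distinction drawn above, as an added example (this is not code from crowd-ldap-server). Two authentication models are shown against two constructed in-memory directories: a classic directory that lets a privileged reader fetch `userPassword` hashes, and a stand-in for the Crowd bridge, which answers a BIND but never serves the stored secret. The BindRequest is encoded exactly as RFC 4511 specifies; the `{SSHA}` hashing and the `DirectoryStandIn` class are illustrative assumptions, not the project's internals.

```python
"""BIND-based authentication versus local hash comparison.  Added example, not
code from crowd-ldap-server.  DirectoryStandIn(exposes_hashes=False) models a
server that answers BIND but never returns userPassword, as described above."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _ber(tag: int, payload: bytes) -> bytes:
    """BER TLV with short-form length (payloads here are well under 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one short-form BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths are not needed for this demo"
    start = pos + 2
    return tag, buf[start:start + length], start + length


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAP BindRequest with simple authentication (RFC 4511 section 4.2).  The
    clear-text password is inside the message, which is why a simple bind must only
    ever cross a TLS-protected connection (ldaps:// or StartTLS)."""
    bind = (_ber(0x02, b"\x03")                    # version 3
            + _ber(0x04, dn.encode())              # name
            + _ber(0x80, password.encode()))       # authentication CHOICE: simple [0]
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, bind))  # [APPLICATION 0]


def parse_simple_bind_request(msg: bytes) -> Tuple[str, str]:
    """Server side: recover (dn, password) from a simple BindRequest."""
    _, body, _ = _tlv(msg)                         # LDAPMessage SEQUENCE
    _, _, pos = _tlv(body)                         # messageID
    tag, bind, _ = _tlv(body, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _, pos = _tlv(bind)                         # version
    _, dn, pos = _tlv(bind, pos)
    tag, pw, _ = _tlv(bind, pos)
    assert tag == 0x80, "only simple authentication is modelled here"
    return dn.decode(), pw.decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted SHA-1 in the {SSHA} userPassword form many directories store."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(stored: bytes, password: str) -> bool:
    """What a product that 'retrieves the hashes' has to do on its own side."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]              # 20-byte SHA-1 digest, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class DirectoryStandIn:
    """Constructed in-memory directory.  exposes_hashes=True mimics a server that
    returns userPassword to a privileged reader; False mimics the Crowd bridge."""

    def __init__(self, exposes_hashes: bool):
        self.exposes_hashes = exposes_hashes
        self._entries = {}

    def add_user(self, dn: str, password: str) -> None:
        self._entries[dn] = {"userPassword": ssha_hash(password)}

    def bind(self, request: bytes) -> int:
        """Verify the credential server-side; returns an LDAP resultCode."""
        dn, password = parse_simple_bind_request(request)
        entry = self._entries.get(dn)
        if entry is not None and verify_ssha(entry["userPassword"], password):
            return 0                               # success
        return 49                                  # invalidCredentials

    def read_user_password(self, dn: str) -> Optional[bytes]:
        if not self.exposes_hashes:
            return None                            # the attribute is never served
        return self._entries.get(dn, {}).get("userPassword")


def authenticate_via_bind(directory: DirectoryStandIn, dn: str, password: str) -> bool:
    """Model 1 (supported): hand the credential to the server and trust its verdict."""
    return directory.bind(simple_bind_request(1, dn, password)) == 0


def authenticate_via_hash_lookup(directory: DirectoryStandIn, dn: str, password: str) -> bool:
    """Model 2 (the 'some products work differently' case): fetch the hash and compare
    locally.  Fails closed when the directory does not serve the attribute."""
    stored = directory.read_user_password(dn)
    return stored is not None and verify_ssha(stored, password)
```

Against the bridge-like directory only `authenticate_via_bind` succeeds; `authenticate_via_hash_lookup` fails closed because `userPassword` is never returned, which is the situation the wiki note warns about. An application that insists on reading the hash attribute will therefore reject valid users rather than misbehave silently.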

@jbartelt9
Author

On Wed, 15 Jan 2014, dwimberger wrote:

> @1) Could you share your configuration details (without your secrets)? The error sounds like SSL was not enabled, or like the LDAPS connection talks to a non-SSL listener.

Here is our 'crowd-ldap-server.properties'. Let me know if there is anything else that would be of use.

Crowd LDAP Server Configuration

listener.port=636

#LDAPS
#ssl.enabled=false

ssl.enabled=true
ssl.keystore=/u1/cert/keystore/crowd-new.keystore
ssl.certificate.password=ZZZZZZZZ
#ssl.keystore=/u1/cert/keystore/crowd-ldap-server.keystore
#ssl.certificate.password=changeit

> @2) It means that you cannot retrieve the secrets (usually stored as hashes) through the server to compare them yourself against a hash you produce yourself from the password.
>
> Yes, you can authenticate, the BIND is the standard operation. However, some products work differently (retrieving the hashes as described before) and these are not supported. Therefore I made the note in the Wiki :)

Thanks, I'll have to see if that will work with the app I am trying to deploy.

John

@jbartelt9
Author

Here is another error message I get on the client side:

additional info: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

@dwimberger
Owner

John:

Your error messages somehow indicate that there is no SSL response from the server. So either the client is connecting to the wrong server or the server startup is going wrong and only a normal listener is started on the port.

Two things that come to mind:

  1. Have you checked if https://github.com/dwimberger/crowd-ldap-server/blob/master/testAuthSSL.sh works for you? (You will need to adjust the port).
  2. If 1) doesn't work: Could you post startup log entries for your SSL enabled configuration?

Regards,
Dieter
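
A way to settle "is anything speaking TLS on that port" without guessing, as an added example (this is not code from crowd-ldap-server, and the listener it starts is a constructed stand-in for a server that came up on port 636 without TLS). The two error messages in this thread fit together: an LDAP decoder that reports `tag 0x80` at `START_STATE` has read bytes that are not a BER `SEQUENCE` (0x30), and 0x80 is the first byte of the SSLv2-compatible ClientHello that OpenSSL's SSLv23 client code used to send; the plaintext server then answers with a BER-encoded disconnect notice, which is not a TLS record, so OpenSSL's `SSL23_GET_SERVER_HELLO` reports `unknown protocol`. The probe below sends a minimal TLS 1.2 ClientHello and classifies the first reply byte; `probe_listener`, `classify_first_byte` and the fake listener are this example's own names.

```python
"""Triage for "ldaps:// does not work": find out from the first byte on the wire
whether a listener answers TLS or plain LDAP.  Added example, not code from
crowd-ldap-server; the listener started at the bottom is a constructed stand-in
for a server that came up on port 636 without TLS."""
import socket
import threading
from typing import Tuple

NOTICE_OF_DISCONNECTION_OID = b"1.3.6.1.4.1.1466.20036"   # RFC 4511 section 4.4.1


def classify_first_byte(first: int) -> str:
    """Name the protocol from the first byte a peer sent.

    TLS records carry a content type of 0x14..0x17 (ServerHello 0x16, alert 0x15).
    OpenSSL's old SSLv23 client code opened with an SSLv2-compatible ClientHello whose
    first byte has the high bit set, i.e. 0x80, the 'tag 0x80' an LDAP decoder would
    complain about.  Every LDAP message is a BER SEQUENCE and therefore starts 0x30.
    """
    if 0x14 <= first <= 0x17:
        return "tls-record"
    if first == 0x30:
        return "ldap-ber-sequence"
    if first & 0x80:
        return "sslv2-client-hello"
    return "unknown"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello: one cipher suite, no extensions.  Enough to make a
    TLS listener answer with a ServerHello or an alert, and a plaintext LDAP listener
    answer with a BER-encoded error."""
    body = (b"\x03\x03"                 # client_version TLS 1.2
            + bytes(32)                 # client_random, all zero: a probe, not a session
            + b"\x00"                   # empty session_id
            + b"\x00\x02\xc0\x2f"       # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")              # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send the ClientHello and classify the first byte that comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(1)
        except socket.timeout:
            return "no-reply"
    return classify_first_byte(reply[0]) if reply else "closed-without-reply"


def _ber(tag: int, payload: bytes) -> bytes:
    """BER TLV with short-form length (payloads here are well under 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def build_disconnect_notice() -> bytes:
    """LDAP Notice of Disconnection (protocolError) as an unsolicited ExtendedResponse,
    the kind of reply a plaintext LDAP server sends when what it reads is not BER."""
    extended = (_ber(0x0A, b"\x02")                        # resultCode protocolError(2)
                + _ber(0x04, b"")                          # matchedDN
                + _ber(0x04, b"not an LDAP message")       # diagnosticMessage
                + _ber(0x8A, NOTICE_OF_DISCONNECTION_OID)) # responseName [10] LDAPOID
    return _ber(0x30, _ber(0x02, b"\x00") + _ber(0x78, extended))  # messageID 0, [APPLICATION 24]


def start_fake_plaintext_ldap() -> Tuple[str, int]:
    """Constructed stand-in for a server whose TLS never came up: it accepts one
    connection, reads the client's bytes and answers with the disconnect notice."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(build_disconnect_notice())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    host, port = start_fake_plaintext_ldap()
    print(probe_listener(host, port))    # ldap-ber-sequence: no TLS on this port
```

Run `probe_listener("your-host", 636)` against the real server: `tls-record` means the handshake reached a TLS listener and the problem is elsewhere (certificate, trust store, client settings); `ldap-ber-sequence` means the port is serving plain LDAP and the server's SSL configuration never took effect. The same check by hand is `openssl s_client -connect your-host:636`, which prints the server certificate on success and fails fast on a plaintext listener.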

@jbartelt9
Author

On Tue, 28 Jan 2014, dwimberger wrote:

> John:
>
> Your error messages somehow indicate that there is no SSL response from the server. So either the client is connecting to the wrong server or the server startup is going wrong and only a normal listener is started on the port.
>
> Two things that come to mind:
>
>   1. Have you checked if https://github.com/dwimberger/crowd-ldap-server/blob/master/testAuthSSL.sh works for you? (You will need to adjust the port).

Yes, we tried that first thing. That is one of the ways we knew SSL was not working.

>   2. If 1) doesn't work: Could you post startup log entries for your SSL enabled configuration?

Here:

[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Configuration directory: /u1/product/atlassian/apps/crowd-ldap-server/crowd-ldap-server-1.0.1/etc
[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Starting up CrowdLDAP Server
[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Working directory: /u1/product/atlassian/apps/crowd-ldap-server/crowd-ldap-server-1.0.1/work
[11:03:26] DEBUG [net.wimpi.crowd.ldap.CrowdLDAPServer] - Loading configuration.
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdLDAPServer] - org.apache.directory.server.core.authn.AuthenticationInterceptor@62816281
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - ==> CrowdPartition::init
[11:03:28] INFO [net.wimpi.crowd.ldap.CrowdPartition] - Initializing CrowdPartition with m_Suffix dc=crowd
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - <== CrowdPartition::init
[11:03:29] ERROR [org.apache.directory.shared.ldap.entry.DefaultServerAttribute] - ERR_04450 The value {0} is incorrect, it hasnt been added
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=referral), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=accessControlSubentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=subentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=triggerExecutionSubentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Starting directory listener...

thanks, John
