[lsc-dev] [LDAP Synchronization Connector - Bug #27] Connection on ldaps:// URI

noreply at lsc-project.org
Fri Apr 5 05:03:45 CEST 2013


Issue #27 has been updated by Joko Ari Wibowo.


Hi All,
I currently have a task to synchronize LDAP to another AD; I use lsc to complete the task. I have set up ldaps, imported the certificate into the JVM and am ready to execute lsc. But I get an error while executing lsc.

1. The ldaps seems to run well.
root@ldapserver:~# ldapsearch -x -LLL -H ldaps://10.10.2.253 -D "cn=Joko Ari Wibowo,ou=People,dc=contoso,dc=com" -w P@ssw0rd -b "cn=Joko Ari Wibowo,ou=People,dc=contoso,dc=com"
dn: cn=Joko Ari Wibowo,ou=people,dc=contoso,dc=com
cn: Joko Ari Wibowo
givenName: Joko Ari
gidNumber: 500
homeDirectory: /home/users/jwibowo
sn: Wibowo
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: UEBzc3cwcmQ=
uidNumber: 1000
uid: jwibowo

2. I have added the certificate to the JVM:
root@ldapserver:/etc/lsc-2.0.1# /usr/lib/jvm/jre1.7.0/bin/keytool -list -keystore ./jssecacerts
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

contoso, Apr 5, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): C3:0E:56:F0:14:56:7C:5E:CF:07:5D:71:7A:96:82:A8:E3:07:77:1C
mykey, Apr 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 2C:25:58:59:99:2D:50:2E:2A:05:90:EF:2A:93:0E:72:AE:58:F9:57
contoso.com, Apr 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): C3:0E:56:F0:14:56:7C:5E:CF:07:5D:71:7A:96:82:A8:E3:07:77:1C
root@ldapserver:/etc/lsc-2.0.1#

3. I have modified the url part of lsc.xml and changed isTlsActivated from "false" to "true":
<ldapConnection>
    <name>ldap-src-conn</name>
    <url>ldaps://10.10.2.253:636/dc=contoso,dc=com</url>
    <username>cn=admin,dc=contoso,dc=com</username>
    <password>P@ssw0rd</password>
    <authentication>SIMPLE</authentication>
    <referral>IGNORE</referral>
    <derefAliases>NEVER</derefAliases>
    <version>VERSION_3</version>
    <pageSize>-1</pageSize>
    <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
    <tlsActivated>true</tlsActivated>
</ldapConnection>

When I execute the command line:
root@ldapserver:/etc/lsc-2.0.1# bin/lsc -f etc all -s all -n

I get the error described below:
Apr 05 09:51:36 - DEBUG - Loading XML configuration from: /etc/lsc-2.0.1/etc/lsc.xml
Apr 05 09:51:36 - INFO  - Reflections took 514 ms to scan 1 urls, producing 60 keys and 226 values
Apr 05 09:51:36 - DEBUG - Importing XML schema file: schemas/lsc-core-2.0.xsd
Apr 05 09:51:37 - INFO  - Logging configuration successfully loaded from /etc/lsc-2.0.1/etc/logback.xml
Apr 05 09:51:37 - INFO  - LSC configuration successfully loaded from /etc/lsc-2.0.1/etc/
.
.
.
Apr 05 09:51:38 - INFO  - Connecting to LDAP server ldaps://10.10.2.253:636/dc=contoso,dc=com as cn=admin,dc=contoso,dc=com
Apr 05 09:51:38 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.CommunicationException: simple bind failed: 10.10.2.253:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target])
Apr 05 09:51:38 - ERROR - org.lsc.exception.LscConfigurationException: java.lang.reflect.InvocationTargetException

Is there a step that I missed? Please advise.
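The "PKIX path building failed: unable to find valid certification path to requested target" in the log above is raised when the JVM cannot chain the server's certificate to any trust anchor in the truststore it is actually using. The JRE consults, in order, the javax.net.ssl.trustStore system property, then <java-home>/lib/security/jssecacerts, then <java-home>/lib/security/cacerts; a jssecacerts file kept in /etc/lsc-2.0.1 is only used if the JVM is pointed at it. The following standalone diagnostic is an added example, not LSC's own code: it loads a JKS truststore, lists which entries are CA certificates, performs a raw TLS handshake against the ldaps host using only that truststore (so the PKIX failure is reproduced outside JNDI and the offered chain is visible), and then repeats the simple bind through the same com.sun.jndi.ldap.LdapCtxFactory that LSC uses, unwrapping the "Root exception" cause chain. The class name, the command-line arguments and all hostnames, DNs and paths in the usage comment are assumptions.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * LdapsTrustCheck (added diagnostic, not part of LSC).
 * Usage, with placeholder values:
 *   java LdapsTrustCheck ldaps://ldap.example.com:636/dc=example,dc=com \
 *        /path/to/jssecacerts changeit "cn=admin,dc=example,dc=com" "$BIND_PW"
 */
public class LdapsTrustCheck {

    /** Load the JKS truststore and print what it anchors. */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        // A server certificate whose issuer is not among these entries is exactly
        // what yields "unable to find valid certification path to requested target".
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                boolean isCa = c.getBasicConstraints() >= 0; // -1 means "not a CA"
                System.out.println("truststore entry " + alias + ": "
                        + c.getSubjectX500Principal() + " (CA=" + isCa + ")");
            }
        }
        return ks;
    }

    /** TLS handshake with ONLY the given truststore; prints the chain the server offers. */
    static void rawHandshake(String host, int port, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
            s.startHandshake(); // throws SSLHandshakeException on a PKIX failure
            for (Certificate cert : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("server chain: " + x.getSubjectX500Principal()
                        + " issued by " + x.getIssuerX500Principal());
            }
        }
    }

    /** Simple bind through JNDI, the same provider LSC configures in <factory>. */
    static void jndiBind(String url, String bindDn, String bindPw, String tsPath, String tsPw) {
        // Same property the JVM consults before falling back to
        // <java-home>/lib/security/jssecacerts and then cacerts.
        System.setProperty("javax.net.ssl.trustStore", tsPath);
        System.setProperty("javax.net.ssl.trustStorePassword", tsPw);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        try {
            new InitialLdapContext(env, null).close();
            System.out.println("JNDI simple bind over LDAPS succeeded");
        } catch (NamingException e) {
            // JNDI wraps the TLS failure in CommunicationException; walk to the root cause.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("cause: " + t.getClass().getName() + ": " + t.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args[0], tsPath = args[1], tsPw = args[2], bindDn = args[3], bindPw = args[4];
        URI u = URI.create(url);
        int port = u.getPort() == -1 ? 636 : u.getPort();
        KeyStore ts = loadTrustStore(tsPath, tsPw);
        try {
            rawHandshake(u.getHost(), port, ts);
        } catch (Exception e) {
            System.out.println("raw TLS handshake failed: " + e);
        }
        jndiBind(url, bindDn, bindPw, tsPath, tsPw);
    }
}
```

If the raw handshake already fails, the truststore does not contain the issuer of the certificate the server actually presents (a certificate imported under two aliases, as in the keytool listing above, does not help if it is not that issuer); if the raw handshake succeeds but the JNDI bind fails, the running JVM is reading a different truststore than the one being edited.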
----------------------------------------
Bug #27: Connection on ldaps:// URI
http://tools.lsc-project.org/issues/27

Author: Clément OUDOT
Status: Closed
Priority: Normal
Assigned to: Jonathan Clarke
Category: Core
Target version: 1.1.0
Problem in version: 


Hello,

My target directory accepts only secured connections, either with ldaps:// or with a StartTLS control.

When using a ldaps:// URI in dst.java.naming.provider.url, there is a Java error:

javax.naming.CommunicationException: simple bind failed: localhost:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.interldap.lsc.jndi.JndiServices.<init>(JndiServices.java:101)
        at org.interldap.lsc.jndi.JndiServices.getInstance(JndiServices.java:141)
        at org.interldap.lsc.jndi.JndiServices.getDstInstance(JndiServices.java:127)
        at org.interldap.lsc.jndi.SimpleJndiDstService.getJndiServices(SimpleJndiDstService.java:118)
        at org.interldap.lsc.jndi.AbstractSimpleJndiService.get(AbstractSimpleJndiService.java:111)
        at org.interldap.lsc.jndi.SimpleJndiDstService.getBean(SimpleJndiDstService.java:89)
        at org.interldap.lsc.AbstractSynchronize.synchronizeLdap2Ldap(AbstractSynchronize.java:463)
        at org.interldap.lsc.SimpleSynchronize.launchSyncTask(SimpleSynchronize.java:295)
        at org.interldap.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:140)
        at org.interldap.lsc.Launcher.run(Launcher.java:103)
        at org.interldap.lsc.Launcher.main(Launcher.java:95)


Can we add a feature to support LDAPS and startTLS? Can this be added to 1.1 roadmap?

