[lsc-dev] [LDAP Synchronization Connector - Bug #27] Connection on ldaps:// URI

noreply@lsc-project.org
Fri Apr 5 05:03:45 CEST 2013

Issue #27 has been updated by Joko Ari Wibowo.

Hi All,
I currently have a task to synchronize LDAP to another AD; I use LSC to complete the task. I have set up ldaps, imported the certificate into the JVM and am ready to execute LSC. But I get an error while executing LSC.

1. The ldaps seems to run well.
root@ldapserver:~# ldapsearch -x -LLL -H ldaps:// -D "cn=Joko Ari Wibowo,ou=People,dc=contoso,dc=com" -w P@ssw0rd -b "cn=Joko Ari Wibowo,ou=People,dc=contoso,dc=com"
dn: cn=Joko Ari Wibowo,ou=people,dc=contoso,dc=com
cn: Joko Ari Wibowo
givenName: Joko Ari
gidNumber: 500
homeDirectory: /home/users/jwibowo
sn: Wibowo
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: UEBzc3cwcmQ=
uidNumber: 1000
uid: jwibowo

2. I have added the certificate to the JVM:
root@ldapserver:/etc/lsc-2.0.1# /usr/lib/jvm/jre1.7.0/bin/keytool -list -keystore ./jssecacerts
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

contoso, Apr 5, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): C3:0E:56:F0:14:56:7C:5E:CF:07:5D:71:7A:96:82:A8:E3:07:77:1C
mykey, Apr 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 2C:25:58:59:99:2D:50:2E:2A:05:90:EF:2A:93:0E:72:AE:58:F9:57
contoso.com, Apr 4, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): C3:0E:56:F0:14:56:7C:5E:CF:07:5D:71:7A:96:82:A8:E3:07:77:1C
root@ldapserver:/etc/lsc-2.0.1#

3. I have modified the url part of lsc.xml and changed isTlsActivated from "false" to "true":
                        <password>P@ssw0rd</password>

When I execute the command line:
root@ldapserver:/etc/lsc-2.0.1# bin/lsc -f etc all -s all -n

I get the error described below:
Apr 05 09:51:36 - DEBUG - Loading XML configuration from: /etc/lsc-2.0.1/etc/lsc.xml
Apr 05 09:51:36 - INFO  - Reflections took 514 ms to scan 1 urls, producing 60 keys and 226 values
Apr 05 09:51:36 - DEBUG - Importing XML schema file: schemas/lsc-core-2.0.xsd
Apr 05 09:51:37 - INFO  - Logging configuration successfully loaded from /etc/lsc-2.0.1/etc/logback.xml
Apr 05 09:51:37 - INFO  - LSC configuration successfully loaded from /etc/lsc-2.0.1/etc/
Apr 05 09:51:38 - INFO  - Connecting to LDAP server ldaps://,dc=com as cn=admin,dc=contoso,dc=com
Apr 05 09:51:38 - ERROR - Error opening the LDAP connection to the destination! (javax.naming.CommunicationException: simple bind failed: [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target])
Apr 05 09:51:38 - ERROR - org.lsc.exception.LscConfigurationException: java.lang.reflect.InvocationTargetException

Is there a step that I missed? Please advise.
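The "PKIX path building failed" error above means the JVM that runs LSC could not build a chain from the server certificate to a trusted anchor in the truststore it is actually using. The following diagnostic is an added example for this thread, not LSC project code: it loads a given JKS truststore, builds a PKIX trust manager from it, performs a TLS handshake against a host and port supplied on the command line, and prints the presented chain or the validator failure. The host, port, truststore path and password arguments are assumptions for illustration.

```java
// TrustStoreCheck.java -- added diagnostic example; not part of LSC.
// Usage: java TrustStoreCheck <host> <port> <truststore.jks> [password]
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    /** Load a JKS truststore from disk and return the PKIX trust manager built from it. */
    static X509TrustManager loadTrustManager(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        // "PKIX" is the same validator JNDI/JSSE use, so a failure here
        // reproduces the "unable to find valid certification path" error.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager could be built from " + path);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <host> <port> <truststore.jks> [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        // "changeit" is the JDK default truststore password; an assumption here.
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        X509TrustManager tm = loadTrustManager(storePath, password);
        System.out.println("Trust anchors in " + storePath + ": " + tm.getAcceptedIssuers().length);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Turn on LDAPS hostname verification as well, so a certificate whose
            // subject/SAN does not match the URL host is reported here too.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            System.out.println("Handshake OK (" + socket.getSession().getProtocol() + "). Server chain:");
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.out.println("  The server's chain does not lead to an anchor in " + storePath
                    + ", or the hostname does not match the certificate.");
            System.exit(1);
        }
    }
}
```

If this check passes against the jssecacerts file in /etc/lsc-2.0.1 but LSC still fails with the same PKIX error, the JVM running LSC is simply not reading that file: JSSE only picks up a truststore from the javax.net.ssl.trustStore system property or from jssecacerts/cacerts under the JRE's lib/security directory, not from the current working directory.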

Bug #27: Connection on ldaps:// URI

Author: Clément OUDOT
Status: Closed
Priority: Normal
Assigned to: Jonathan Clarke
Category: Core
Target version: 1.1.0
Problem in version: 


My target directory accepts only secured connections, either with ldaps:// or with a startTLS control.

When using a ldaps:// URI in dst.java.naming.provider.url, there is a Java error:

javax.naming.CommunicationException: simple bind failed: localhost:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.interldap.lsc.jndi.JndiServices.<init>(JndiServices.java:101)
        at org.interldap.lsc.jndi.JndiServices.getInstance(JndiServices.java:141)
        at org.interldap.lsc.jndi.JndiServices.getDstInstance(JndiServices.java:127)
        at org.interldap.lsc.jndi.SimpleJndiDstService.getJndiServices(SimpleJndiDstService.java:118)
        at org.interldap.lsc.jndi.AbstractSimpleJndiService.get(AbstractSimpleJndiService.java:111)
        at org.interldap.lsc.jndi.SimpleJndiDstService.getBean(SimpleJndiDstService.java:89)
        at org.interldap.lsc.AbstractSynchronize.synchronizeLdap2Ldap(AbstractSynchronize.java:463)
        at org.interldap.lsc.SimpleSynchronize.launchSyncTask(SimpleSynchronize.java:295)
        at org.interldap.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:140)
        at org.interldap.lsc.Launcher.run(Launcher.java:103)
        at org.interldap.lsc.Launcher.main(Launcher.java:95)

Can we add a feature to support LDAPS and startTLS? Can this be added to 1.1 roadmap?
