LDAP TLS: LDAP connection failed.

Hello,

I'm trying to switch my LDAP connection to TLS towards my LDAP server, which on my test machine is local.

So I set:
LDAP server name or IP: tls:localhost

and I get the error message: LDAP connection failed.

On the LDAP side:

Jan 29 14:41:28 mail slapd[16227]: conn=1005 fd=20 ACCEPT from IP=127.0.0.1:51213 (IP=0.0.0.0:389)
Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 STARTTLS
Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 RESULT oid= err=0 text=
Jan 29 14:41:28 mail slapd[16227]: conn=1005 fd=20 closed (TLS negotiation failure)

On the BM side:

2014-01-29 13:42:11,560 n.b.c.UserManagement INFO - Accepting token as password for admin0@global.virt in bm-hps-ping
2014-01-29 13:42:11,561 n.b.c.s.SyncServlet INFO - handler responded to login/validate in 1ms.
2014-01-29 13:42:11,568 n.b.c.h.u.UiBindingImpl INFO - run custom ldap.import.testConnection, ctx.size: 13
2014-01-29 13:42:11,568 n.b.s.l.i.u.TestLDAPConnectionCommand INFO - running connection test to tls:localhost with login: 'cn=ldapreader,ou=Virtual,ou=People,dc=makina-corpus,dc=fr', user filter: '(&(objectClass=inetOrgPerson)(!(ou:dn:=Externes))(!(ou:dn:=ldapreader))(!(ou:dn:=ldapwriter))(!(ou:dn:=replicator))(!(uid=robertwiki))(!(uid=subversion_access))(!(uid=fd-admin))(!(cn=NextFreeUnixId))(!(cn=CDI_*))(!(uid=sugarcrm))(!(uid=listuser))(!(uid=campagne)))', group filter: '(objectClass=posixGroup)', external ID: 'entryUUID'
2014-01-29 13:42:11,772 o.a.d.l.c.a.LdapNetworkConnection ERROR - Message failed : something wrong has occurred
2014-01-29 13:42:11,773 n.b.s.l.i.s.t.LdapHelper ERROR - Fail to connect to LDAP server: tls:localhost
org.apache.directory.ldap.client.api.exception.InvalidConnectionException: Error while sending some message : the session has been closed
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3812) ~[shared-all-1.0.0-M12.jar:1.0.0-M12]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1170) ~[shared-all-1.0.0-M12.jar:1.0.0-M12]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1075) ~[shared-all-1.0.0-M12.jar:1.0.0-M12]
	at net.bluemind.lib.ldap.LdapConProxy.bind(LdapConProxy.java:179) ~[net.bluemind.lib.ldap_1.0.0.b11202.jar:na]
	at net.bluemind.system.ldap.importation.scanner.tools.LdapHelper.connectLdap(LdapHelper.java:181) [net.bluemind.system.ldap.importation.scanner_1.0.0.b11202.jar:na]
	at net.bluemind.system.ldap.importation.scanner.tools.LdapHelper.checkLDAPParameters(LdapHelper.java:83) [net.bluemind.system.ldap.importation.scanner_1.0.0.b11202.jar:na]
	at net.bluemind.system.ldap.importation.ui.TestLDAPConnectionCommand.run(TestLDAPConnectionCommand.java:68) [net.bluemind.system.ldap.importation_1.0.0.b11202.jar:na]
	at net.bluemind.core.handler.ui.UiBindingImpl.runCustom(UiBindingImpl.java:80) [net.bluemind.core.handler.ui_1.0.0.b11202.jar:na]
	at net.bluemind.core.handler.ui.UiHandler$4.execute(UiHandler.java:115) [net.bluemind.core.handler.ui_1.0.0.b11202.jar:na]
	at net.bluemind.core.server.SecureMethod.execute(SecureMethod.java:56) [net.bluemind.core_1.0.0.b11202.jar:na]
	at net.bluemind.core.server.AbstractSyncHandler.handle(AbstractSyncHandler.java:94) [net.bluemind.core_1.0.0.b11202.jar:na]
	at net.bluemind.core.server.SyncServlet.handleQuery(SyncServlet.java:140) [net.bluemind.core_1.0.0.b11202.jar:na]
	at net.bluemind.core.server.SyncServlet.service(SyncServlet.java:98) [net.bluemind.core_1.0.0.b11202.jar:na]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) [javax.servlet_2.5.0.v201103041518.jar:na]
	at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180) [org.eclipse.equinox.http.registry_1.1.100.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) [javax.servlet_2.5.0.v201103041518.jar:na]
	at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:317) [org.eclipse.equinox.http.jetty_2.0.100.v20110502.jar:na]
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.Server.handle(Server.java:326) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582) [org.mortbay.jetty.util_6.1.23.v201012071420.jar:na]
2014-01-29 13:42:11,774 n.b.c.s.SyncServlet ERROR - sending ServerFault: LDAP connection failed.
net.bluemind.core.api.fault.ServerFault: LDAP connection failed.
	at net.bluemind.system.ldap.importation.scanner.tools.LdapHelper.checkLDAPParameters(LdapHelper.java:88) ~[na:na]
	at net.bluemind.system.ldap.importation.ui.TestLDAPConnectionCommand.run(TestLDAPConnectionCommand.java:68) ~[na:na]
	at net.bluemind.core.handler.ui.UiBindingImpl.runCustom(UiBindingImpl.java:80) ~[na:na]
	at net.bluemind.core.handler.ui.UiHandler$4.execute(UiHandler.java:115) ~[na:na]
	at net.bluemind.core.server.SecureMethod.execute(SecureMethod.java:56) ~[na:na]
	at net.bluemind.core.server.AbstractSyncHandler.handle(AbstractSyncHandler.java:94) ~[na:na]
	at net.bluemind.core.server.SyncServlet.handleQuery(SyncServlet.java:140) ~[na:na]
	at net.bluemind.core.server.SyncServlet.service(SyncServlet.java:98) ~[na:na]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) [javax.servlet_2.5.0.v201103041518.jar:na]
	at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180) [org.eclipse.equinox.http.registry_1.1.100.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68) [org.eclipse.equinox.http.servlet_1.1.200.v20110502.jar:na]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) [javax.servlet_2.5.0.v201103041518.jar:na]
	at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:317) [org.eclipse.equinox.http.jetty_2.0.100.v20110502.jar:na]
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.Server.handle(Server.java:326) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409) [org.mortbay.jetty.server_6.1.23.v201012071420.jar:na]
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582) [org.mortbay.jetty.util_6.1.23.v201012071420.jar:na]

If I switch to plaintext it works.

Shouldn't I put my CA's public key somewhere in BM?

Additional info: if I run an ldapsearch with StartTLS locally it works, and I have an external replica that fetches the data over StartTLS, which works too.

BM version: 3.0 BETA
Distribution: Debian Wheezy

Regards

Is it a self-signed certificate on your LDAP directory?
What ldapsearch command (parameters) are you using?

If you add the directive TLS_REQCERT never to the file /etc/ldap/ldap.conf on the BlueMind server and then restart the bm-core service, does it work?

Sorry, I hadn't come back to this topic.

An ldapsearch command that works:

ldapsearch -v -ZZ -H ldap://127.0.0.1 -D "uid=gch,ou=People,dc=makina-corpus,dc=fr" -W -b "uid=gch,ou=People,dc=makina-corpus,dc=fr"

In the server's ldap.conf:

URI ldap:/// ldaps:///
TLS_CACERT      /etc/ssl/entreprise/cacert.pem
TLS_REQCERT never

Hello,

Personally, here is how my ldap + starttls setup is arranged

BASE dc=domain,dc=com
URI ldap://127.0.0.1:389/
TLS_CACERT /etc/ssl/certs/certif.crt
TLS_REQCERT demand

You must clearly distinguish SSL (ldaps://) from StartTLS.
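As an added example (not code from the thread, and not BlueMind's or OpenLDAP's own code), the following Python does two things a reviewer of this thread would want: it parses the ldap.conf TLS directives discussed above (URI, TLS_CACERT, TLS_REQCERT) and flags the weak `never` setting against the `demand` setting from the last post, and it scans slapd log lines for the pattern in the first post, where the server accepts the StartTLS extended operation (`RESULT err=0`) and then closes with "TLS negotiation failure". The two config snippets and the four slapd lines are copied from the thread; the function and class names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# --- Part 1: ldap.conf TLS directives -------------------------------------

@dataclass
class LdapTlsConfig:
    uris: List[str] = field(default_factory=list)
    cacert: Optional[str] = None
    # ldap.conf(5): TLS_REQCERT defaults to "demand" when the directive is absent
    reqcert: str = "demand"

def parse_ldap_conf(text: str) -> LdapTlsConfig:
    """Parse the TLS-related directives from ldap.conf-style text.
    Only URI, TLS_CACERT and TLS_REQCERT are handled; other lines are ignored."""
    cfg = LdapTlsConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "URI":
            cfg.uris.extend(value.split())    # URI may list several servers
        elif key == "TLS_CACERT":
            cfg.cacert = value
        elif key == "TLS_REQCERT":
            cfg.reqcert = value.lower()
    return cfg

def assess_tls(cfg: LdapTlsConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if cfg.reqcert == "never":
        findings.append("TLS_REQCERT never: the server certificate is not checked, "
                        "so the channel is encrypted but the peer is unauthenticated")
    elif cfg.reqcert in ("allow", "try"):
        findings.append(f"TLS_REQCERT {cfg.reqcert}: a bad certificate is tolerated "
                        "in some cases; use demand in production")
    if cfg.reqcert == "demand" and cfg.cacert is None:
        findings.append("TLS_REQCERT demand without TLS_CACERT: a certificate from a "
                        "private CA fails verification unless that CA is already in "
                        "the library's default trust store")
    for uri in cfg.uris:
        if uri.startswith("ldaps://"):
            findings.append(f"URI {uri}: TLS on connect (LDAPS), not StartTLS; "
                            "check that the client is configured for the right mode")
    return findings

# Config snippets as posted in the thread (the "never" one and the "demand" one)
WEAK_CONF = """URI ldap:/// ldaps:///
TLS_CACERT      /etc/ssl/entreprise/cacert.pem
TLS_REQCERT never
"""
HARDENED_CONF = """BASE dc=domain,dc=com
URI ldap://127.0.0.1:389/
TLS_CACERT /etc/ssl/certs/certif.crt
TLS_REQCERT demand
"""

# --- Part 2: slapd log: StartTLS accepted, handshake failed ----------------

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
STARTTLS_RE = re.compile(r"conn=(\d+) op=\d+ STARTTLS")
TLS_FAIL_RE = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")

def find_failed_starttls(log_lines) -> List[Tuple[str, str]]:
    """Return (conn id, client ip) for connections where slapd logged STARTTLS
    and then closed the connection with a TLS negotiation failure: the
    extended operation was accepted, so the problem is in the handshake itself
    (for example the client rejecting the server certificate)."""
    client_ip = {}
    started = set()
    failed = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = STARTTLS_RE.search(line)
        if m:
            started.add(m.group(1))
            continue
        m = TLS_FAIL_RE.search(line)
        if m and m.group(1) in started:
            failed.append((m.group(1), client_ip.get(m.group(1), "?")))
    return failed

# slapd lines copied from the first post
SLAPD_LOG = [
    "Jan 29 14:41:28 mail slapd[16227]: conn=1005 fd=20 ACCEPT from IP=127.0.0.1:51213 (IP=0.0.0.0:389)",
    "Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037",
    "Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 STARTTLS",
    "Jan 29 14:41:28 mail slapd[16227]: conn=1005 op=0 RESULT oid= err=0 text=",
    "Jan 29 14:41:28 mail slapd[16227]: conn=1005 fd=20 closed (TLS negotiation failure)",
]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_tls(parse_ldap_conf(conf)))
    print("failed StartTLS handshakes:", find_failed_starttls(SLAPD_LOG))
```

The log check deliberately keys on the STARTTLS line rather than on the `EXT oid=1.3.6.1.4.1.1466.20037` line, since slapd logs the StartTLS OID in both forms; either would do. A `never` finding is the trade-off the second post proposes as a diagnostic step: it makes the handshake succeed against a certificate the client cannot verify, at the cost of not authenticating the server, which is why the last post's `demand` with a matching TLS_CACERT is the setting to keep once the CA is in place.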