Re: [grouper-users] LDAP over SSL error - CertificateException

  • From: Al Lilianstrom <>
  • To: "Mailing List" <>
  • Subject: Re: [grouper-users] LDAP over SSL error - CertificateException
  • Date: Mon, 15 Feb 2021 19:18:01 +0000

Hi Chris,

Thanks for the response. I'll ask to join the slack channel.

Adding follow didn't change anything, but I decided to look at the certs again
(based on your last comment) as this particular domain is using certs from
our internal CA rather than a commercial CA. Turns out that the certificate
issued to enable smartcard usage also had client and server
authentication enabled on it and no SANs. Once I fixed the template and
reissued the cert it worked as expected.

Thanks again for the assist.

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov



________________________________________
From: Hyzer, Chris <>
Sent: Monday, February 15, 2021 8:58 AM
To: Mailing List; Al Lilianstrom
Subject: Re: LDAP over SSL error - CertificateException

Are you on slack to discuss this? 🙂

(ask to join incommon-grouper slack):
https://incommon.org/help/


can you try in grouper-loader.properties (or database config):

ldap.fsLdap.referral = follow

or maybe we need to add all the certs into java as trusted... hmmm
________________________________
From: <> on behalf of Al Lilianstrom <>
Sent: Monday, February 15, 2021 9:21 AM
To: Mailing List <>
Subject: [grouper-users] LDAP over SSL error - CertificateException

New to grouper. Running 2.5.41 in one container. Postgres and Shibboleth in
separate containers. ADLDS over plain LDAP for the subject database.

All good.

Adding an AD domain over SSL to grouper. Trying to use the domain name for the
connection as we do with other apps.

From grouper-loader.properties

ldap.fsLdap.configFileFromClasspath = ldap.fsLdap.properties
ldap.fsLdap.user = CN=dirm,OU=FSA,DC=fs,DC=fnal,DC=gov
ldap.fsLdap.pass = NotIt

ldap.fsLdap.properties

org.ldaptive.ldapUrl=ldaps://fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Getting the following error in the web interface when testing the connection
(under Miscellaneous | External systems)

CertificateException: Hostname '[fs.fnal.gov]' does not match the hostname in
the server's certificate ''

The domain name is in the certificate as a Subject Alternative Name

DNS Name=DC1.fs.fnal.gov
DNS Name=fs.fnal.gov
DNS Name=FS

If I disable SSL the test is successful. Or if I switch to a single DC.

org.ldaptive.ldapUrl=ldaps://dc1.fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Any thoughts on getting this to work?


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
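Added diagnostic for the failure discussed in this thread (not code from the thread, from Grouper or from ldaptive): it reproduces the hostname-versus-SAN check that raises the "does not match the hostname in the server's certificate" error, first against constructed certificate data shaped like Python's SSLSocket.getpeercert() output, and includes a helper that fetches the leaf certificate from a live ldaps endpoint with hostname checking off (chain validation stays on) so a certificate issued without SANs can still be inspected. The sample certificate dicts, the function names and the cafile parameter are assumptions for illustration.

```python
"""Reproduce the LDAPS hostname check from the thread: does the connection
name appear among the server certificate's dNSName SAN entries?"""
import socket
import ssl

def san_dns_names(cert):
    """dNSName SAN entries from a dict as returned by SSLSocket.getpeercert()."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a single leading '*' label
    may stand in for exactly one leftmost label (no match for the bare parent)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def check_hostname(cert, hostname):
    """Return (ok, reason). With no dNSName SANs there is nothing to match,
    which is what the error's empty "hostname in the server's certificate" shows."""
    names = san_dns_names(cert)
    if not names:
        return False, "certificate carries no dNSName SAN entries"
    for name in names:
        if dns_name_matches(name, hostname):
            return True, f"matched SAN dNSName {name!r}"
    return False, f"{hostname!r} is not among SAN dNSNames {names}"

def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Fetch the leaf cert from a live LDAPS endpoint. The chain is still
    verified (pass the internal CA as cafile) but hostname checking is off,
    so a cert with a wrong or missing SAN can be retrieved and inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples (not real certificates) in getpeercert() dict form.
# What the poster believed the DC certificate contained:
CERT_WITH_SANS = {"subjectAltName": (("DNS", "DC1.fs.fnal.gov"),
                                     ("DNS", "fs.fnal.gov"), ("DNS", "FS"))}
# What the follow-up found had actually been issued: a cert with no SANs.
CERT_WITHOUT_SANS = {"subject": ((("commonName", "DC1.fs.fnal.gov"),),)}
```

Run check_hostname(fetch_peer_cert("fs.fnal.gov", cafile="path/to/internal-ca.pem"), "fs.fnal.gov") against a real endpoint to get the reason rather than the bare exception.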
