grouper-users - [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)

Subject: Grouper Users - Open Discussion List

[grouper-users] Active Directory, LDAPS, and Grouper (docker based config)


  • From: "David Mak" <>
  • To:
  • Subject: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
  • Date: Mon, 11 Sep 2023 14:44:26 +0000

Greetings.

In need of some advice on configuring Grouper 4.1.6 running in a Docker
environment with an External Systems configuration to connect to an Active
Directory server.

The server is configured with a self-signed SSL certificate/CA cert, which is
extracted via the following command:

openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Configured in our Dockerfile with something along the lines of:

RUN openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/AD_Server.crt
RUN keytool -importcert -trustcacerts -cacerts -noprompt -storepass changeit -file /tmp/AD_Server.crt -alias AD_Server

Connecting to the resultant container with a bash shell shows that the
certificate chain was successfully added, as verified with "keytool -list", but
attempts to test the connection from the Grouper UI result in:

Caused by:
[org.ldaptive.OperationException@140546312::resultCode=PROTOCOL_ERROR,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
message=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed],
providerException=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed]]

And indeed, a tcpdump on the host running Docker shows the connection is
closed due to an SSL handshake issue:

4 0.010043 MYHOSTIP ADHOSTIP TLSv1.2 560 Client Hello
5 0.028978 ADHOSTIP MYHOSTIP TLSv1.2 4381 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7 0.030552 MYHOSTIP ADHOSTIP TLSv1.2 73 Alert (Level: Fatal, Description: Certificate Unknown)
8 0.030686 MYHOSTIP ADHOSTIP TCP 66 60236 → 636 [FIN, ACK] Seq=502 Ack=4316 Win=64128 Len=0 TSval=3083478926 TSecr=2697297744

Questions:
1) Is it the cacerts file in the JDK that I should be installing the certs
into? I even tried manually separating the certs into two files (openssl
returns two) and using two separate Docker COPY commands to put them into
separate files, and importing them with unique aliases using two different RUN
keytool commands, but get the same tcpdump behavior.
2) Is there documentation on connecting Grouper external systems with "custom"
configurations such as self-signed certs, etc.?

Thanks in advance for any advice.
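The "Certificate Unknown" alert above is the JVM rejecting the chain the AD server presented, so the first thing to establish is what the extracted bundle actually contains and whether the leaf verifies against the root you imported. The script below is an added diagnostic, not code from the post or from Grouper: it builds a constructed two-certificate bundle in the leaf-first order `openssl s_client -showcerts` prints, splits it, identifies the self-signed root, and verifies the leaf against it with openssl. It assumes openssl is on PATH; the truststore path and alias in `import_to_truststore` are hypothetical placeholders.

```shell
#!/bin/sh
# Added diagnostic; assumes openssl on PATH. Truststore path/alias are placeholders.
set -eu
WORK=$(mktemp -d)

# Constructed stand-in for the AD server's chain: a throwaway CA and a leaf it
# signed, concatenated leaf-first as `openssl s_client -showcerts | sed ...` would.
make_sample_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Sample Root CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=AD_Server.example.com' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1
  cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/chain.pem"
  echo "$WORK/chain.pem"
}

# Split a -showcerts bundle into dir/cert-1.pem, cert-2.pem, ... and print the count.
split_chain() {   # $1 = bundle, $2 = output dir
  awk -v dir="$2" '/-BEGIN CERTIFICATE-/ { n++ } { print > (dir "/cert-" n ".pem") }' "$1"
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# A self-signed certificate (subject == issuer) is the root to import as a trust anchor.
is_self_signed() {   # $1 = PEM file
  s=$(openssl x509 -noout -subject -in "$1"); i=$(openssl x509 -noout -issuer -in "$1")
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Succeeds only if the leaf chains to the given CA file, the same path-building
# check the JVM performs before it sends "Certificate Unknown".
verify_leaf() {   # $1 = leaf PEM, $2 = CA PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Import a root into an explicit truststore and list it back. Use the keytool of
# the JVM that actually runs Grouper: -cacerts only edits that keytool's own JDK.
import_to_truststore() {   # $1 = truststore path (placeholder), $2 = root PEM, $3 = alias
  keytool -importcert -trustcacerts -noprompt -storepass changeit \
    -keystore "$1" -file "$2" -alias "$3" && keytool -list -storepass changeit -keystore "$1" -alias "$3"
}

BUNDLE=$(make_sample_chain)
COUNT=$(split_chain "$BUNDLE" "$WORK")
echo "bundle holds $COUNT certificates"
for f in "$WORK"/cert-*.pem; do
  if is_self_signed "$f"; then echo "root: $f"; else echo "leaf/intermediate: $f"; fi
done
verify_leaf "$WORK/cert-1.pem" "$WORK/cert-2.pem" && echo "leaf verifies against root"
```

Run the split and verify steps against the real /tmp/AD_Server.crt inside the container; if the leaf does not verify against any self-signed member of the bundle, the server is sending an incomplete chain and the missing issuer must be obtained separately.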
