grouper-users - Re: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)

Subject: Grouper Users - Open Discussion List

  • From: "Murphy, Kellen J. (wfx6yz)" <>
  • To: "" <>, David Mak <>
  • Subject: Re: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
  • Date: Mon, 11 Sep 2023 16:33:43 +0000

Have a look at this: https://spaces.at.internet2.edu/display/Grouper/Grouper+v2.5+container+SSL+trust+management 

That should all apply to 4.1.6.

You might try dropping the cert from the openssl s_client command into /opt/grouper/certs/anchors/ and running /bin/update-ca-trust in the Dockerfile instead of your keytool command. That might get you past your issue. 

Also... check out the #grouper channel on the InCommon Slack as it's more active and you might get more eyes on the issue. To be added just send a message here: https://incommon.org/help/

Good luck!

Kellen Murphy
he/him/his
Identity Architecture & Solutions Engineer
T +1 (434) 243-7248
University of Virginia
Information Technology Services (ITS)
Michie South
914 Emmet Street N.
P.O. Box 400217
Charlottesville, VA 22903
its.virginia.edu





From: <> on behalf of "David Mak" <>
Sent: Monday, September 11, 2023 10:44 AM
To: <>
Subject: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
 
Greetings.

In need of some advice on configuring Grouper 4.1.6 running in a Docker
environment with an External systems configuration to connect to an Active
Directory server.

The server is configured with a self-signed SSL certificate/CA cert and is
extracted via the following command:
 openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Configured in our Dockerfile with something along the lines of:

RUN openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/AD_Server.crt
RUN keytool -importcert -trustcacerts -cacerts -noprompt -storepass changeit -file /tmp/AD_Server.crt -alias AD_Server

Connecting to the resultant container, with a bash shell, shows that the
certificate chain was successfully added as verified with "keytool list" but
attempts to test the connection from the Grouper UI results in:

Caused by:
[org.ldaptive.OperationException@140546312::resultCode=PROTOCOL_ERROR,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
message=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed],
providerException=javax.naming.CommunicationException: simple bind failed:
AD_Server.example.com:636 [Root exception is java.net.SocketException:
Connection or outbound has closed]]

And indeed, a TCPDump on the host running docker shows the connection is
closed due to an SSL handshake issue:

4   0.010043   MYHOSTIP   ADHOSTIP   TLSv1.2   560    Client Hello
5   0.028978   ADHOSTIP   MYHOSTIP   TLSv1.2   4381   Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7   0.030552   MYHOSTIP   ADHOSTIP   TLSv1.2   73     Alert (Level: Fatal, Description: Certificate Unknown)
8   0.030686   MYHOSTIP   ADHOSTIP   TCP       66     60236 → 636 [FIN, ACK] Seq=502 Ack=4316 Win=64128 Len=0 TSval=3083478926 TSecr=2697297744

Questions:
1) Is it the cacerts file in the JDK that I should be installing the certs
into? I even tried manually separating the certs into two files (openssl
returns two) and using two separate Docker COPY commands to put them into
separate files, and importing them with unique aliases using two different RUN
keytool commands, but get the same tcpdump behavior.
2) Is there documentation on connecting Grouper external systems with "custom"
configurations such as self-signed certs, etc.?

Thanks in advance for any advice.
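An added example, not from either message in the thread, for the step both posts touch on: splitting the chain that the s_client/sed pipeline writes (two certificates in one file, leaf first) into one file per certificate, so each can be inspected and dropped into the anchors directory named in the reply before /bin/update-ca-trust runs. The function names and the AD_Server prefix are hypothetical; the anchors path and update-ca-trust step are the ones from the reply.

```shell
#!/bin/sh
# Split a PEM chain bundle into one file per certificate and report how many
# were found.  Hypothetical helper names; the bundle is whatever
# `openssl s_client -showcerts ... | sed -ne '/-BEGIN CERT.../,/-END CERT.../p'`
# produced (for this thread: /tmp/AD_Server.crt).

# split_pem_chain BUNDLE OUTDIR [PREFIX]
# Writes OUTDIR/PREFIX-01.pem, OUTDIR/PREFIX-02.pem, ... and prints the count
# on stdout (0 if the bundle held no certificate at all).
split_pem_chain() {
    bundle=$1; outdir=$2; prefix=${3:-cert}
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; inside = 1
            out = sprintf("%s/%s-%02d.pem", dir, pfx, n)
        }
        inside { print > (out) }                    # copy the block verbatim
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# last_cert_in_chain OUTDIR PREFIX
# The server sends its chain leaf first, so the last block is the topmost CA
# it presented: that, not the leaf, is the certificate to trust as an anchor.
last_cert_in_chain() {
    ls "$1/$2"-[0-9][0-9].pem 2>/dev/null | sort | tail -n 1
}

# describe_cert FILE
# Subject, issuer and SHA-256 fingerprint, to compare against what the AD
# administrators say the server should present (needs openssl in the image).
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Typical use in the Dockerfile build, per the reply above (not run here):
#   split_pem_chain /tmp/AD_Server.crt /opt/grouper/certs/anchors AD_Server
#   describe_cert "$(last_cert_in_chain /opt/grouper/certs/anchors AD_Server)"
#   /bin/update-ca-trust
```

The same per-certificate files can be fed to keytool one at a time with distinct aliases if the JVM cacerts route is kept instead.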




