grouper-users - Re: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
- From: "Hyzer, Chris" <>
- To: "" <>, David Mak <>, "Murphy, Kellen J. (wfx6yz)" <>
- Subject: Re: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
- Date: Mon, 11 Sep 2023 17:02:54 +0000
I think just drop the cert in /opt/grouper/certs/client and it should work? The anchors is for intermediate certs, right? Though there was a fix, so upgrading to 4.6.0 should help too.
From: <> on behalf of "Murphy, Kellen J. (wfx6yz)" <>
Sent: Monday, September 11, 2023 12:33 PM
To: <>; David Mak <>
Subject: Re: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
Have a look at this: https://spaces.at.internet2.edu/display/Grouper/Grouper+v2.5+container+SSL+trust+management
That should all apply to 4.1.6.
You might try dropping the cert from the openssl s_client command into /opt/grouper/certs/anchors/ and running /bin/update-ca-trust in the Dockerfile instead of your keytool command. That might get you past your issue.
Also... check out the #grouper channel on the InCommon Slack as it's more active and you might get more eyes on the issue. To be added just send a message here: https://incommon.org/help/
Good luck!
Kellen Murphy
he/him/his
Identity Architecture & Solutions Engineer
T +1 (434) 243-7248
University of Virginia
Information Technology Services (ITS)
Michie South
914 Emmet Street N.
P.O. Box 400217
Charlottesville, VA 22903
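Added example (not code from the thread or from the Grouper project) covering David's question 1 and Kellen's suggestion above: the PEM bundle that openssl s_client -showcerts prints holds every certificate in the chain, so this splits it into one file per certificate in the anchors directory before running update-ca-trust. The host:port, the anchors path and the cert-N.pem naming are assumptions; the bundle embedded below is a constructed stand-in, not a real certificate.

```shell
#!/bin/sh
# Example only, not the thread's or the Grouper project's code.
# ANCHOR_DIR follows the path suggested in the thread (assumption).
ANCHOR_DIR="${ANCHOR_DIR:-/opt/grouper/certs/anchors}"

# Print the PEM chain a TLS server sends, e.g. AD_Server.example.com:636.
fetch_chain() {
    openssl s_client -connect "$1" -showcerts 2>/dev/null </dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle on stdin into "$1"/cert-N.pem, one certificate per file,
# and print how many certificates were written.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-END CERTIFICATE-/ { inblock = 0; close(out) }
        END { print n + 0 }'
}

# Fetch, split into the anchors directory, then rebuild the system trust
# store as the thread suggests (run inside the container or a Dockerfile RUN).
install_anchors() {
    count=$(fetch_chain "$1" | split_chain "$ANCHOR_DIR")
    echo "installed $count certificate(s) into $ANCHOR_DIR"
    /bin/update-ca-trust
}

# Constructed sample bundle with two placeholder blocks, standing in for the
# two certificates openssl returned in the thread. Not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
CONSTRUCTEDSAMPLE1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSAMPLE2
-----END CERTIFICATE-----'

# Usage: ANCHOR_DIR=/opt/grouper/certs/anchors ./chain.sh AD_Server.example.com:636
[ -n "${1:-}" ] && install_anchors "$1"
```

Check each extracted file with openssl x509 -noout -subject -issuer before trusting it, and confirm the last one really is the CA the AD server's certificate chains to.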
From: <> on behalf of "David Mak" <>
Sent: Monday, September 11, 2023 10:44 AM
To: <>
Subject: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
Greetings.
In need of some advice on configuring Grouper 4.1.6 running in a Docker environment with an External Systems configuration to connect to an Active Directory server.
The server is configured with a self-signed SSL certificate/CA cert, which is extracted via the following command:
openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Configured in our Dockerfile with something along the lines of:
RUN openssl s_client -connect AD_Server.example.com:636 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/AD_Server.crt
RUN keytool -importcert -trustcacerts -cacerts -noprompt -storepass changeit -file /tmp/AD_Server.crt -alias AD_Server
Connecting to the resultant container with a bash shell shows that the certificate chain was successfully added, as verified with "keytool -list", but attempts to test the connection from the Grouper UI result in:
Caused by: [org.ldaptive.OperationException@140546312::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: simple bind failed: AD_Server.example.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed], providerException=javax.naming.CommunicationException: simple bind failed: AD_Server.example.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]]
And indeed, a tcpdump on the host running Docker shows the connection is closed due to an SSL handshake issue:
4 0.010043 MYHOSTIP ADHOSTIP TLSv1.2 560 Client Hello
5 0.028978 ADHOSTIP MYHOSTIP TLSv1.2 4381 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7 0.030552 MYHOSTIP ADHOSTIP TLSv1.2 73 Alert (Level: Fatal, Description: Certificate Unknown)
8 0.030686 MYHOSTIP ADHOSTIP TCP 66 60236 → 636 [FIN, ACK] Seq=502 Ack=4316 Win=64128 Len=0 TSval=3083478926 TSecr=2697297744
Questions:
1) Is it the cacerts file in the JDK that I should be installing the certs into? I even tried manually separating the certs into two files (openssl returns two), using two separate Docker COPY commands to put them into separate files, and importing them with unique aliases using two different RUN keytool commands, but I get the same tcpdump behavior.
2) Is there documentation on connecting Grouper external systems with "custom" configurations such as self-signed certs, etc.?
Thanks in advance for any advice.