dwimberger / crowd-ldap-server

Implementation of an LDAP server that delegates authentication to an Atlassian Crowd installation using the Crowd REST API.
Apache License 2.0

SSL and authentication questions #12

Open jbartelt9 opened 10 years ago

jbartelt9 commented 10 years ago

(1) One of my colleagues just installed this, but ldaps does not seem to work at all. When I try to use ldaps I get this error:

```
[16:23:35] ERROR [org.apache.directory.shared.asn1.ber.grammar.AbstractGrammar] - ERR_00001 Bad transition from state START_STATE, tag 0x80
[16:23:35] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
org.apache.mina.filter.codec.ProtocolDecoderException: org.apache.directory.shared.ldap.message.ResponseCarryingMessageException: ERR_00002 Bad transition !
```

(2) Our primary purpose of setting this up was to use it as an authentication source, not authorization. However the wiki also says: "Authentication can only be achieved through a BIND operation." What does that mean? That it isn't really usable for authentication?

Thanks for any help.

dwimberger commented 10 years ago

@ 1) Could you share your configuration details (without your secrets)? The error sounds like SSL was not enabled, or like the LDAPS connection talks to a non SSL listener.

@ 2) It means that you cannot retrieve the secrets (usually stored as hashes) through the server to compare them yourself against a hash you produce yourself from the password.

Yes you can authenticate, the BIND is the standard operation. However, some products work differently (retrieving the hashes as described before) and these are not supported. Therefore I made the note in the Wiki :)

jbartelt9 commented 10 years ago

On Wed, 15 Jan 2014, dwimberger wrote:

> @1) Could you share your configuration details (without your secrets)? The error sounds like SSL was not enabled, or like the LDAPS connection talks to a non SSL listener.

Here is our 'crowd-ldap-server.properties'. Let me know if there is anything else that would be of use.

```properties
# Crowd LDAP Server Configuration
listener.port=636

# LDAPS
ssl.enabled=false

ssl.enabled=true ssl.keystore=/u1/cert/keystore/crowd-new.keystore ssl.certificate.password=ZZZZZZZZ

ssl.keystore=/u1/cert/keystore/crowd-ldap-server.keystore
ssl.certificate.password=changeit
```

> @2) It means, that you cannot retrieve the secrets (usually stored as hashes) through the server to compare them yourself against a hash you produce yourself from the password.
>
> Yes you can authenticate, the BIND is the standard operation. However, some products work differently (retrieving the hashes as described before) and these are not supported. Therefore I made the note in the Wiki :)

Thanks, I'll have to see if that will work with the app I am trying to deploy.

John

jbartelt9 commented 10 years ago

Here is another error message I get on the client side:

additional info: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

dwimberger commented 10 years ago

John:

Your error messages somehow indicate that there is no SSL response from the server. So either the client is connecting to the wrong server or the server startup is going wrong and only a normal listener is started on the port.

Two things that come to mind: 1) Have you checked if https://github.com/dwimberger/crowd-ldap-server/blob/master/testAuthSSL.sh works for you? (You will need to adjust the port). 2) If 1) doesn't work: Could you post startup log entries for your SSL enabled configuration?

Regards, Dieter
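Dieter's diagnosis above is that the client never gets a TLS response from the port. The following is an added example (not code from crowd-ldap-server) that makes the two error messages in this thread concrete: the server log says it "sends a disconnect notice", which is a plaintext LDAP Notice of Disconnection (a BER SEQUENCE starting with 0x30), and an OpenSSL client that receives that instead of a TLS record (0x16 0x03 ...) reports "unknown protocol". The sample bytes are constructed here, not captured from the reporter's server.

```python
# Constructed sample (added example, not a capture from the thread): the unsolicited
# Notice of Disconnection a plaintext LDAP listener returns when what it reads (a TLS
# ClientHello) is not a valid BER LDAPMessage.
NOTICE_OF_DISCONNECTION = "1.3.6.1.4.1.1466.20036"

def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a short-form length (every body here is under 128 bytes)."""
    return bytes([tag, len(body)]) + body

SAMPLE_DISCONNECT = ber(0x30,                                   # LDAPMessage SEQUENCE
    ber(0x02, b"\x00")                                          # messageID 0 (unsolicited)
    + ber(0x78,                                                 # [APPLICATION 24] ExtendedResponse
          ber(0x0A, b"\x02") + ber(0x04, b"") + ber(0x04, b"")  # resultCode protocolError(2), matchedDN, errorMessage
          + ber(0x8A, NOTICE_OF_DISCONNECTION.encode())))       # [10] responseName

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back to a TLS ClientHello."""
    if data[:2] == b"\x16\x03":
        return "tls"      # TLS handshake record: the port really speaks TLS
    if data[:1] == b"\x30":
        return "ldap"     # BER SEQUENCE: plaintext LDAP; OpenSSL reports "unknown protocol"
    return "unknown"

def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, buf[start:start + length], start + length

def parse_disconnect_notice(data: bytes) -> dict:
    """Decode an LDAP Notice of Disconnection; ValueError for anything else."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _tlv(op, 0)                    # resultCode
    _, _, pos = _tlv(op, pos)                   # matchedDN (skipped)
    _, _, pos = _tlv(op, pos)                   # errorMessage (skipped)
    name = None
    while pos < len(op):                        # optional [10] responseName, [11] responseValue
        t, v, pos = _tlv(op, pos)
        if t == 0x8A:
            name = v.decode("ascii")
    if name != NOTICE_OF_DISCONNECTION:
        raise ValueError("not a Notice of Disconnection")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc[0], "response_name": name}
```

To use this against a live port, connect with a raw socket, send a ClientHello (or simply any TLS client's first record), and pass whatever comes back to `classify_reply`; a listener whose reply decodes with `parse_disconnect_notice` is a plain LDAP listener, which is the situation described in this thread.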

jbartelt9 commented 10 years ago

On Tue, 28 Jan 2014, dwimberger wrote:

> John:
>
> Your error messages somehow indicate that there is no SSL response from the server. So either the client is connecting to the wrong server or the server startup is going wrong and only a normal listener is started on the port.
>
> Two things that come to mind: 1) Have you checked if https://github.com/dwimberger/crowd-ldap-server/blob/master/testAuthSSL.sh works for you? (You will need to adjust the port).

Yes, we tried that first thing. That is one of the ways we knew SSL was not working.

> 2) If 1) doesn't work: Could you post startup log entries for your SSL enabled configuration?

Here:

```
[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Configuration directory: /u1/product/atlassian/apps/crowd-ldap-server/crowd-ldap-server-1.0.1/etc
[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Starting up CrowdLDAP Server
[11:03:26] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Working directory: /u1/product/atlassian/apps/crowd-ldap-server/crowd-ldap-server-1.0.1/work
[11:03:26] DEBUG [net.wimpi.crowd.ldap.CrowdLDAPServer] - Loading configuration.
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdLDAPServer] - org.apache.directory.server.core.authn.AuthenticationInterceptor@62816281
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - ==> CrowdPartition::init
[11:03:28] INFO [net.wimpi.crowd.ldap.CrowdPartition] - Initializing CrowdPartition with m_Suffix dc=crowd
[11:03:28] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - <== CrowdPartition::init
[11:03:29] ERROR [org.apache.directory.shared.ldap.entry.DefaultServerAttribute] - ERR_04450 The value {0} is incorrect, it hasnt been added
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=referral), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=accessControlSubentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=subentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - search((dn=0.9.2342.19200300.100.1.25=crowd, filter=(objectClass=triggerExecutionSubentry), scope=sub)
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - findSubTree()::dn=0.9.2342.19200300.100.1.25=crowd
[11:03:29] DEBUG [net.wimpi.crowd.ldap.CrowdPartition] - Name=crowd
[11:03:29] INFO [net.wimpi.crowd.ldap.CrowdLDAPServer] - Starting directory listener...
```

thanks, John