google-code-export / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

Error when binding to ldaps from Active Directory #85

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Import CA certificate from your Windows CA
2. Configure LDAPS authentication.
3. Try to login

What is the expected output? What do you see instead?

User should be able to login, but an "Invalid Login" popup appears.

What version of the product are you using? On what operating system?

1.2.1, RHEL 5.8, Java 1.6

Please provide any additional information below.

After enabling debug logging, I get the following error messages:

2013-06-17 14:22:09,884 DEBUG [http-9793-Processor24]: ldap filter=(&(objectclass=person)(sAMAccountName=XXXXXX7))
2013-06-17 14:22:10,048 DEBUG [http-9793-Processor24]: ldap error authenticating: simple bind failed: xx.xx.xx.xx:636; nested exception is javax.naming.CommunicationException: simple bind failed: xx.xx.xx.xx:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]
2013-06-17 14:22:10,048 DEBUG [http-9793-Processor24]: LdapAuthenticator: login success for XXXXXX7? false

Original issue reported on code.google.com by jnd...@gmail.com on 17 Jun 2013 at 7:46
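An added example for reading the error above; it is not part of the original issue or of the webpasswordsafe project. OID 2.5.29.17 is id-ce-subjectAltName, so the Java exception is saying that the certificate the LDAPS server presented marks its Subject Alternative Name extension as critical and the certificate code would not accept it. The script below builds a constructed self-signed certificate with a critical SAN (the hostname dc01.example.test is an assumption) and then lists which X509v3 extensions a certificate marks critical; the same `critical_extensions` function can be pointed at the certificate a domain controller actually serves (for example one saved from `openssl s_client -connect host:636 -showcerts`).

```shell
#!/bin/sh
# Added example, not from the webpasswordsafe project: map Java's
# "unsupported critical extensions: [<oid>]" to an extension name and list
# which X509v3 extensions a certificate marks critical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# id-ce OIDs as printed by java.security.cert.CertificateException.
oid_name() {
    case "$1" in
        2.5.29.15) echo "keyUsage" ;;
        2.5.29.17) echo "subjectAltName" ;;
        2.5.29.19) echo "basicConstraints" ;;
        2.5.29.37) echo "extKeyUsage" ;;
        *)         echo "unknown ($1)" ;;
    esac
}

# Constructed sample: a self-signed cert whose subjectAltName is marked
# critical, the condition the reporter's error names. The hostname is an
# assumption. Prints the path of the PEM file. Needs OpenSSL 1.1.1+ (-addext).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dc01.example.test" \
        -addext "subjectAltName=critical,DNS:dc01.example.test" \
        -keyout "$WORK/dc01.key" -out "$WORK/dc01.pem" 2>/dev/null
    printf '%s\n' "$WORK/dc01.pem"
}

# One line per X509v3 extension header in "openssl x509 -text" output, as
# "<name>|critical" or "<name>|non-critical". A critical header reads
# "X509v3 Subject Alternative Name: critical"; a non-critical one ends at
# the colon. Headers openssl prints without the "X509v3" prefix are skipped.
critical_extensions() {
    openssl x509 -in "$1" -noout -text \
      | sed -n 's/^ *\(X509v3 [A-Z][^:]*\):\( *critical\)\{0,1\} *$/\1|\2/p' \
      | sed 's/| *critical$/|critical/; s/|$/|non-critical/'
}

# Stand-alone run: show the sample's extensions and decode the OID from the log.
CERT="$(make_sample_cert)"
critical_extensions "$CERT"
echo "2.5.29.17 = $(oid_name 2.5.29.17)"
```

On the sample the SAN line comes back as `X509v3 Subject Alternative Name|critical`; run against a real server certificate, a `|critical` on that line is the condition the exception in the log refers to, while `|non-critical` points the investigation elsewhere (for instance at which keystore Tomcat's JVM is actually reading).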

GoogleCodeExporter commented 9 years ago
Are you using Tomcat?  Did you install the certificate into the Java keystore 
that Tomcat is using?  It is a little unclear exactly what you did in your 
first step above.

Original comment by joshdrum...@gmail.com on 30 Jun 2013 at 2:16

GoogleCodeExporter commented 9 years ago
Yes, using Tomcat.

I did install the certificate (which comes from our own CA).

Same config without SSL works, but with the issue that existing users configured in 
WebPasswordSafe and existing in AD are able to log in without a password.

Original comment by jnd...@gmail.com on 30 Jun 2013 at 5:09

GoogleCodeExporter commented 9 years ago
Sounds like this issue: 
http://forum.springsource.org/showthread.php?42510-LDAPS-External-Certificate-contains-unsupported-critical-extensions-2-5-29-17 
(I don't have an active directory server to test with).

As for the no password issue, do you allow anonymous binds on your AD?

Original comment by joshdrum...@gmail.com on 2 Jul 2013 at 6:02

GoogleCodeExporter commented 9 years ago
You're right. Looks like it.

As for the anonymous binds, I'm not the admin of the AD. However, we do have 
other products (web applications) that authenticate against the AD and do not 
have this problem. I'll check with them.

Thanks!

Original comment by jnd...@gmail.com on 2 Jul 2013 at 2:46