LDAP: UnknownHostException


tnbreitkreutz

Jul 15, 2019, 10:57:45 AM
to CAS Community
Hi,

I've been trying to get CAS 6 with LDAP working for a while now, and in the absence of a good, complete tutorial or walkthrough for beginners I'm quite disenchanted.

Currently I'm back to trying to build a working instance locally as deploying is way too time-consuming, as it keeps throwing errors.

Gradle build looks good. But sadly I found nothing really helpful in the docs.

What could be the solution here? Just can't reach the LDAP for whatever reason, missing cert inside the keystore or so?

Error message:

2019-07-15 14:24:39,543 DEBUG [org.ldaptive.provider.jndi.JndiConnectionFactory] - <Error connecting to LDAP URL: ldaps://adlocal.lan:636>
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: adlocal.lan:636 [Root exception is java.net.UnknownHostException: adlocal.lan]

cas.properties:

cas.server.prefix=${cas.server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml

# logging.level.org.apereo=DEBUG
cas.authn.accept.users=
# cas.authn.accept.credentialCriteria=

## KEYSTORE
# cas.authn.attributeRepository.ldap.keystore=file:/etc/cas/config/thekeystore
# cas.authn.attributeRepository.ldap.keystorePassword=*********
# cas.authn.attributeRepository.ldap.keystoreType=JKS|JCEKS|PKCS12

## LDAP
cas.authn.ldap[0].name=adlocal.lan
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://adlocal.lan:636
cas.authn.ldap[0].baseDn=DC=adlocal,DC=lan
cas.authn.ldap[0].dnFormat=CN=%s,DC=adlocal,DC=lan
# cas.authn.ldap[0].bindDn=*
# cas.authn.ldap[0].bindCredential=*
# cas.authn.ldap[0].minPoolSize=1
# cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=PT5M
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=PT10M
cas.authn.ldap[0].prunePeriod=PT2M
cas.authn.ldap[0].blockWaitTime=PT3S
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}

## INMEMORY TICKET REGISTRY (TEMPORARY)
cas.ticket.registry.inMemory.cache=true
cas.ticket.registry.inMemory.loadFactor=1
cas.ticket.registry.inMemory.concurrency=20
cas.ticket.registry.inMemory.initialCapacity=1000


David Malia

Jul 15, 2019, 11:42:36 AM
to cas-...@apereo.org
What the exception is really saying is that there is no known server with the name "adlocal.lan"

If "nslookup adlocal.lan" doesn't return the IP of the server, you have some networking you might need to change or change the ldap URL to a resolvable address.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/97f6dd77-5d77-4bfa-80fc-073bfbaa496b%40apereo.org.

tnbreitkreutz

Jul 22, 2019, 9:42:48 AM
to CAS Community
Hi,

In the development environment the error is gone. Maybe the LDAP had some issues while I was trying to connect. Whatever.

I created a new project and took some of the old config, some not, but I'm still getting an error.


Error message is attached in file ad-error.txt (it's quite long...).

cas.authn.ldap[0].type is set to AD or AUTHENTICATED.

Certificates were imported to the cacerts key-/truststore in $JAVA_HOME/jre/lib/security while building the required docker image.


[...]
COPY extra/certs/cacert.crt $JAVA_HOME/jre/lib/security/cacert.crt
COPY extra/certs/ssl.crt $JAVA_HOME/jre/lib/security/ssl.crt

RUN $JAVA_HOME/bin/keytool -import -trustcacerts \
    -keystore $JAVA_HOME/jre/lib/security/cacerts \
    -storepass changeit -file $JAVA_HOME/jre/lib/security/cacert.crt -alias cacert -noprompt && \
    $JAVA_HOME/bin/keytool -import \
    -keystore $JAVA_HOME/jre/lib/security/cacerts \
    -storepass changeit -file $JAVA_HOME/jre/lib/security/ssl.crt -alias ssl -noprompt
[...]


cas.properties:

cas.server.name=https://${dns}
cas.server.prefix=${cas.server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml

cas.authn.accept.users=

cas.authn.ldap[0].name=${ldapDomain}
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=${ldapUrl}
cas.authn.ldap[0].baseDn=${ldapBaseDn}
cas.authn.ldap[0].validatePeriod=PT5M
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=PT5M
cas.authn.ldap[0].failFast=false
cas.authn.ldap[0].idleTime=PT10M
cas.authn.ldap[0].prunePeriod=PT2M
cas.authn.ldap[0].blockWaitTime=PT3S
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].dnFormat=CN=%s,OU=Users,DC=active-directory,DC=lan

cas.ticket.registry.inMemory.cache=true
cas.ticket.registry.inMemory.loadFactor=1
cas.ticket.registry.inMemory.concurrency=20
cas.ticket.registry.inMemory.initialCapacity=1000

Is there something that I still might have overlooked?
Attachment: ad-error.txt

Warren White

Aug 12, 2019, 6:05:58 PM
to CAS Community
A couple of things come to light:
[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Which would indicate either the cert is not imported correctly, or Tomcat server.xml is pointing to a different keystore.

ldapUrl=ldaps://active-directory.lan:636
The above is from your ad-error.txt, which indicates a different server name than in your config: active-directory.lan:636 vs adlocal.lan:636

I set up 6.0.0 a few months ago with the following:
Tomcat server.xml connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" address="DEV_SERVER_IP"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/ssl/private/.keystore"
           keystorePass="MY_KEYSTORE_PASS"
/>


I used a different keystore and location than default JAVA_HOME, because of similar issues as you.

Then in /etc/cas/config, I have the following files: cas.properties, application-standalone.properties, and ldap.properties.
I am using type AD
Here is the minimal LDAP config I used to get it to work for me:
# LDAP/Active Directory
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].ldapUrl=ldaps://...
cas.authn.ldap[0].baseDn=dc=...,dc=...,dc=...
cas.authn.ldap[0].bindDn=cn=...,ou=...,ou=...,dc=...,dc=...,dc=...
cas.authn.ldap[0].bindCredential=...
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].dnFormat=%s@...
cas.authn.ldap[0].principalAttributePassword=password

I also have in my config the following, which I cannot remember why I have in the config, but it works for my setup on the development machine:
cas.tgc.crypto.encryption.key=SOME_KEY_STRING
cas.tgc.crypto.signing.key=SOME_BIG_KEY_STRING
cas.tgc.httpOnly=false
cas.webflow.crypto.signing.key=ANOTHER_KEY_STRING
cas.webflow.crypto.encryption.key=ANOTHER_STRING
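A small pre-flight check, added here as an example (not code from the thread or from CAS), that walks the stages behind the two errors above in order: DNS resolution of the host in ldapUrl (the UnknownHostException in the first post), TCP connect, and the TLS handshake verified against a CA bundle (the PKIX path building failure from ad-error.txt). It assumes the CA that was imported into cacerts is also available as a PEM file to pass as cafile; the hostname defaults to the thread's own adlocal.lan.

```python
import socket
import ssl
from urllib.parse import urlparse


def parse_ldap_url(url):
    """Return (host, port, use_tls) for an ldap:// or ldaps:// URL."""
    p = urlparse(url)
    if p.scheme not in ("ldap", "ldaps") or not p.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    use_tls = p.scheme == "ldaps"
    return p.hostname, p.port or (636 if use_tls else 389), use_tls


def classify_failure(exc):
    """Name the failed stage after the Java exception CAS logs for it."""
    if isinstance(exc, socket.gaierror):
        return "dns"      # java.net.UnknownHostException
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust"    # SSLHandshakeException: PKIX path building failed
    if isinstance(exc, ssl.SSLError):
        return "tls"      # handshake failed for another reason (protocol/cipher)
    if isinstance(exc, OSError):
        return "connect"  # refused, timed out, unreachable
    return "other"


def check_ldap_url(url, cafile=None, timeout=5.0):
    """Resolve, connect and (for ldaps) verify the server chain against cafile,
    a PEM bundle with the same CA that was imported into cacerts (assumed)."""
    host, port, use_tls = parse_ldap_url(url)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if not use_tls:
            sock.close()
            return {"ok": True, "stage": "done", "detail": "plain LDAP port reachable"}
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return {"ok": True, "stage": "done",
                    "detail": f"chain trusted, issuer CN={issuer.get('commonName')}"}
    except Exception as exc:
        return {"ok": False, "stage": classify_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    import sys  # usage: check_ldap.py ldaps://adlocal.lan:636 [ca-bundle.pem]
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldap_url(sys.argv[1] if len(sys.argv) > 1 else "ldaps://adlocal.lan:636", cafile))
```

The trust decision for CAS's outbound LDAPS connection is made against the JVM truststore (cacerts by default) or the LDAP-specific trust settings, not against the keystore named in the Tomcat connector, which only holds the server certificate for the HTTPS port.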
