Broken LDAP authentication after update


Olivier Nicole

Nov 18, 2015, 10:59:02 PM
to dspac...@googlegroups.com
Hi,

I updated my server from FreeBSD 9.2 to FreeBSD 10.2. At the same time I
updated Apache from 2.2 to 2.4 and upgraded tomcat from 8.0.12 to
8.0.24.

DSpace is still 4.2, I did not change anything, just moved the disk from
one server to the other (not copied, but physically moved the disk).

DSpace is working fine except LDAP authentication: the username/password
are refused. It generates no error in tomcat logs.

I even suspect it does not attempt any LDAP authentication, because
there is nothing in the logs of the LDAP server.

I suspect that I am missing a piece in tomcat, a plugin, a module,
something like that, but with no error message I am at a loss. Help is
very much welcome.

TIA,

Olivier
--

helix84

Nov 19, 2015, 5:53:11 AM
to Olivier Nicole, DSpace Technical Support
I would:

1) tail -f dspace.log, try to log into dspace using ldap and watch for
any useful log messages

2) if that doesn't help, capture network communication between your
dspace and ldap server:
dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
user@local:~$ wireshark output.cap
This may help reveal a) whether there's any communication at all and b)
any responses from the LDAP server that might fail to show up in the
dspace log.


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

Andrea Schweer

Nov 19, 2015, 3:04:44 PM
to hel...@centrum.sk, Olivier Nicole, DSpace Technical Support
In addition to what helix84 suggests, I'd also try making an LDAP
connection from the DSpace server via the command line (ldapsearch),
using the exact same credentials as you've set up in dspace.cfg. Just in
case this is a firewall issue. Though I guess Ivan's step 2 would tell
you that too.

cheers,
Andrea
--
Dr Andrea Schweer
IRR Technical Specialist, ITS Information Systems
The University of Waikato, Hamilton, New Zealand
+64-7-837 9120

Olivier Nicole

Nov 20, 2015, 1:47:46 AM
to hel...@centrum.sk, dspac...@googlegroups.com
Dear Helix,

> 1) tail -f dspace.log, try to log into dspace using ldap and watch for
> any useful log messages

Thank you, that did it.

In dspace.log I had:

2015-11-20 11:16:23,558 WARN org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:ldap_authentication:type=failed_auth javax.naming.CommunicationException: anonymous bind failed: ldap.cs.ait.ac.th:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2015-11-20 11:16:23,558 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:failed_login:no DN found for user turlututucvb

From the error "PKIX path building failed" I managed to google that my
self signed CA was missing in Java keystore.

I had overlooked the fact that OpenJDK was also upgraded and that the
keystore was overwritten, I had to use keytool to import my own CA again.

> 2) if that doesn't help, capture network communication between your
> dspace and ldap server:
> dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
> user@local:~$ wireshark output.cap
> This may help reveal a) whether there's any communication at all and b)
> any responses from the LDAP server that might fail to show up in the
> dspace log.

That, I tried, but that is not easy to follow because DSpace LDAP is
mixed up with all other LDAP connections on that same machine.

Best regards,

Olivier
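The two diagnostic steps in this thread, helix84's "watch dspace.log" and Andrea's "make the connection from the DSpace host yourself", can be scripted so the root cause is surfaced instead of read by eye. The following is an added example, not DSpace code and not posted by anyone in the thread. It parses the `org.dspace.authenticate.LDAPAuthentication` lines DSpace 4.x writes on a failed bind, peels the nested Java `[Root exception is ...]` chain, and maps the innermost message to the layer that failed (truststore, network, credentials). The sample lines are the two lines Olivier posted above (with the `\colon;` extraction debris restored to `:`); the substring signatures in `CAUSES` and the helper names are my own assumptions. `check_ldaps_trust` reproduces the same distinction live with a TLS handshake from the standard library, so a missing CA (`trust`) is not confused with a firewall problem (`network`).

```python
"""Triage DSpace LDAP authentication failures from dspace.log (added example)."""
import re
import socket
import ssl

# Constructed from the two lines quoted in the thread.
SAMPLE_LOG = [
    "2015-11-20 11:16:23,558 WARN org.dspace.authenticate.LDAPAuthentication @ "
    "anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:"
    "ldap_authentication:type=failed_auth javax.naming.CommunicationException: "
    "anonymous bind failed: ldap.cs.ait.ac.th:636 [Root exception is "
    "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: "
    "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target]",
    "2015-11-20 11:16:23,558 INFO org.dspace.authenticate.LDAPAuthentication @ "
    "anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:"
    "failed_login:no DN found for user turlututucvb",
]

# DSpace 4.x log layout: "<timestamp> <LEVEL> <logger> @ <user>:<session>:<ip>:<action>:<extra>"
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) (?P<level>\w+) (?P<logger>\S+) @ (?P<ctx>.*)$")

# Assumed signatures: substrings of the JDK/JNDI exception text and the check they point at.
CAUSES = [
    ("PKIX path building failed", "trust",
     "JVM truststore lacks the LDAP server's CA; re-import it with keytool after a JDK upgrade"),
    ("Connection refused", "network", "TCP connect refused; check ldap.provider_url and the firewall"),
    ("Connection timed out", "network", "No answer from the host; firewall or wrong address"),
    ("Invalid Credentials", "credentials", "Bind DN or password in dspace.cfg rejected by the directory"),
]


def parse_line(line):
    """Split one dspace.log line into its fields, or return None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.group("ctx").split(":", 4)  # ip_addr holds no ':' for IPv4, so 4 splits suffice
    if len(fields) < 5:
        return None
    user, session, ip, action, extra = fields
    return {"ts": m.group("ts"), "level": m.group("level"), "logger": m.group("logger"),
            "user": user, "session": session.replace("session_id=", ""),
            "ip": ip.replace("ip_addr=", ""), "action": action, "extra": extra}


def parse_exception_chain(msg):
    """Return the Java exception messages outermost first, peeling '[Root exception is ...]'."""
    chain = []
    while msg:
        m = re.search(r"\[Root exception is (.*)\]$", msg)  # greedy: innermost bracket last
        if not m:
            chain.append(msg.strip())
            break
        chain.append(msg[: m.start()].strip())
        msg = m.group(1)
    return chain


def classify(text):
    """Map exception text to (category, next check); 'unknown' when no signature matches."""
    for needle, category, advice in CAUSES:
        if needle in text:
            return category, advice
    return "unknown", "Read the whole chain; if the log is silent, capture traffic with tshark"


def triage(lines):
    """One finding per failed bind, with same-session follow-on symptoms attached.

    The INFO 'failed_login:no DN found' line is a consequence of the failed bind,
    so it is reported under the bind failure rather than as a separate problem.
    """
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    findings = []
    for rec in records:
        if rec["action"] != "ldap_authentication" or not rec["extra"].startswith("type=failed_auth"):
            continue
        chain = parse_exception_chain(rec["extra"].partition(" ")[2])
        category, advice = classify(" ".join(chain))
        followups = [r["action"] + ":" + r["extra"] for r in records
                     if r["session"] == rec["session"] and r["action"] == "failed_login"]
        findings.append({"ts": rec["ts"], "ip": rec["ip"], "session": rec["session"],
                         "chain": chain, "category": category, "advice": advice,
                         "followups": followups})
    return findings


def check_ldaps_trust(host, port=636, cafile=None, timeout=5):
    """Handshake with the LDAPS port and report which layer fails: 'ok', 'trust' or 'network'.

    cafile=None uses the OS bundle, which mimics an OpenJDK cacerts that lacks a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "trust"
    except (OSError, ssl.SSLError):
        return "network"


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["category"], "->", finding["advice"])
        print("  root cause:", finding["chain"][-1])
```

Run it as `python triage_ldap.py` after pasting fresh lines into `SAMPLE_LOG`, or call `check_ldaps_trust("ldap.example.invalid", cafile="/path/to/your-ca.pem")` from the DSpace host: `trust` with the OS bundle but `ok` with your CA file is exactly the overwritten-keystore situation in this thread.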

Olivier Nicole

Nov 20, 2015, 1:48:50 AM
to Andrea Schweer, hel...@centrum.sk, dspac...@googlegroups.com
Andrea,

> In addition to what helix84 suggests, I'd also try making an LDAP
> connection from the DSpace server via the command line (ldapsearch),
> using the exact same credentials as you've set up in dspace.cfg. Just in
> case this is a firewall issue. Though I guess Ivan's step 2 would tell
> you that too.

Thanks. I had tried that before, I could ssh to the server (and my account
is on LDAP).

Best regards,

Olivier