Broken LDAp authentication after update
245 views
Skip to first unread message
Olivier Nicole
Nov 18, 2015, 10:59:02 PM11/18/15
to dspac...@googlegroups.com
Hi,
I updated my server from freeBSD 9.2 to FreeBSD 10.2. At the same time I
updated Apache from 2.2 to 2.4 and upgraded tomcat from 8.0.12 to
8.0.24.
DSpace is still 4.2, I did not change anything, just moved the disk from
one server to the other (not copied, but physically moved the disk).
DSpace is working fine except LDAP authentication: the username/password
are refused. It generates no error in tomcat logs.
I even suspect it does not attempts any LDAP authentication, because
there is nothing in the logs of the LDAP server.
I suspect that I am missing a pice in tomcat, a plugin, a module,
something like that, but with no error message I am at lost. Help is
very much welcome.
TIA,
Olivier
--
I updated my server from freeBSD 9.2 to FreeBSD 10.2. At the same time I
updated Apache from 2.2 to 2.4 and upgraded tomcat from 8.0.12 to
8.0.24.
DSpace is still 4.2, I did not change anything, just moved the disk from
one server to the other (not copied, but physically moved the disk).
DSpace is working fine except LDAP authentication: the username/password
are refused. It generates no error in tomcat logs.
I even suspect it does not attempts any LDAP authentication, because
there is nothing in the logs of the LDAP server.
I suspect that I am missing a pice in tomcat, a plugin, a module,
something like that, but with no error message I am at lost. Help is
very much welcome.
TIA,
Olivier
--
helix84
Nov 19, 2015, 5:53:11 AM11/19/15
to Olivier Nicole, DSpace Technical Support
I would:
1) tail -f dspace.log, try to log into dspace using ldap and watch for
any useful log messages
2) if that doesn't help, capture network communication between your
dspace and ldap server:
dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
user@local:~$ wireshark output.cap
This may help reval a) whether there's any communication at all and b)
any responses from the LDAP server that might fail to show up in the
dspace log.
Regards,
~~helix84
Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
1) tail -f dspace.log, try to log into dspace using ldap and watch for
any useful log messages
2) if that doesn't help, capture network communication between your
dspace and ldap server:
dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
user@local:~$ wireshark output.cap
This may help reval a) whether there's any communication at all and b)
any responses from the LDAP server that might fail to show up in the
dspace log.
Regards,
~~helix84
Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Andrea Schweer
Nov 19, 2015, 3:04:44 PM11/19/15
to hel...@centrum.sk, Olivier Nicole, DSpace Technical Support
In addition to what helix84 suggests, I'd also try making an LDAP
connection from the DSpace server via the command line (ldapsearch),
using the exact same credentials as you've set up in dspace.cfg. Just in
case this is a firewall issue. Though I guess Ivan's step 2 would tell
you that too.
cheers,
Andrea
--
Dr Andrea Schweer
IRR Technical Specialist, ITS Information Systems
The University of Waikato, Hamilton, New Zealand
+64-7-837 9120
connection from the DSpace server via the command line (ldapsearch),
using the exact same credentials as you've set up in dspace.cfg. Just in
case this is a firewall issue. Though I guess Ivan's step 2 would tell
you that too.
cheers,
Andrea
Dr Andrea Schweer
IRR Technical Specialist, ITS Information Systems
The University of Waikato, Hamilton, New Zealand
+64-7-837 9120
Olivier Nicole
Nov 20, 2015, 1:47:46 AM11/20/15
to hel...@centrum.sk, dspac...@googlegroups.com
Dear Helix,
> 1) tail -f dspace.log, try to log into dspace using ldap and watch for
> any useful log messages
Thank you, that did it.
In dspace.log I had:
2015-11-20 11:16:23,558 WARN org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:ldap_authentication:type=failed_auth javax.naming.CommunicationException\colon; anonymous bind failed\colon; ldap.cs.ait.ac.th\colon;636 [Root exception is javax.net.ssl.SSLHandshakeException\colon; sun.security.validator.ValidatorException\colon; PKIX path building failed\colon; sun.security.provider.certpath.SunCertPathBuilderException\colon; unable to find valid certification path to requested target]
2015-11-20 11:16:23,558 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:failed_login:no DN found for user turlututucvb
From the error "PKIX path building failed" I managed to google that my
self signed CA was missing in Java keystore.
I had overlooked the fact that OpenJDK was also upgraded and that the
keystore was overwritten, I had to use keytool to import my own CA again.
> 2) if that doesn't help, capture network communication between your
> dspace and ldap server:
> dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
> user@local:~$ wireshark output.cap
> This may help reval a) whether there's any communication at all and b)
> any responses from the LDAP server that might fail to show up in the
> dspace log.
That, I tried, but that is not easy to follow because DSpace LDAP is
mixced up with all other LDAP connections on that same machine.
Best regards,
Olivier
> 1) tail -f dspace.log, try to log into dspace using ldap and watch for
> any useful log messages
In dspace.log I had:
2015-11-20 11:16:23,558 WARN org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:ldap_authentication:type=failed_auth javax.naming.CommunicationException\colon; anonymous bind failed\colon; ldap.cs.ait.ac.th\colon;636 [Root exception is javax.net.ssl.SSLHandshakeException\colon; sun.security.validator.ValidatorException\colon; PKIX path building failed\colon; sun.security.provider.certpath.SunCertPathBuilderException\colon; unable to find valid certification path to requested target]
2015-11-20 11:16:23,558 INFO org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=D10A5DFB98065DECE80D197D0E29BCC8:ip_addr=192.41.170.57:failed_login:no DN found for user turlututucvb
From the error "PKIX path building failed" I managed to google that my
self signed CA was missing in Java keystore.
I had overlooked the fact that OpenJDK was also upgraded and that the
keystore was overwritten, I had to use keytool to import my own CA again.
> 2) if that doesn't help, capture network communication between your
> dspace and ldap server:
> dspace@dspace:~$ tshark -i eth0 -p -f "host 1.2.3.4" -w output.cap
> user@local:~$ wireshark output.cap
> This may help reval a) whether there's any communication at all and b)
> any responses from the LDAP server that might fail to show up in the
> dspace log.
mixced up with all other LDAP connections on that same machine.
Best regards,
Olivier
Olivier Nicole
Nov 20, 2015, 1:48:50 AM11/20/15
to Andrea Schweer, hel...@centrum.sk, dspac...@googlegroups.com
Andrea,
> In addition to what helix84 suggests, I'd also try making an LDAP
> connection from the DSpace server via the command line (ldapsearch),
> using the exact same credentials as you've set up in dspace.cfg. Just in
> case this is a firewall issue. Though I guess Ivan's step 2 would tell
> you that too.
Thanks. I had try that before, I could ssh to the server (and my account
is on LDAP).
Best regards,
Olivier
> In addition to what helix84 suggests, I'd also try making an LDAP
> connection from the DSpace server via the command line (ldapsearch),
> using the exact same credentials as you've set up in dspace.cfg. Just in
> case this is a firewall issue. Though I guess Ivan's step 2 would tell
> you that too.
is on LDAP).
Best regards,
Olivier
Reply all
Reply to author
Forward
0 new messages