Using secure LDAP without a certificate


Sean Carte

Nov 12, 2020, 2:34:32 AM
to DSpace Technical Support
I'm trying to configure DSpace-CRIS 5.10 and DSpace 6.3 to use ldaps, but get this error in the log:

2020-11-11 15:05:03,464 WARN  org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=F261C03287498D5AEE67FFE7F53CBCAF:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth javax.naming.CommunicationException: simple bind failed: <server_url>:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

LDAP authentication is working without SSL. All I've changed in the configuration is ldap -> ldaps in the provider_url property.

On the DSpace 6.3 server I've also tried:
authentication-ldap.starttls=true
while leaving the scheme at ldap

That results in the following error:

2020-11-12 09:06:32,112 WARN  org.dspace.authenticate.LDAPAuthentication @ anonymous:session_id=0BD2A90CE7458F21149D8505D76D7E78:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I also tried using ldapsearch and found that that fails on ldaps with the error 'TLS: peer cert untrusted or revoked (0x142)' unless I add the following line to /etc/ldap/ldap.conf:

TLS_REQCERT NEVER

That setting in ldap.conf doesn't seem to have any effect on DSpace; is there a way of telling DSpace to not expect a server certificate? Or is there a better way to get secure LDAP working?

Alan Orth

Nov 12, 2020, 4:23:15 AM
to Sean Carte, DSpace Technical Support
Hi Sean,

I'm using LDAPS on both DSpace 5.8 and 6.3. For DSpace 5 I have the following in my sitename.properties:

ldap.provider_url = ldaps://blahblah.org:636/

For DSpace 6 I have this in my local.cfg:

authentication-ldap.provider_url = ldaps://blahblah.org:636/

I have not configured any STARTTLS parameters in DSpace or the system's ldap.conf. We are using Ubuntu 18.04.

Regards,

--
All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhNZ4oB76KB57%2B4xrWybbOYqDyiytVUjvNTq%2B8%2BoWJWENg%40mail.gmail.com.

Sean Carte

Nov 12, 2020, 6:09:51 AM
to Alan Orth, DSpace Technical Support
Thanks for the response, Alan.

It seems the problem for me is that our ldap (AD) server is using a PKI certificate, which appears to be self-signed. I really don't understand how that works. But from what I've read, that's what's causing the problem.

Mark H. Wood

Nov 12, 2020, 10:43:57 AM
to DSpace Technical Support
/etc/ldap/ldap.conf is not involved in this, because the JVM has its
own LDAP implementation and does not use OpenLDAP.

Whenever you see errors pointing to something like "PKIX path
building," it means that SSL/TLS is validating a certificate but
cannot find a sequence of signer certificates that ends at a
self-signed certificate that it has been told to trust.

In Java, "told to trust" means that that certificate is in
$JRE_HOME/jre/lib/security/cacerts, or some other suitable certificate
database identified by the system property 'javax.net.ssl.trustStore'.
Here's some documentation as a starting point:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores

Also this article might help:

https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find

Here are my own notes on how to install my own CA certificate in the
default trust store:

'cd' to $JRE_HOME/jre/lib/security

Make a copy of 'cacerts' for error recovery.

keytool -import \
-alias my-root \
-file /some/path/to/my-root.pem \
-keystore cacerts

On Thu, Nov 12, 2020 at 01:09:35PM +0200, Sean Carte wrote:
> Thanks for the response, Alan.
>
> It seems the problem for me is that our ldap (AD) server is using a PKI
> certificate, which appears to be self-signed. I really don't understand how
> that works. But from what I've read, that's what's causing the problem.

Yes, that certificate won't be in your JVM's trust store unless you
add it.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
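One way to carry out the trust-store procedure Mark describes end to end, as an added example that is not from the thread or from DSpace: it pulls the chain the LDAPS server presents, shows the fingerprint of the top certificate so it can be confirmed with the AD administrators before anything is trusted, and imports it into a copy of the JVM's cacerts rather than the live file. The host/port arguments, the CACERTS/JAVA_HOME lookup and the sample s_client output are assumptions.

```shell
# Added example, not from the thread: fetch the LDAPS server's chain, import its
# top certificate into a COPY of the JVM trust store, then verify the import.
# Assumptions: host/port are arguments; CACERTS or JAVA_HOME locates the store
# (Java 8 keeps it under $JAVA_HOME/jre/lib/security/cacerts).
set -e

# Constructed stand-in for `openssl s_client -showcerts` output (not a real chain).
SAMPLE_S_CLIENT_OUTPUT=' 0 s:CN = ldap.example.org
-----BEGIN CERTIFICATE-----
MIIBconstructedLEAFbody
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBconstructedISSUERbody
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.org'

# Print every PEM certificate in the "Certificate chain" section of s_client output.
extract_chain() {
    awk '/^Server certificate/{exit} /-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}
# Number of PEM certificates on stdin (0 when the server sent nothing usable).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }
# Keep only the last certificate: the issuing CA, or the self-signed server
# certificate itself when the server sends no chain (the AD case in this thread).
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}'
}

fetch_and_import() {
    host="$1"; port="${2:-636}"
    store="${CACERTS:-${JAVA_HOME:?set JAVA_HOME or CACERTS}/lib/security/cacerts}"
    work="$(mktemp -d)"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null | extract_chain > "$work/chain.pem"
    [ "$(count_certs < "$work/chain.pem")" -ge 1 ] || { echo "no certificate received from $host:$port" >&2; return 1; }
    last_cert < "$work/chain.pem" > "$work/issuer.pem"
    # Show what is about to be trusted; confirm the fingerprint with the AD admins
    # out of band rather than trusting whatever the network returned.
    openssl x509 -in "$work/issuer.pem" -noout -subject -issuer -fingerprint -sha256
    cp "$store" "$work/cacerts"   # work on a copy; the original stays for recovery
    keytool -importcert -trustcacerts -noprompt -alias "ldap-ca-$host" \
        -file "$work/issuer.pem" -keystore "$work/cacerts" -storepass changeit
    keytool -list -keystore "$work/cacerts" -storepass changeit -alias "ldap-ca-$host"
    echo "updated copy at $work/cacerts; install it over $store once verified"
}
```

Once the copy checks out, either install it over the live cacerts or point Tomcat's JVM at it with -Djavax.net.ssl.trustStore=/path/to/cacerts in JAVA_OPTS, which is the property Mark refers to.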

Sean Carte

Nov 12, 2020, 10:59:34 AM
to DSpace Technical Support
Thanks, Mark. I have requested the server's certs.
