ldap port 10389 - 389. is there some difference for ETT?


Jose Maria Olmo Millan

Jul 5, 2016, 5:43:56 PM
to Edge Test Tool (ETT)


Hello

   we were using 10389 as the LDAP port with our HISP server and all was working with the ETT tool.

   Now we have changed our LDAP port and our LDAP SRV entry in our DNS.

   When we use the sitenv certificate discovery tool all is working right with 389,

Success: true
Processing Message(s): None
Processed Step(s):
  1. Query DNS for SRV record(s).:
    Success: true
    Binding Type: DOMAIN
    Location Type: DNS
    Message(s):
          • INFO: DNS lookup (recordType=SRV, directAddrName=_ldap._tcp.prevvy.co.) was successful: [_ldap._tcp.prevvy.co. 59S IN SRV 1 10 389 direct.develop.prevvy.co.]
  2. Query the first available LDAP server for it's base Distinguished Name(s) (DN[s]).:
    Success: true
    Binding Type: DOMAIN
    Location Type: LDAP
    Message(s):
          • INFO: DNS SRV record (name=_ldap._tcp.prevvy.co., target=direct.develop.prevvy.co., port=389) target address resolution was successful: [54.152.178.254]
          • INFO: LDAP base Distinguished Name (DN) lookup (host=54.152.178.254, port=389) was successful: [ou=system, ou=config, ou=schema, dc=example,dc=com]
  3. Query the first available LDAP server for the userCertificate attribute of entry(s) whose mail attribute is domain-bound.:
    Success: true
    Binding Type: DOMAIN
    Location Type: LDAP
    Message(s):
          • INFO: LDAP lookup (host=54.152.178.254, port=389, filter={(&(mail=prevvy.co)(|(userCertificate;binary=*)(userCertificate=*)))}) entry (dn={cn=prevvy.co,ou=system}) attribute (id=usercertificate) value certificate (subjDn={CN=prevvy.co,C=US,ST=Florida,L=Miami,O=HealthCentrix\, Inc.}, serialNum=032d2f8b4bab110137e85b591da75411, issuerDn={CN=DigiCert Direct Med CA,C=US,O=DigiCert Inc,OU=www.digicert.com}) processed.
  4. Validation of discovered certificate(s).:
    Success: true
    Binding Type: NONE
    Location Type: None
    Message(s):
          • INFO: Certificate (subjDn={CN=prevvy.co,C=US,ST=Florida,L=Miami,O=HealthCentrix\, Inc.}, serialNum=032d2f8b4bab110137e85b591da75411, issuerDn={CN=DigiCert Direct Med CA,C=US,O=DigiCert Inc,OU=www.digicert.com}) is not revoked.



 but ETT is not working. When we try to send a Direct message to our HISP server we get this message


Exception: Cannot pull encryption certificate from DNS

Caused by:

Requesting: https://edge.nist.gov:12080/ett/api/sendDirect



If we change our LDAP port in server and DNS to 10389 all is working right


I will be pleased with any suggestion.


Thanks in advance

Regards



Andrew McCaffrey

Jul 7, 2016, 12:58:07 PM
to Jose Maria Olmo Millan, Edge Test Tool (ETT)
Hi,

I'm seeing different behavior in our logs depending on whether we query
389 or 10389. The tool is able to connect to the LDAP service when it's
running on either 389 or 10389, but it cannot find a certificate when
connecting to 389.

This is 10389:

2016-07-05 14:18:56 INFO LdapDnslookUp:51 - DNS SRV query found LDAP at direct.develop.prevvy.co:10389
2016-07-05 14:18:56 WARN DirectMessageGenerator:418 - Cannot pull address bound encryption certificate from LDAP
2016-07-05 14:18:56 WARN DirectMessageGenerator:431 - Cannot pull address bound encryption certificate from DNS
2016-07-05 14:18:56 INFO LdapDnslookUp:51 - DNS SRV query found LDAP at direct.develop.prevvy.co:10389
2016-07-05 14:18:56 INFO LdapDnslookUp:92 - Found certificate for prevvy.co at direct.develop.prevvy.co:10389
2016-07-05 14:18:56 INFO DirectMessageGenerator:441 - Domain bound encryption certificate pulled from LDAP

This is 389:

2016-07-05 17:20:42 INFO LdapDnslookUp:51 - DNS SRV query found LDAP at direct.develop.prevvy.co:389
2016-07-05 17:21:45 WARN DirectMessageGenerator:421 - Cannot pull address bound encryption certificate from LDAP
2016-07-05 17:21:45 WARN DirectMessageGenerator:431 - Cannot pull address bound encryption certificate from DNS
2016-07-05 17:21:45 INFO LdapDnslookUp:51 - DNS SRV query found LDAP at direct.develop.prevvy.co:389
2016-07-05 17:22:48 WARN DirectMessageGenerator:447 - Cannot pull domain bound encryption certificate from LDAP
2016-07-05 17:22:48 WARN DirectMessageGenerator:457 - Cannot pull domain bound encryption certificate from DNS
java.lang.Exception: Cannot pull encryption certificate from DNS

Is there any other difference in the services other than the port
number? A permission issue perhaps (we need anonymous access)?

-Andrew

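The discovery order the ETT log above shows (DNS SRV targets, then an address-bound search before a domain-bound one), as an added example that is not code from the thread, the ETT or the sitenv tool. It runs against a constructed in-memory directory so it works offline; the hostnames, ports, certificate strings and the `fake_search` helper are assumed sample values.

```python
from collections import namedtuple

# Assumed sample values: hostnames, ports and the certificate strings below
# are constructed for this example, not taken from the thread.
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def parse_srv(rdata):
    """Parse SRV rdata as dig prints it, e.g. '1 10 389 direct.develop.prevvy.co.'."""
    prio, weight, port, target = rdata.split()
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))

def order_srv(records):
    """RFC 2782 selection order: lowest priority first, then highest weight
    (deterministic here; a real resolver weights randomly within a priority)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def ldap_filter(mail):
    """The filter the sitenv output shows, with RFC 4515 escaping of the mail value."""
    esc = (mail.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29"))
    return "(&(mail=%s)(|(userCertificate;binary=*)(userCertificate=*)))" % esc

def discover_cert(address, srv_rdata, search):
    """Direct discovery order from the ETT log: address-bound (mail=user@domain)
    before domain-bound (mail=domain), each across the SRV targets in order.
    search(host, port, filter) returns a list of certificates or raises OSError."""
    domain = address.split("@", 1)[1]
    servers = order_srv(parse_srv(r) for r in srv_rdata)
    for mail in (address, domain):
        for srv in servers:
            try:
                certs = search(srv.target, srv.port, ldap_filter(mail))
            except OSError:
                continue  # unreachable target: fall through to the next SRV entry
            if certs:
                return ("address" if mail == address else "domain", srv.port, certs[0])
    raise LookupError("Cannot pull encryption certificate from DNS")

# Constructed in-memory directory standing in for the HISP's LDAP: the domain-bound
# entry is only visible on 10389; 389 connects but returns nothing (e.g. anonymous
# search denied), which reproduces the failure shape in the port-389 log.
FAKE_DIR = {10389: {"prevvy.co": ["SAMPLE-DOMAIN-CERT"]}, 389: {}}

def fake_search(host, port, filt):
    if port not in FAKE_DIR:
        raise OSError("connection refused")
    mail = filt.split("(mail=", 1)[1].split(")", 1)[0]
    return FAKE_DIR[port].get(mail, [])
```

To check a live server the same way, replace `fake_search` with an anonymous `ldapsearch -x -H ldap://host:389` using the filter `ldap_filter` builds. In the port-389 log each step is stamped about a minute apart, so a search timing out, rather than an empty result, is one more thing to check alongside anonymous access.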

Andrew McCaffrey

Jul 7, 2016, 2:02:29 PM
to Jose Maria Olmo Millan, Edge Test Tool (ETT)
One other thing. This may be unrelated, but sometimes we're getting
direct.develop.prevvy.co for the DNS SRV query, and other times simply
direct.prevvy.co

-Andrew