Hello.
I'm trying to set up my PwReset application via the WebADM GUI, but have some trouble with encryption in the LDAP connector.
In server.xml the single variant where the LDAP connection is OK is
<LdapServer name="LDAP Server"
host="dc.domain.com"
port="389"
encryption="NONE"
ca_file=""
sasl=""/>
Any other port or encryption values, e.g.
port="389"
encryption="TLS"
ca_file="" />
or
port="636"
encryption="SSL"
ca_file="" />
return the next string in the output after service restart:
"Connected LDAP server: ERROR (no server available)"
Haven't found any info in guides or troubleshooting about making encryption work this way.
Telnet to DC port 389 - OK
Telnet to DC port 636 - OK
on DC:
netstat -na | Select-String "636" - LISTENING
netstat -na | Select-String "389" - LISTENING
In GUI in "Trusted Certificate Authorities" I've added my DC's cert and added webadm's cert to trusted root on DC - useless.
Well now, with encryption value NONE, when I'm trying to reset a user password via PwReset I'm getting this error:
[2024-03-21 16:27:45] [10.13.177.109:14158] [PwReset:XCV40315] Could not modify LDAP object 'CN=webadmtest,OU=Tech,OU=ActiveUsers,DC=domain,DC=com' (0000001F: SvcErr: DSID-031A12E8, problem 5003 (WILL_NOT_PERFORM), data 0)
At the same time:
- I can change attributes of accounts in my domain through the webadm GUI (so I already have write access without encryption)
- I can receive the OTP token on email
In the troubleshooting guide it says that the problem is in encryption.
So how to set it properly?
Please help!
Regards
Hello,
openssl s_client -connect 192.168.4.2:636
Connecting to 192.168.4.2
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 DC=com, DC=rcdevs, DC=support, CN=SUPCAAD2
verify return:1
depth=0 CN=AD22-1.support.rcdevs.com
verify return:1
---
Certificate chain
0 s:CN=AD22-1.support.rcdevs.com
i:DC=com, DC=rcdevs, DC=support, CN=SUPCAAD2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 29 09:45:26 2023 GMT; NotAfter: Nov 28 09:45:26 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN=AD22-1.support.rcdevs.com
issuer=DC=com, DC=rcdevs, DC=support, CN=SUPCAAD2
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2208 bytes and written 409 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3D73314789721BC1A51ED8C64A9B3D5F54A59EB8D003F8CCA3E72F330A957DAA
Session-ID-ctx:
Resumption PSK: 27066A3E97A6A88B6824D8658D5C00486B521E31CE493FEDA792583A2025048851233EE7592BF47FA8528EA6CD4F9EEA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
0000 - a4 06 00 00 26 7c 93 16-3e 20 de 69 0a 3b d6 a7 ....&|..> .i.;..
0010 - 04 9e 1a 67 fc 82 58 02-44 5a f8 c5 8e e0 7a c7 ...g..X.DZ....z.
Start Time: 1711124602
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
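The two things this thread turns on are which port/encryption pairs of the <LdapServer> entry fit together, and whether the WebADM host can actually complete a verified TLS handshake with the DC the way the `openssl s_client -connect ...:636` run above does ("Verification: OK"). The script below is an added example for this thread, not RCDevs or WebADM code: it lints the attributes quoted in the first post and probes the DC with the standard library only. It assumes (the thread does not confirm it) that encryption="SSL" means LDAPS (TLS from the first byte, port 636) and encryption="TLS" means LDAP StartTLS on the plain port 389; the sample XML and the response bytes in the comments are constructed.

```python
# Added example for this thread, not RCDevs/WebADM code: lints the <LdapServer>
# attributes quoted in the post and probes the DC the way `openssl s_client` does.
# Assumed meaning of the values (not confirmed by the thread): encryption=SSL is
# LDAPS (TLS from the first byte, port 636); encryption=TLS is StartTLS on 389.
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: the working entry from the post plus the two variants that failed.
SAMPLE_XML = """<Servers>
  <LdapServer name="LDAP Server" host="dc.domain.com" port="389" encryption="NONE" ca_file="" sasl=""/>
  <LdapServer name="LDAP TLS" host="dc.domain.com" port="389" encryption="TLS" ca_file="" sasl=""/>
  <LdapServer name="LDAP SSL" host="dc.domain.com" port="636" encryption="SSL" ca_file="" sasl=""/>
</Servers>"""

def lint_ldap_servers(xml_text):
    """Return {server name: [findings]} for port/encryption mismatches and weak settings."""
    findings = {}
    for el in ET.fromstring(xml_text).iter("LdapServer"):
        port, enc = int(el.get("port", "389")), el.get("encryption", "NONE").upper()
        issues = []
        if enc == "SSL" and port != 636:
            issues.append("SSL (LDAPS) expects port 636, not %d" % port)
        if enc != "SSL" and port == 636:
            issues.append("port 636 speaks TLS from the first byte; use encryption=SSL")
        if enc in ("SSL", "TLS") and not el.get("ca_file"):
            issues.append("ca_file is empty; the DC's issuing CA must be trusted another way")
        if enc == "NONE":
            issues.append("cleartext session: AD rejects unicodePwd changes with WILL_NOT_PERFORM")
        findings[el.get("name", "?")] = issues
    return findings

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation (RFC 4511)

def ber_tlv(tag, content):
    """Tag-length-value with a short-form length (enough for the tiny request below)."""
    return bytes([tag, len(content)]) + content

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID } }"""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("unexpected protocol op tag 0x%02x" % tag)
    _, code, pos = _read_tlv(body, 0)    # resultCode ENUMERATED (0 = success)
    _, _, pos = _read_tlv(body, pos)     # matchedDN
    _, diag, _ = _read_tlv(body, pos)    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage (header first, then the announced length)."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return data
    head = exact(2)
    length = head[1]
    if length & 0x80:
        ext = exact(length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + exact(length)

def probe(host, port, encryption, ca_file=None, timeout=5.0):
    """Connect as WebADM would and return the negotiated TLS version (None for NONE).
    Chain and hostname are verified against ca_file, or the system store when it is empty."""
    ctx = ssl.create_default_context(cafile=ca_file or None)
    raw = socket.create_connection((host, port), timeout=timeout)
    if encryption == "TLS":                  # StartTLS: negotiate on the plain port first
        raw.sendall(starttls_request())
        _, code, diag = parse_extended_response(_recv_message(raw))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, diag))
    if encryption in ("SSL", "TLS"):
        return ctx.wrap_socket(raw, server_hostname=host).version()
    return None

if __name__ == "__main__":                   # python3 ldapcheck.py [host port SSL|TLS|NONE]
    import sys
    print(lint_ldap_servers(SAMPLE_XML))
    if len(sys.argv) == 4:
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run `probe("dc.domain.com", 636, "SSL", "/path/to/ca.pem")` from the WebADM host: a `ssl.SSLCertVerificationError` there, with `Verification: OK` from `openssl s_client` elsewhere, means the trust store on the WebADM side (the ca_file or the trusted CA list) does not contain the DC's issuing CA, while a plain connection error or timeout points at the network path. The last lint finding explains why attribute writes succeed but the password reset does not: Active Directory only accepts a unicodePwd change over an encrypted session and answers a cleartext attempt with unwillingToPerform (result code 53, shown by AD as WILL_NOT_PERFORM), so the working encryption="NONE" entry is not sufficient for PwReset.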