OpenLDAP Connection closed during handshake. Cert issues?

[Spencer Kotowick]

Trying to have Rundeck authenticate against my ldap server. When trying to login, I get the following error in the services.log:

java.lang.Thread.run(Thread.java:701)|Caused by: javax.naming.CommunicationException: simple bind failed: k2-ldap0.<host>.ca:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]|?at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)|?at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)|?at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)|?at 

**(full log @ http://pastebin.com/2rV3wdDc)**

I am fairly certain I imported the certificates properly. The below is my config file. Any ideas why this isn't working? 

http://k2-ldap0.<host>.ca

port 389

uses startTLS

ldap {

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required

      debug="true"

      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"

      providerUrl="ldaps://k2-ldap0.<host>.ca:389"

      bindDn="ou=People,dc=<hostname>,dc=ca"

      authenticationMethod="simple"

      forceBindingLogin="true"

      userBaseDn="ou=People,dc=<hostname>,dc=ca"

      userRdnAttribute="uid"

      cacheDurationMillis="300000"

      reportStatistics="true";

};

[Tony Feldmann]

You said you imported the cert, but did you import the CA into the truststore?

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[spence]

Hi Tony,

I ran the openssl command on the ldap server, copied each certificate (3 of them), pasted to a file on the rundeck server, and then ran the keytool -import command. Am I missing something?

Command 1:

openssl s_client -showcerts -connect <ldap server>

Command 2:

sudo keytool -import -alias <certAlias1> -file <cert>.cert -keystore /etc/rundeck/ssl/truststore

[spence]

Hi Tony,

I imported the correct CA, and handshake no longer drops. But, I now get:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]

Does Rundeck support LDAP over startTLS? 

On Thursday, May 15, 2014 7:28:37 AM UTC-7, Tony Feldmann wrote:

[Tony Feldmann]

Honestly, I don't know.  I am using ldaps over port 636.  It might be that you need to specify a binddn and bind password.  Here is the working config that I use:

msad {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://<server>.com"
    bindDn="<full cn to bind account(cn=user,ou=group,dn=whatever,dn=com)>"
    bindPassword="<password>"
    referrals="no"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="<base dn>"
    userRdnAttribute="cn"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userpassword"
    userObjectClass="person"
    roleBaseDn="<role base dn>"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="readonly";

    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};