LDAP and LDAPS passwords are different?


This topic has 12 replies, 4 voices, and was last updated 4 years, 7 months ago by garcimo.

  • #20767
     garcimo
    Participant

    Hello
    I installed OpenDJ on Linux and during the install I only enabled HTTPS.

    Due to certificate problems I cannot connect with LDAPS from another Unix system using ldapsearch.

    I created an LDAP connection handler with dsconfig, but it seems the password for LDAP on this connection handler is not the same as for Directory Manager.

    I can connect to the control panel using the password and can connect to LDAPS from Apache Directory Studio,
    but not using plain LDAP; I get invalid credentials.

    Thank you

    #20768
     Ludo
    Moderator

    I don’t believe that what you are describing is accurate (first you say HTTPS but then talk about LDAPS).
    The Directory Manager credentials are completely separate from the Connection Handlers.
    But you may have configured the server to deny simple password authentication over non-secure LDAP connections. You may have configured LDAPS to restrict to specific ciphers and TLS versions that your client does not support…
    The server’s log files (ldap-access.audit.json or errors) should contain more details about why the authentication fails.

    Please also specify which version of OpenDJ you installed when reporting a problem.

    #20769
     Bill Nelson
    Participant

    The connection handlers are doorways into OpenDJ; they have nothing to do with how the password is stored or validated against the stored password. I suspect that something else may be the problem here. Would you mind posting the entries from the access log files for the complete transaction? Also any entries found in the errors log?

    #20770
     Bill Nelson
    Participant

    Looks like @ludo and I were posting at the same time. Sure glad we are on the same page. :-)

    #20771
     Ludo
    Moderator

    Looks like @bill-nelsonidentityfusion-com is up very early this morning ! :D

    #20772
     garcimo
    Participant

    Hello
    The HTTPS was a typo.

    When I ran setup I only enabled LDAPS.

    Afterwards, with dsconfig, I enabled LDAP.

    I can connect to the LDAP server using LDAPS (port 636) but not LDAP (port 389).

    I do not get permission denied when trying to connect with LDAP; I get invalid credentials.

    The problem is only with cn=directory manager.
    I can connect as another user; for instance, this works in plain LDAP:

    ldapwhoami -vvv -h cjlldapreptst -p 389 -D "uid=test,ou=People,dc=example,dc=com" -x -w *****

    I am using Directory Services 5.5 evaluation. I am still in my learning phase.

    Thanks in advance.

    #20773
     Bill Nelson
    Participant

    The Invalid Credentials message can be generated for non-password related issues as well. To better assist you, I would need to see the output of your logs.

    Run a "tail -f /path/to/logs/ldap-access.audit.json" and another "tail -f /path/to/logs/errors", perform the authentication again and post the messages here.
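
    The post above asks for the access-log entries of the failing bind. The following script is an added example (not ForgeRock code) showing how to pull the failed BIND operations out of a JSON access log and group them by the server's diagnostic text. A wrong password and a policy rejection both surface to the client as "invalid credentials", so the detail field in the log is what tells them apart. The three log lines are constructed for this example; the field names (request.operation, request.dn, response.status, response.statusCode, response.detail, client.ip) are my assumption about the JSON audit layout, so compare them with one real line from your own ldap-access.audit.json before relying on the filter.

```python
"""Pull failed BIND operations out of a JSON access log, grouped by reason.

Added example, not ForgeRock code. The three log lines are constructed
for this example; the field names (request.operation, request.dn,
response.status, response.statusCode, response.detail, client.ip) are
an assumption about the JSON audit layout, so check them against a real
line from your own ldap-access.audit.json first.
"""
import json
from collections import Counter

# Constructed sample: one policy rejection, one success, one bad password.
SAMPLE_AUDIT_LOG = """\
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.10","port":51234},"request":{"protocol":"LDAP","operation":"BIND","connId":7,"msgId":1,"dn":"cn=Directory Manager","authType":"SIMPLE"},"response":{"status":"FAILED","statusCode":"49","detail":"Rejecting a simple bind request because the password policy requires secure authentication","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2017-10-02T08:15:01.123Z"}
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.10","port":51235},"request":{"protocol":"LDAPS","operation":"BIND","connId":8,"msgId":1,"dn":"uid=test,ou=People,dc=example,dc=com","authType":"SIMPLE"},"response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2017-10-02T08:15:05.456Z"}
{"eventName":"DJ-LDAP","client":{"ip":"192.0.2.11","port":40001},"request":{"protocol":"LDAP","operation":"BIND","connId":9,"msgId":1,"dn":"uid=test,ou=People,dc=example,dc=com","authType":"SIMPLE"},"response":{"status":"FAILED","statusCode":"49","detail":"Invalid Credentials","elapsedTime":2,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2017-10-02T08:16:00.000Z"}
"""


def failed_binds(log_text):
    """Return one record per failed BIND; skip blank, non-JSON or partial lines."""
    records = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # e.g. a half-written line seen while tailing the file
        request = event.get("request", {})
        response = event.get("response", {})
        if request.get("operation") != "BIND" or response.get("status") != "FAILED":
            continue
        records.append({
            "when": event.get("timestamp"),
            "client_ip": event.get("client", {}).get("ip"),
            "protocol": request.get("protocol"),
            "dn": request.get("dn"),
            "code": response.get("statusCode"),
            "detail": response.get("detail", ""),
        })
    return records


def failures_by_reason(log_text):
    """Count failed binds per (LDAP result code, diagnostic detail) pair."""
    return Counter((r["code"], r["detail"]) for r in failed_binds(log_text))


if __name__ == "__main__":
    for rec in failed_binds(SAMPLE_AUDIT_LOG):
        print(f"{rec['when']} {rec['client_ip']} {rec['protocol']} {rec['dn']!r} "
              f"code={rec['code']}: {rec['detail']}")
    for (code, detail), n in failures_by_reason(SAMPLE_AUDIT_LOG).items():
        print(f"{n} x code {code}: {detail}")
```

Feed it the real file with `python3 bindfail.py < ldap-access.audit.json` after replacing the sample with `sys.stdin.read()`; the grouping makes a policy rejection (here "requires secure authentication") stand out from ordinary bad-password noise even when both carry the same result code.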

    #20774
     Bill Nelson
    Participant

    And yes, @ludo, I heard that you were on and just wanted to hang with the cool kids.

    #20775
     garcimo
    Participant

    Update:
    You are right, I cannot connect with LDAP due to a password policy I really did not set... I would not know how.

    So I cannot connect from a Linux client with LDAP due to a password policy, nor with LDAPS due to a protocol error.

    This is an LDAPS connection attempt:
    it gives me a protocol error. My certificates come from a company-internal CA stored in the AD, so probably the CA is not trusted.

    Plain LDAP gives the error: "Rejecting a simple bind request because the password policy requires secure authentication"

    Could you help me to fix it? I am still evaluating the product.

    Best regards

    #20778
     Bill Nelson
    Participant

    I would suggest that you reinstall using plain ldap first and foremost just to get it up and running. Then you can try to deal with certificate issues, etc.

    1. stop-ds
    2. rm -rf opendj installation folder
    3. install opendj with general settings

    i.e. walk before you try to run

    #20816
     garcimo
    Participant

    Hello
    I went ahead and followed your advice and have reinstalled with LDAP and LDAPS enabled.

    The purpose of the LDAP server is to allow Unix clients to authenticate.

    When I run ldapsearch or use sssd there is an issue with the ciphers.

    The Java version used is:
    java version "1.8.0_111"
    Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
    Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

    The OS is Oracle Enterprise Linux 6.9.

    I get this error when launching DS with SSL debug:

    LDAP Connection Handler 0.0.0.0 port 389(1) SelectorRunner, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated: [Session-23, SSL_NULL_WITH_NULL_NULL]
    LDAP Connection Handler 0.0.0.0 port 389(1) SelectorRunner, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    LDAP Connection Handler 0.0.0.0 port 389(1) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
    LDAP Connection Handler 0.0.0.0 port 389(1) SelectorRunner, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

    I do not know what to do client side or server side in order to allow SSL or StartTLS to work. As you know, sssd requires StartTLS or SSL.

    The testing of the product is blocked due to this.

    Any help would be very welcome.

    Thank you

    Mario

    #20825
     handat
    Participant

    It appears that in 5.5 the LDAP connection handler defaults to StartTLS, so if you are using ldapsearch over the LDAP protocol, you need to use the -Z option.

    #20829
     garcimo
    Participant

    The issue is my client and server do not seem to have ciphers in common.

    The client is sssd/ldapsearch from Linux.

    The server is OpenDJ/DS.

    This is the ldap command I use from the client:

    ldapsearch -D "cn=directory manager" -W -p 389 -h ds1.exemple.eu -b "dc=garcimo,dc=net" -s sub -Z "(objectclass=*)"

    The output is:
    ldap_start_tls: Connect error (-11)
    additional info: TLS error -5938:Encountered end of file
    Enter LDAP Password:
    ldap_result: Can’t contact LDAP server (-1)

    The server.out says this:

    Using SSLEngineImpl.
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, READ: TLSv1 Handshake, length = 136
    *** ClientHello, TLSv1.2
    RandomCookie: GMT: 271641009 bytes = { 137, 213, 191, 126, 94, 236, 55, 241, 33, 255, 116, 207, 160, 73, 152, 187, 70, 67, 113, 228, 8, 253, 133, 138, 207, 106, 235, 55 }
    Session ID: {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
    Compression Methods: { 0 }
    Extension renegotiation_info, renegotiated_connection: <empty>
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withDSA, Unknown (hash:0x5, signature:0x2), Unknown (hash:0x6, signature:0x2), SHA1withDSA
    ***
    %% Initialized: [Session-16, SSL_NULL_WITH_NULL_NULL]
    LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated: [Session-16, SSL_NULL_WITH_NULL_NULL]
    LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
    LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

    I followed the info here:
    https://backstage.forgerock.com/knowledge/kb/article/a64308800

    without results.
    I am running Java 8.
    The sssd/ldapsearch binaries are those provided by Oracle Linux.

    Thank you
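
    The server.out excerpt in the post above contains everything needed to reason about a "no cipher suites in common" failure: the suites the server JVM reports as unavailable before any handshake, and the suites the client listed in its ClientHello. The script below is an added example (not OpenDJ/DS code) that parses both out of a JDK 8 `-Djavax.net.debug=ssl` log and reports which offered suites the server dropped and which were still candidates. The embedded log is a constructed, abridged copy of the output quoted above; the regular expressions assume that JDK 8 line format.

```python
"""Cross-check a JSSE debug log for a "no cipher suites in common" failure.

Added example, not OpenDJ/DS code. It parses the two things a JDK 8
server prints with -Djavax.net.debug=ssl: the suites it ignores as
unavailable in its own JVM, and the suites the client offered in its
ClientHello. SAMPLE_SERVER_OUT is a constructed, abridged copy of the
thread's log; the regexes assume that JDK 8 line format.
"""
import re

SAMPLE_SERVER_OUT = """\
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
***
LDAP Connection Handler 0.0.0.0 port 389(2) SelectorRunner, fatal error: 40: no cipher suites in common
"""

IGNORED_RE = re.compile(r"^Ignoring unavailable cipher suite: (\S+)$", re.M)
CLIENT_HELLO_RE = re.compile(r"^Cipher Suites: \[([^\]]*)\]$", re.M)
# Suites a hardened server should refuse whether or not the JVM can use them.
LEGACY_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT")


def server_unavailable(log):
    """Suites the server JVM dropped before negotiation even started."""
    return set(IGNORED_RE.findall(log))


def client_offered(log):
    """Suites listed in the first ClientHello, in the client's preference order."""
    m = CLIENT_HELLO_RE.search(log)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []


def is_legacy(suite):
    return any(marker in suite for marker in LEGACY_MARKERS)


def analyse(log):
    offered = client_offered(log)
    unavailable = server_unavailable(log)
    dropped = [s for s in offered if s in unavailable]
    remaining = [s for s in offered if s not in unavailable]
    return {
        "offered": offered,
        "dropped_by_server": dropped,
        "remaining_candidates": remaining,
        "remaining_modern": [s for s in remaining if not is_legacy(s)],
        # True when every dropped suite is a 256-bit AES suite: on JDK 8
        # builds older than 8u161 that pattern means the JVM is running
        # with the default "limited" crypto policy, not a config error.
        "all_dropped_are_aes256": bool(dropped)
        and all("_AES_256_" in s for s in dropped),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_SERVER_OUT)
    print(f"client offered {len(report['offered'])} suites")
    print(f"server JVM could not use {len(report['dropped_by_server'])} of them "
          f"(all AES-256: {report['all_dropped_are_aes256']})")
    print("still possible if enabled on the handler:")
    for s in report["remaining_modern"]:
        print("  ", s)
```

Run against a saved server.out (`python3 suites.py`, with the sample swapped for the file contents). On the thread's log it reports 19 offered suites, 7 dropped, all of them AES-256, and 7 AES-128 suites left over; the remaining RC4 and 3DES offers are excluded as legacy. Since the handshake still failed, the handler's enabled list (the connection handler's `ssl-cipher-suite` setting) evidently contained none of the leftovers. The two defensible fixes are to enable one of the AES-128 suites on the handler, or to make the AES-256 suites usable by the JVM (unlimited crypto policy, or a JDK 8u161 or later build where it is the default); enabling RC4 or 3DES to satisfy an old client is not one of them.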
