[midPoint] LDAP connector SSL

Radovan Semancik radovan.semancik at evolveum.com
Wed Nov 18 18:25:51 CET 2015


Hi,

That's right. All the client-side certificate validations have to be 
non-interactive. So everything needs to be imported to 
midpoint.home/keystore.jceks. The guide is here:

https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743

The timeout error usually indicates a failed SSL/TLS handshake. One of the 
issues that I have seen is that some OpenLDAP configurations are not SSL, 
but STARTTLS. This is a different way to initiate a TLS connection. In 
that case "starttls" has to be used instead of "ssl".

Another issue can be that the client and server cannot agree on the 
cipher suites. It looks like recent TLS versions have quite limited set 
of supported cipher suites. Unfortunately the Java libraries and/or 
Apache Directory API are not very good at reporting errors, so this one 
can also look like timeout. If that is the case please try to force the 
use of an older TLS version on either client or server. I have added 
connector configuration options sslProtocol, enabledSecurityProtocols 
and enabledCipherSuites for that purpose. However, those are only 
supported in the development (master) version of the connector. Setting 
sslProtocol might help in your case (the values are protocol names from 
javax.net.ssl.SSLContext).

-- 
Radovan Semancik
Software Architect
evolveum.com
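The two handshake failure modes described in the reply above (an LDAPS handshake attempted against a port that only offers StartTLS, and a handshake that fails silently and surfaces as a timeout) can be told apart from the client side before changing the connector configuration. The script below is an added diagnostic, not code from this thread or from the midPoint LDAP connector; it assumes the CA certificate is available as a PEM file (cafile) rather than in keystore.jceks, and hand-encodes just enough LDAP BER to send the StartTLS extended operation from RFC 4511.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511, 4.14)


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }; all lengths < 128."""
    ext = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    body = b"\x02\x01" + bytes([message_id]) + b"\x77" + bytes([len(ext)]) + ext
    return b"\x30" + bytes([len(body)]) + body


def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_extended_response(data: bytes):
    """Return (resultCode, diagnosticMessage) of an ExtendedResponse; 0 = StartTLS accepted, 2 = protocolError."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)  # messageID
    tag, resp, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _tlv(resp, 0)  # resultCode ENUMERATED
    _, _, pos = _tlv(resp, pos)  # matchedDN
    _, diag, _ = _tlv(resp, pos)  # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> str:
    """Try an LDAPS handshake; if it fails or hangs, ask the same port for StartTLS over plain LDAP."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: PEM export of the CA (assumed)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ldaps ok: %s %s" % (tls.version(), tls.cipher()[0])
    except OSError as exc:  # SSLError, timeout and connection errors all derive from OSError
        ldaps_err = exc
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        code, diag = parse_extended_response(raw.recv(4096))
    if code == 0:
        return "plain LDAP with StartTLS: use 'starttls', not 'ssl' (ldaps error: %r)" % ldaps_err
    return "no TLS either way: ldaps error %r, StartTLS resultCode %d %s" % (ldaps_err, code, diag)
```

A handshake that the server silently drops shows up as a timeout from the first step, exactly the symptom reported below; a certificate or cipher-suite mismatch instead raises an SSLError whose text names the cause.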



On 11/17/2015 07:11 PM, Jason Everling wrote:
> I would try and import your LDAP Certs or LDAP CA Certs into the 
> midpoint.home/keystore.jceks keystore. I had to put all our CA certs 
> into this file and also Google's mail ca certs so that notifications 
> would go out. The default password for the keystore is in your 
> config.xml file
>
> JASON
>
> On Tue, Nov 17, 2015 at 12:07 PM, Devin Rosenbauer 
> <devin at identityworksllc.com> wrote:
>
>     Hey all,
>
>     I'm working on deploying a demo LDAP connector to an OpenDJ LDAP
>     instance. I've got everything set up and working great in non-SSL
>     mode. When I switch the connection security configuration property
>     to "ssl", the connection times out every time, with this root
>     cause stack trace:
>
>     Caused by: org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred
>             at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]
>             at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]
>             at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1]
>             at com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030) ~[connector-ldap-1.4.1.23.jar:na]
>
>     After looking through the code, I'm guessing that the SSL filter
>     is attempting to prompt the non-existent keyboard user to accept
>     or deny the certificate. I've imported the cert as a trusted
>     certificate into the Java cacerts file, but I'm not sure that
>     that's what the LDAP connector is using.
>
>     Any suggestions?
>
>
>
>     -- 
>     Devin Rosenbauer
>     Principal Consultant
>     Identity Works LLC
>     +1 585 210 3201
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>

