[midPoint] Flexible Auth: ldap connection issues

Jim Lookabaugh jlookabaugh at exclamationlabs.com
Fri May 21 18:16:55 CEST 2021


I have attempted to configure a flexible authentication module for ldap (AD) where the environment relies on a cluster of domain controllers.  In this scenario, eventually authentication through this channel fails. The log indicates success for a time, then indicates a connection closure, and thereafter shows a PKIX path building failure (I take that to superficially mean a certificate verification failure).  Yet, by explicitly configuring a given domain controller in the security policy on occasion, connecting to that specific endpoint has worked.  It appears to me that the clustered approach is what’s thorny here rather than a certificate/TLS matter.  I think this may, under the covers, be due to a connection caching/pooling and refresh issue, as it appears to occur when given time — perhaps time for the environment to route requests to another member of the cluster.

This ldap cluster serves both purposes of authentication into midPoint and of an identity/provisioning resource. A similar issue apparently impacts my resource connection to this same ldap (AD) cluster.  I was forced to set “Allow untrusted SSL/TLS” to true, which seems to have prevented recurrence of the connection problems.  That resource configuration has one of the four domain controllers set as the “Host”, and the other three are set as “Servers”. It is important to note that when I configure this resource for only one ldap (AD) domain controller at a time and for requiring trusted TLS, testing each of the four this way, no PKIX path building failure seems to occur. But that may be due to not allowing enough time to pass for a load balancer reroute of traffic.

The certificate and the sole CA’s certificate in the signing chain for each of the four domain controllers are installed in the trust store. So, I am led to believe that it’s not truly a PKIX path building failure.  I’ve pasted an excerpt from my log below my signature.  Is a connection/socket closure typical for clustered environments which the client should recover from?

Jim Lookabaugh
Exclamation Labs
300 Washington Street
Cumberland, MD 21502
888.545.5008 or 301.722.5008
240.860.1847 direct
fax 301.722.2183
jlookabaugh at exclamationlabs.com
www.exclamationlabs.com
www.provisioniam.com


= = = = =
2021-xx-xx 12:57:32,868 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'
2021-xx-xx 12:57:32,896 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com
2021-xx-xx 12:57:33,109 [] [http-nio-8080-exec-10] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@c02f71c, org.springframework.security.web.csrf.CsrfFilter@60cd69b4, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@4db27ca8, org.springframework.security.web.authentication.logout.LogoutFilter@5693cb71, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@2fe0dfda, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@38408be, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@70405950, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@640564cb, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@31abb100, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2e47db4f]
2021-xx-xx 12:59:01,662 [] [http-nio-8080-exec-7] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/emergency/internalLoginForm/**'], [org.springframework.security.web.header.HeaderWriterFilter@7b486355, org.springframework.security.web.csrf.CsrfFilter@788669db, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@1147d5b6, org.springframework.security.web.authentication.logout.LogoutFilter@29ad491d, com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter@28906c98, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4092633f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@9386989, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@3a989faa, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@7c8fe846, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@25fa86ab]
2021-xx-xx 13:01:47,035 [] [http-nio-8080-exec-23] WARN (com.exclamationlabs.connid.base.redcarpet.driver.RedCarpetUserInvocator): method: null msg:User not found for id: connectionTest
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@7774913d, org.springframework.security.web.csrf.CsrfFilter@7a5d5a6e, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@cd0a10c, org.springframework.security.web.authentication.logout.LogoutFilter@5ffe2eb7, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@26ff4f05, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@12086a5c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4645e66b, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@500b50f4, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@142320f8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@fe6785d]
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
	at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
	at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
	at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
	at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
	at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
	at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
	at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
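Added example for the two failure modes in the log above; this is not code from the post or from the midPoint project. The log shows two different root exceptions against the same configured name: `java.net.SocketException: Connection or outbound has closed`, thrown from `SSLSocketImpl$AppOutputStream.write`, which means an already-open TLS connection was closed underneath the client, and `javax.net.ssl.SSLHandshakeException: PKIX path building failed`, which is a fresh handshake whose presented chain the JVM could not build to a trust anchor. The script separates the two when run over the log lines, and its `probe_ldaps` function does the check a practitioner would want next: resolve the cluster name to every address it returns, perform a verified TLS handshake to each one with SNI set to the cluster name, and on a verification failure reconnect unverified only to read the SHA-256 fingerprint of the certificate that member actually presented. The hostname `serverA.myowncorp.com` is taken from the post; the PEM CA file is an assumption (a `keytool -exportcert -rfc` export of the CA entry from the JVM trust store would do). The sample log lines are copied from the post.

```python
"""Triage 'simple bind failed' errors from a midPoint (Spring Security LDAP) log
and, optionally, probe every address behind an LDAPS hostname with a PEM CA bundle.
Added example, not midPoint code; hostnames and the CA file path are assumptions."""
import hashlib
import re
import socket
import ssl
import sys
from collections import Counter

# Shape of the provider ERROR lines in the posted log:
#   <timestamp> [<ctx>] [<thread>] ERROR (<logger>): ... simple bind failed: <host>:<port> ... [Root exception is <class>: <msg>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]*\] \[(?P<thread>[^\]]+)\] ERROR \((?P<logger>[^)]+)\): "
    r".*?simple bind failed: (?P<host>[\w.-]+):(?P<port>\d+)"
    r".*?\[Root exception is (?P<root>[\w.$]+): (?P<msg>[^\]]*)\]"
)

# Root exception class -> what it tells you. The two in the post are different problems.
CATEGORIES = {
    "java.net.SocketException": "transport",         # an already-open TLS socket was closed under the client
    "javax.net.ssl.SSLHandshakeException": "trust",  # a fresh handshake failed; the presented chain did not validate
}

# Constructed sample: the two provider ERROR lines and one filter line, copied from the post.
SAMPLE_LOG = [
    "2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]",
    "2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.",
    "2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]",
]


def triage(lines):
    """Return one record per matching provider ERROR line, in log order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # stack-trace lines and non-bind errors are skipped
        rec = m.groupdict()
        rec["category"] = CATEGORIES.get(rec["root"], "other")
        rec["pkix"] = "PKIX path building failed" in rec["msg"]
        events.append(rec)
    return events


def summarize(events):
    """Count failures per (host:port, category) so mixed causes behind one name stand out."""
    return Counter((f"{e['host']}:{e['port']}", e["category"]) for e in events)


def cert_fingerprint(der):
    """SHA-256 over the DER certificate, the usual way to identify which cert a member presented."""
    return hashlib.sha256(der).hexdigest()


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Verified TLS handshake to every address behind `host`, SNI set to `host`, trust from `cafile` (PEM).
    On a verification failure, reconnect unverified purely to read the offered leaf's fingerprint."""
    strict = ssl.create_default_context(cafile=cafile)
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE  # used only to look at the offered certificate, never to bind
    results = []
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    for ip in addrs:
        rec = {"ip": ip, "ok": False, "error": None, "fingerprint": None, "issuer": None}
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw, \
                    strict.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                rec["ok"] = True
                rec["issuer"] = dict(pair for rdn in cert["issuer"] for pair in rdn)
                rec["fingerprint"] = cert_fingerprint(tls.getpeercert(binary_form=True))
        except ssl.SSLCertVerificationError as exc:
            rec["error"] = exc.verify_message  # e.g. issuer not found vs hostname mismatch
            try:
                with socket.create_connection((ip, port), timeout=timeout) as raw, \
                        loose.wrap_socket(raw, server_hostname=host) as tls:
                    rec["fingerprint"] = cert_fingerprint(tls.getpeercert(binary_form=True))
            except OSError as exc2:
                rec["error"] += f"; could not read offered certificate: {exc2}"
        except OSError as exc:
            rec["error"] = str(exc)  # refused, timed out, reset mid-handshake, ...
        results.append(rec)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["ts"], f"{e['host']}:{e['port']}", e["category"], e["root"])
    print(summarize(triage(SAMPLE_LOG)))
    if len(sys.argv) >= 2:  # usage: probe.py serverA.myowncorp.com [ad-ca.pem]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        for r in probe_ldaps(sys.argv[1], cafile=cafile):
            print(r)
```

Run it with no arguments to see the triage of the sample lines; with the cluster name and the CA file it prints one record per resolved address. A member whose record has `ok` false but a fingerprint set is presenting a certificate the given CA does not chain to (or one whose names do not cover the cluster name, which `verify_message` distinguishes), and the fingerprint tells you which certificate that is. The probe only exercises fresh handshakes, so it says nothing about the first failure mode, a pooled connection being closed by the far side; that one has to be read from timing, which is why the triage keeps the timestamps.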
