[midPoint] [Newsletter] Flexible Auth: ldap connection issues

Chris Woods Chris.Woods at rohde-schwarz.com
Fri May 21 19:13:34 CEST 2021


Hi Jim,


That usually means that the certificate being presented by the (presumably load balancer?) is either self-signed or issued by a CA whose certificate isn't in your trust store (either specified explicitly with -Djavax.net.ssl.trustStore or implicitly from the JDK/JRE).

openssl s_client -connect <loadbalancer_hostname>:636 -showcerts

should give you the certificate chain. There might be a hint here regarding a self-signed certificate. If not, maybe you just need to import the CA certificate into your trust store (we do the same, because our certificates are issued by our internal PKI and not included in the standard cacerts truststore that comes with the JRE).



Regards,

Chris

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Jim Lookabaugh via midPoint
Sent: Friday, May 21, 2021 6:17 PM
To: midpoint at lists.evolveum.com
Cc: Jim Lookabaugh <jlookabaugh at exclamationlabs.com>
Subject: *EXT* [Newsletter] [midPoint] Flexible Auth: ldap connection issues

I have attempted to configure a flexible authentication module for ldap (AD) where the environment relies on a cluster of domain controllers.  In this scenario, eventually authentication through this channel fails. The log indicates success for a time, then indicates a connection closure, and thereafter shows a PKIX path building failure (I take that to superficially mean a certificate verification failure).  Yet, by explicitly configuring a given domain controller in the security policy on occasion, connecting to that specific endpoint has worked.  It appears to me that the clustered approach is what’s thorny here rather than a certificate/TLS matter.  I think this may, under the covers, be due to a connection caching/pooling and refresh issue, as it appears to occur when given time — perhaps time for the environment to route requests to another member of the cluster.

This ldap cluster serves both purposes of authentication into midPoint and of an identity/provisioning resource. A similar issue apparently impacts my resource connection to this same ldap (AD) cluster.  I was forced to set “Allow untrusted SSL/TLS” to true, which seems to have prevented recurrence of the connection problems.  That resource configuration has one of the four domain controllers set as the “Host”, and the other three are set as “Servers”. It is important to note that when I configure this resource for only one ldap (AD) domain controller at a time AND for requiring trusted TLS --- and testing each of the four this way, no PKIX path building failure seems to occur. But that may be due to not allowing enough time to pass for a load balancer reroute of traffic.

The certificate and the sole CA’s certificate in the signing chain for each of the four domain controllers are installed in the trust store. So, I am led to believe that it’s not truly a PKIX path building failure.  I’ve pasted an excerpt from my log below my signature.  Is a connection/socket closure typical for clustered environments which the client should recover from?

Jim Lookabaugh
Exclamation Labs
300 Washington Street
Cumberland, MD 21502
888.545.5008 or 301.722.5008
240.860.1847 direct
fax 301.722.2183
jlookabaugh at exclamationlabs.com
www.exclamationlabs.com
www.provisioniam.com


= = = = =
2021-xx-xx 12:57:32,868 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'
2021-xx-xx 12:57:32,896 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com
2021-xx-xx 12:57:33,109 [] [http-nio-8080-exec-10] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@c02f71c, org.springframework.security.web.csrf.CsrfFilter@60cd69b4, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@4db27ca8, org.springframework.security.web.authentication.logout.LogoutFilter@5693cb71, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@2fe0dfda, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@38408be, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@70405950, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@640564cb, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@31abb100, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2e47db4f]
2021-xx-xx 12:59:01,662 [] [http-nio-8080-exec-7] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/emergency/internalLoginForm/**'], [org.springframework.security.web.header.HeaderWriterFilter@7b486355, org.springframework.security.web.csrf.CsrfFilter@788669db, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@1147d5b6, org.springframework.security.web.authentication.logout.LogoutFilter@29ad491d, com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter@28906c98, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4092633f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@9386989, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@3a989faa, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@7c8fe846, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@25fa86ab]
2021-xx-xx 13:01:47,035 [] [http-nio-8080-exec-23] WARN (com.exclamationlabs.connid.base.redcarpet.driver.RedCarpetUserInvocator): method: null msg:User not found for id: connectionTest
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com
2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@7774913d, org.springframework.security.web.csrf.CsrfFilter@7a5d5a6e, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@cd0a10c, org.springframework.security.web.authentication.logout.LogoutFilter@5ffe2eb7, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@26ff4f05, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@12086a5c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4645e66b, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@500b50f4, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@142320f8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@fe6785d]
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
            at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: java.net.SocketException: Connection or outbound has closed
            at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)
            at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
            at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
            at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: java.net.SocketException: Connection or outbound has closed
            at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)
            at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
            at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)
            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)
            at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636
            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)
            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
            at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
            at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
            at java.base/sun.security.validator.Validator.validate(Validator.java:264)
            at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
            at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
            at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
            at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
            at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
            at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
