Thread: External LDAP Auth with TLS

  1. #1 bvsantos, Starter Member, joined May 2008

    External LDAP Auth with TLS

    Hi all.

    First, I must say Zimbra CS is amazing.

    Now, I'm trying to configure external LDAP auth, but I have a problem.
    My LDAP server uses TLS (not SSL) and I need to tell Zimbra to use the certificate, but I don't know where to configure it.

    LDAP server details (summary of authentication settings):
    Authentication mechanism: External LDAP
    AD domain name: (empty)
    LDAP URL: ldap://server.domain.pt:389
    LDAP filter: (uid=%u,ou=People)
    LDAP search base: dc=domain,dc=pt
    Use DN/Password to bind to external server: Yes
    Bind DN: cn=Manager,dc=domain,dc=pt


    Every time I try to configure LDAP auth, I get the following errors:
    (without SSL, when performing the test)

    Authentication test failed
    Server message:
    Authentication flavor not supported. LDAP server probably configured to not allow passwords.
    Code:
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
    	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
    	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
    	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
    	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    	at javax.naming.InitialContext.init(InitialContext.java:223)
    	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    	at com.zimbra.cs.account.ldap.LdapUtil.getDirContext(LdapUtil.java:323)
    	at com.zimbra.cs.account.ldap.LdapUtil.getDirContext(LdapUtil.java:273)
    	at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:360)
    	at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:153)
    	at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:46)
    	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:391)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:250)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:156)
    	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:266)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
    	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
    	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
    	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    	at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:315)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    	at org.mortbay.jetty.Server.handle(Server.java:313)
    	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
    	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
    	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
    	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
    	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
    	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
    	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

    When configuring with SSL (which the server is not using):
    Authentication test failed
    Server message:
    SSL connect problem, most likely untrusted certificate
    Code:
    javax.naming.CommunicationException: simple bind failed: server.domain.pt:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
    	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
    	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    	at javax.naming.InitialContext.init(InitialContext.java:223)
    	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    	at com.zimbra.cs.account.ldap.LdapUtil.getDirContext(LdapUtil.java:323)
    	at com.zimbra.cs.account.ldap.LdapUtil.getDirContext(LdapUtil.java:273)
    	at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:360)
    	at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:153)
    	at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:46)
    	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:391)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:250)
    	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:156)
    	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:266)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:187)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
    	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
    	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
    	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    	at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:315)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    	at org.mortbay.jetty.Server.handle(Server.java:313)
    	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
    	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
    	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
    	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
    	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
    	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
    	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
    	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
    	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
    	... 45 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    	at sun.security.validator.Validator.validate(Validator.java:218)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    	... 57 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)

    I know I need to put the server certificate somewhere on the server, but where?

    PS: My server is already configured with LDAP and recognizes all my users.

    Cheers
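The two errors in the post above point at two different things, so here is an added worked example (not from the original post, and not Zimbra's own tooling) that separates them. LDAP result code 13, "confidentiality required", is the directory server refusing a simple bind over a cleartext connection; the right fix is to have the client negotiate TLS on port 389 (StartTLS) or use ldaps:// on 636, not to relax the server's policy. "PKIX path building failed" on the ldaps:// attempt means the JVM Zimbra runs in does not trust the issuer of the server certificate; the fix is to import the issuing CA into that JVM's truststore, not to disable certificate validation. Assumptions in the script: OpenLDAP client tools, OpenSSL 1.1.1 or later (for `-starttls ldap`) and the JDK `keytool` are installed; the Zimbra JRE truststore is `/opt/zimbra/java/jre/lib/security/cacerts` with the default password `changeit`; the issuing CA certificate is available as `ca.pem`; and the domain attribute `zimbraAuthLdapStartTlsEnabled` exists in the installed ZCS release (later releases also provide `zmcertmgr addcacert` for the truststore step). One caveat on the settings shown in the post: `(uid=%u,ou=People)` is not a valid LDAP search filter; the `ou=People` part belongs in the search base and the filter should carry only the attribute match, which is what `configure_domain` below does.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original post or of Zimbra.
# Assumptions: OpenLDAP client tools, OpenSSL >= 1.1.1 and keytool are installed;
# the Zimbra JRE truststore path and password below are the defaults of that era;
# ca.pem is the *issuing CA* of the external LDAP server's certificate.

LDAP_HOST="${LDAP_HOST:-server.domain.pt}"
TRUSTSTORE="${TRUSTSTORE:-/opt/zimbra/java/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Decide from the URL alone which transport the server expects:
# ldap://  -> cleartext port, then StartTLS (what this thread needs)
# ldaps:// -> TLS from the first byte, normally port 636
transport_for_url() {
    case "$1" in
        ldaps://*) echo ldaps ;;
        ldap://*)  echo starttls ;;
        *)         echo unknown; return 1 ;;
    esac
}

# Map the two failures quoted in the post to the action that fixes them
# without weakening either side of the connection.
next_step_for_error() {
    case "$1" in
        *"error code 13"*|*"confidentiality required"*)
            echo "server refuses cleartext bind: enable StartTLS or use ldaps://" ;;
        *"PKIX path building failed"*|*"unable to find valid certification path"*)
            echo "JVM truststore lacks the CA: import the CA certificate into cacerts" ;;
        *)  echo "unrecognised error"; return 1 ;;
    esac
}

# Show the chain the server presents, so you import the CA, not the leaf.
# Port 389 needs the LDAP StartTLS dance; 636 is plain TLS.
show_server_chain() {
    host="$1"; port="$2"
    if [ "$port" = 389 ]; then
        openssl s_client -connect "$host:$port" -starttls ldap -showcerts </dev/null
    else
        openssl s_client -connect "$host:$port" -showcerts </dev/null
    fi
}

# Import the issuing CA into the truststore the Zimbra JVM consults.
# mailboxd must be restarted afterwards (zmmailboxdctl restart, as user zimbra).
import_ca() {
    pem="$1"; alias="${2:-external-ldap-ca}"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$pem" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Independent check from the shell: -ZZ makes ldapsearch fail unless StartTLS
# succeeds, and LDAPTLS_CACERT pins the CA used to verify the server name.
check_starttls() {
    LDAPTLS_CACERT="$1" ldapsearch -ZZ -H "ldap://$LDAP_HOST:389" \
        -D "cn=Manager,dc=domain,dc=pt" -W -b "dc=domain,dc=pt" "(uid=someuser)" dn
}

# Point the Zimbra domain at the external directory over StartTLS. The URL stays
# ldap://...:389; the StartTLS flag is what upgrades the connection. The ou moves
# into the search base and the filter keeps only the attribute match.
# The bind password is taken from $1; passing it on the command line leaves it
# in shell history, so run this interactively with care.
configure_domain() {
    zmprov md domain.pt \
        zimbraAuthMech ldap \
        zimbraAuthLdapURL "ldap://$LDAP_HOST:389" \
        zimbraAuthLdapStartTlsEnabled TRUE \
        zimbraAuthLdapSearchBase "ou=People,dc=domain,dc=pt" \
        zimbraAuthLdapSearchFilter "(uid=%u)" \
        zimbraAuthLdapSearchBindDn "cn=Manager,dc=domain,dc=pt" \
        zimbraAuthLdapSearchBindPassword "$1"
}
```

Typical order: `show_server_chain server.domain.pt 389` to confirm which CA signed the server certificate, `import_ca ca.pem`, restart mailboxd, `check_starttls ca.pem` to prove the directory accepts a TLS-protected bind from the command line, and only then `configure_domain` and the admin console's authentication test. If the host name in the URL does not match the certificate's CN or SAN, the JVM will still reject the handshake after the CA import; use the name on the certificate, not an IP or alias.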

  2. #2 tross, Intermediate Member, San Luis Obispo, CA, joined Feb 2008

    I don't know if this will help, but we CASified our Zimbra test system using the following instructions:

    CASifying Zimbra - Central Authentication Service - JA-SIG Wiki

    It may help you determine the placement for your certificates.

    I'm no security/certificate expert, but hopefully that will help out some.

    Good luck!
