ldapSearchWithTLS from NOVLLIBLDAP-JS

Hi,

...anyone got this to work?

ldapSearch from NOVLLIBLDAP-JS (4.8.1) works like a charm... but not ldapSearchWithTLS...

<do-set-local-variable name="edir" scope="policy">
<arg-node-set>
<token-xpath expression="es:ldapSearchWithTLS($edir-driver-ldap-ip, $edir-driver-ldap-port, $edir-user-dn, $edir-user-password, $edir-base, 'sub', 'cn=johndoe', 'mail,shoeSize', $cert-path)"/>
</arg-node-set>
</do-set-local-variable>

...as soon as I run it the driver gets completely stuck...any special form required for $cert-path?

Thanks, Norman

  • Hi Norman,
    I use Lothar's version of LDAP ECMA from the Password Notification driver.
    It works better for me than NOVLLIBLDAP-JS version.
  • I also use Lothar’s script.
    Cert path format is platform specific.

    Aside from that, one thing that has really bitten me before is that neither script behaves nicely with TLS if you have a bidirectional eDir driver running on the same engine server (maybe also the regular LDAP driver). To verify this, disable the bidir driver & restart eDir. It should work under that setup. To fix this requires some minor tweaks to the script.
  • Hi Norman,

    I've had problems with the DCS driver stalling when processing dynamic groups (Bug 1114903 - DCS driver hangs in function “Convert memberQuery to memberQueryURL (LDAP string) format”). That problem went away when I implemented the following changes in NOVLLIBLDAP-JS:

     - comment out lc.stopTLS() in ldapSearchWithTLS as the connection is being dropped anyway:

    // Stop the TLS protocol - not needed as the connection is closed anyway
    // lc.stopTLS();
    // disconnect with the server
    lc.disconnect();

    From https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/LDAPConnection.html#stopTLS()

    Note: The Sun and IBM implementations of JSSE do not currently allow stopping TLS on an open Socket. In order to produce the same results this method currently disconnects the socket and reconnects, giving the application an anonymous connection to the server, as required by StopTLS.

    - add a socket timeout and timelimits:

    var lc = new LDAPConnection(new LDAPJSSEStartTLSFactory());
    // socket read timeout in milliseconds, so a dead peer cannot hang the driver thread
    lc.setSocketTimeOut(3000);
    // client-side time limit per operation, also in milliseconds
    var constraints = lc.getConstraints();
    constraints.setTimeLimit(30000);
    lc.setConstraints(constraints);
    // connect and bind to the server
    lc.connect( host, port );

  • Hi,

    Thanks, I switched to the script provided by Lothar (1.0.9.20160407105251 / bh_LdapSearch) and followed the recommendations by Norbert as well… and finally it all works quite smoothly against eDir (in my lab), but of course I need it against AD as well… anyone done this?

    ... here it always results in…

    [05/28/20 15:04:39.707]:AD-DRV ST: bh_LdapSearch: usetls = true
    [05/28/20 15:04:39.708]:AD-DRV ST: bh_LdapSearch: keystore = /var/opt/novell/security/cacerts-ad-tls
    [05/28/20 15:04:39.708]:AD-DRV ST: bh_LdapSearch: keypass = changeit
    [05/28/20 15:04:39.709]:AD-DRV ST: bh_LdapSearch: Preparing new TLS/SSL connection.
    [05/28/20 15:04:39.709]:AD-DRV ST: bh_LdapSearch: Limit search results to max. 0
    [05/28/20 15:04:39.710]:AD-DRV ST: bh_LdapSearch: Connecting to dc.domain.local:636
    [05/28/20 15:04:39.767]:AD-DRV ST: bh_LdapSearch: Binding as user CN=sanovell,OU=ServiceAccount,OU=Technical,DC=domain,DC=local
    [05/28/20 15:04:39.768]:AD-DRV ST: bh_LdapSearch: with password mypass
    [05/28/20 15:04:39.789]:AD-DRV ST: bh_LdapSearch: JavaException: com.novell.ldap.InterThreadException: Connect Error
    [05/28/20 15:04:39.790]:AD-DRV ST: bh_LdapSearch: Disconnecting from server.
    [05/28/20 15:04:39.790]:AD-DRV ST: Token Value: {<status> @level = "error"}.
    [05/28/20 15:04:39.791]:AD-DRV ST: Arg Value: {<status> @level = "error"}.
    [05/28/20 15:04:39.791]:AD-DRV ST:

    - credentials are o.k. / successful bind without TLS
    - cert chain is fine, in cacerts-ad-tls
    - dc.domain.local accepts LDAPS, verified with Apache Dir Studio

    ...any idea?

    Regards,
    Norman

    The issue I saw with the Bidirectional eDirectory driver was related to attempting plaintext auth whilst the BiDir driver was doing SSL. The ECMAScript's LDAPConnection was defaulting to a socket factory from the BiDir driver code.

    I had to add a line that explicitly cleared this default value prior to connecting.

    LDAPConnection.setSocketFactory(null);
    var lc = new LDAPConnection();
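Added example, not code from the thread, from NOVLLIBLDAP-JS or from bh_LdapSearch: the three changes discussed in the posts above (reset the process-wide socket factory, bound the socket and operation time limits, skip stopTLS()) combined into one TLS search. It is written in Java against the JLDAP API (com.novell.ldap) that the IDM ECMAScript library wraps, so every call maps one-to-one onto the Rhino script. The class and enum names are the example's own; the host, bind DN, trust store path and the 3000/30000 ms values are placeholders; it assumes the engine JVM honours the standard javax.net.ssl.trustStore properties for JLDAP's JSSE factories. Unlike the trace above, it keeps the bind password out of its output.

```java
import com.novell.ldap.LDAPAttribute;
import com.novell.ldap.LDAPAttributeSet;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPConstraints;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPJSSESecureSocketFactory;
import com.novell.ldap.LDAPJSSEStartTLSFactory;
import com.novell.ldap.LDAPSearchResults;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Example only (not NOVLLIBLDAP-JS code): TLS LDAP search with the fixes from the thread. */
public class TlsLdapSearchExample {

    /** Mirrors the script's usetls values: true = LDAPS on 636, starttls = StartTLS on 389. */
    public enum TlsMode { PLAIN, STARTTLS, LDAPS }

    public static List<Map<String, List<String>>> search(
            String host, int port, TlsMode mode, String bindDn, String password,
            String base, String filter, String[] attrs,
            String trustStorePath, String trustStorePassword) throws LDAPException {

        // JSSE takes the CA trust store from these properties (assumed to be how the engine JVM
        // is configured; a keystore holding only the server's CA chain, like cacerts-ad-tls, is enough).
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        // 1. Clear the process-wide default. The static setSocketFactory() affects every
        //    LDAPConnection created without a factory argument in this JVM; the thread reports the
        //    bidirectional eDirectory driver installing its own. Reset it so a plain connection here
        //    does not silently reuse another driver's socket factory.
        LDAPConnection.setSocketFactory(null);

        // 2. Choose the socket factory per instance, never globally. LDAPS encrypts from the first
        //    byte; StartTLS connects in clear and upgrades after connect().
        LDAPConnection lc;
        switch (mode) {
            case LDAPS:    lc = new LDAPConnection(new LDAPJSSESecureSocketFactory()); break;
            case STARTTLS: lc = new LDAPConnection(new LDAPJSSEStartTLSFactory()); break;
            default:       lc = new LDAPConnection(); break;   // inherits the (now null) global default
        }

        // 3. Bound every wait so a dead peer cannot hang the driver thread: socket read timeout plus a
        //    client-side time limit per operation (both in milliseconds; the values are examples).
        lc.setSocketTimeOut(3000);
        LDAPConstraints constraints = lc.getConstraints();
        constraints.setTimeLimit(30000);
        lc.setConstraints(constraints);

        List<Map<String, List<String>>> entries = new ArrayList<>();
        try {
            lc.connect(host, port);
            if (mode == TlsMode.STARTTLS) {
                lc.startTLS();   // throws if the upgrade fails, so the bind below never runs in clear
            }
            lc.bind(LDAPConnection.LDAP_V3, bindDn, password.getBytes(StandardCharsets.UTF_8));

            // Results are streamed over the connection, so read them all before disconnecting.
            LDAPSearchResults results = lc.search(base, LDAPConnection.SCOPE_SUB, filter, attrs, false);
            while (results.hasMore()) {
                LDAPEntry entry = results.next();
                Map<String, List<String>> values = new LinkedHashMap<>();
                values.put("dn", Arrays.asList(entry.getDN()));
                LDAPAttributeSet set = entry.getAttributeSet();
                for (Object o : set) {
                    LDAPAttribute a = (LDAPAttribute) o;
                    values.put(a.getName(), Arrays.asList(a.getStringValueArray()));
                }
                entries.add(values);
            }
        } finally {
            // 4. No stopTLS(): on Sun/IBM JSSE it disconnects and reconnects anonymously (see the JLDAP
            //    javadoc quoted above). The socket is dropped here anyway.
            if (lc.isConnected()) {
                lc.disconnect();
            }
        }
        return entries;
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder host, credentials and trust store; replace with real values.
        List<Map<String, List<String>>> found = search(
                "dc.example.test", 636, TlsMode.LDAPS,
                "CN=svc-ldap,OU=ServiceAccount,DC=example,DC=test", "REPLACE_ME",
                "DC=example,DC=test", "(cn=johndoe)", new String[] {"mail"},
                "/path/to/cacerts-ad-tls", "changeit");
        for (Map<String, List<String>> e : found) {
            System.out.println(e);   // attribute values only; the bind password is never printed
        }
    }
}
```

For the AD case in the thread, run it once with TlsMode.LDAPS on 636 and once with TlsMode.STARTTLS on 389: a failure in connect() before any bind points at the trust store or the server certificate chain, while a failure in bind() after a successful startTLS() points at the credentials.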

  • Just to rule something out.

    keep usetls = starttls and change port from 636 to 389

    If I recall correctly, the script uses two different socket factories depending on whether you specify usetls=true or usetls=starttls.

    Other than that, it most likely is your keystore.

    Thanks, tried StartTLS as well, no success... (and yes, you are right, most likely it is either my keystore or the cert chain)... are you aware of any debug switches that may be used with LDAPJSSESecureSocketFactory?

    Regards,

    Norman

  • I use https://github.com/klasen/sslpoke for investigating TLS connection issues. The readme lists all the Java debug switches.

    Just ran into this as well. If a bi-dir eDirectory driver is set to not “Always accept server certificate”, it calls LDAPConnection.setSocketFactory() to set com.novell.nds.dirxml.driver.edir.LDAPInterface$DriverSocketFactory globally instead of just using the socket factory on its instances of LDAPConnection.

  • Hi Norbert,

    Thanks, let me check my customer's system. I fear I have this situation as well; I will let you know my findings.

    Regards,

    Norman