
Getting Lothar's notify driver working with LDAP/SSL

I've been beating my head against this one for long enough. I'm sure I'm
missing something, probably something obvious, but I cannot get Lothar's
driver to connect over ldaps://.

Engine trace doesn't show much, just the return (fail) from the
ECMAScript:


[03/20/12 14:27:22.129]:Notify PT:Policy returned:
[03/20/12 14:27:22.130]:Notify PT:
<nds dtdversion="3.5">
<source>
<product instance="Notify" version="3.6.10.4747">DirXML Loopback
Driver</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="success" type="notification">Password Expiration
Notification<br/>
<LastRunTime>2010-04-02 00:00:37</LastRunTime>
<ThisRunTime>2012-03-20 14:27:21</ThisRunTime>
<AccountExpires>
<From>2012-03-20 14:27:21</From>
<To..>2012-04-10 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</AccountExpires>
<AccountIdle>
<From>2009-12-30 00:00:37</From>
<To..>2011-12-18 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</AccountIdle>
<Notification1>
<From>2012-03-27 14:27:21</From>
<To..>2012-04-10 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification1>
<Notification2>
<From>2012-03-22 14:27:21</From>
<To..>2012-03-27 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification2>
<Notification3>
<From>2012-03-20 14:27:21</From>
<To..>2012-03-22 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification3>
</status>
</input>
</nds>


eDir / LDAP trace is somewhat more helpful:


14:25:20 B59C1BA0 LDAP: New TLS connection 0x15346a00 from
131.156.218.76:46055, monitor = 0xb69d1ba0, index = 2
14:25:20 B69D1BA0 LDAP: Monitor 0xb69d1ba0 initiating TLS handshake on
connection 0x15346a00
14:25:20 B60C8BA0 LDAP: (192.168.28.76:46055)(0x0000:0x00) DoTLSHandshake
on connection 0x15346a00
14:25:20 B60C8BA0 LDAP: (192.168.28.76:46055)(0x0000:0x00) TLS accept
failure 1 on connection 0x15346a00, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
14:25:20 B60C8BA0 LDAP: (131.156.218.76:46055)(0x0000:0x00) TLS handshake
failed on connection 0x15346a00, err = -5875
14:25:20 B60C8BA0 LDAP: BIO ctrl called with unknown cmd 7
14:25:20 B60C8BA0 LDAP: Server closing connection 0x15346a00, socket
error = -5875
14:25:20 B60C8BA0 LDAP: Connection 0x15346a00 closed


clearly showing that it's a certificate fail (oh, yay!), but I've not
been able to figure out what it's complaining about.

The eDir tree is one of several (multi-instance) on this box, which may
or may not be a factor. I don't think it should be.

I can ldap bind using ldapsearch -x ldaps://192.168.28.76 so I'm sure
that it's possible to do so.

The LDAP server is configured to use a cert I created. It's not expired
or anything like that. I've re-created it just to be sure. The only real
change here is that on creating certs, I set the expiration to "max" (10
years), rather than leaving the default (2 years). The CA for this tree
is working fine.

The driver config says that I can leave the keystore blank, in which case
it will use the default keystore. Some research says that the default
keystore for eDirectory is here:
/opt/novell/eDirectory/lib/nds-modules/jre1.6.0_06/lib/security/cacerts

Looking in there with Java keytool, it looks to me like this only
contains a bunch of public CAs (Digikey, etc.). I don't see an entry
for the tree CA. Adding the tree CA self-signed cert to cacerts didn't
produce any change in symptoms.

The driver config also says that I can specify a keystore, which seemed
like a good idea to me. I can create a keystore with keytool, and have
imported the tree CA self-signed and public certs. I have provided the
keystore password in the driver named passwords list as well. Still, all
I can coax out of the LDAP trace is "sslv3 alert certificate unknown".

Does anybody know (or even suspect) which part of this needs to be kicked?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

Re: Getting Lothar's notify driver working with LDAP/SSL

On 3/20/2012 4:00 PM, David Gersic wrote:
> I've been beating my head against this one for long enough. I'm sure I'm
> missing something, probably something obvious, but I cannot get Lothar's
> driver to connect over ldaps://.



Trace out the ldapSearch command call in policy...

Heck, get the pwd if you can too.

One quick check, any possibility you have the UA driver on this engine
server? You were one of the ones who found that bug right? xcd-all.jar
has the LDAP classes Lothar is using and they are broken in the
xcd-all.jar file, whereas the ones from the LDAP driver are good.


Re: Getting Lothar's notify driver working with LDAP/SSL

On Tue, 20 Mar 2012 20:28:00 +0000, Geoffrey Carman wrote:

> Trace out the ldapSearch command call in policy...


The xpath call? There's nothing special or interesting there.


> Heck, get the pwd if you can too.


No need. It's not getting that far.


> One quick check, any possibility you have the UA driver on this engine
> server? You were one of the ones who found that bug right? xcd-all.jar


Yeah, that was me. And no, xcd-all.jar has been removed, so it's not in
the way.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: Getting Lothar's notify driver working with LDAP/SSL

On 3/20/2012 4:00 PM, David Gersic wrote:
> Adding the tree CA self-signed cert to cacerts didn't
> produce any change in symptoms.
>


Not to insult your intelligence, but did you use the trustcacerts option when importing?


Re: Getting Lothar's notify driver working with LDAP/SSL

On Tue, 20 Mar 2012 21:19:27 +0000, Will Schneider wrote:

> On 3/20/2012 4:00 PM, David Gersic wrote:
>> Adding the tree CA self-signed cert to cacerts didn't produce any
>> change in symptoms.
>>
>>

> Not to insult your intelligence, but did you use the trustcacerts option
> when importing?


No insult needed, Will. I'd be happy if that's all I missed. To be
honest, I don't remember if I did that or not.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: Getting Lothar's notify driver working with LDAP/SSL

If you do a keytool -v -list on the keystore you should be able to see if it is marked as a trusted CA.


Re: Getting Lothar's notify driver working with LDAP/SSL

On Thu, 22 Mar 2012 18:49:19 +0000, Will Schneider wrote:

> if you do a keytool -v -list on the keystore you should be able to see
> if it is marked as a trusted CA.


Well, I've now done it both ways, with and without -trustcacerts, and
that didn't make a difference. Watching the connection with wireshark,
the server isn't sending any Server Certificate in the TLS handshake,
which is weird because it's supposed to from the documentation I've been
reading.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: Getting Lothar's notify driver working with LDAP/SSL

hmmm, TLS v LDAPS
If you use LDAPS that flips to 636 right?
And if you use TLS that is 389. Maybe it is something simple like mixing the two.


Re: Getting Lothar's notify driver working with LDAP/SSL

On Mon, 26 Mar 2012 18:43:47 +0000, Will Schneider wrote:

> hmmm, TLS v LDAPS


To be pedantic, ldaps is just ldap with a TLS handshake added so that the
connection is secure.


> If you use LDAPS that flips to 636 right? And if you use TLS that is
> 389. Maybe it is something simple like mixing the two.


Both are going to 636. 389 is disabled.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: Getting Lothar's notify driver working with LDAP/SSL

On 3/27/12 12:00 PM, David Gersic wrote:
>> hmmm, TLS v LDAPS

> To be pedantic, ldaps is just ldap with a TLS handshake added so that the
> connection is secure.
>
>


TLS is really just SSL v3.1, and LDAPS will use either one, depending on
the negotiation between client and server before either one starts
talking LDAP.

STARTTLS (often mistakenly called just TLS, which causes IMHO a lot of
unnecessary confusion) is an LDAP extension that allows a client with
an established non-SSL/TLS LDAP connection to request that the
conversation continue using TLS until an ENDTLS request switches the
conversation back. One might use this when only part of the conversation
is sensitive (like the initial authentication) and is unnecessary
overhead for the rest of the conversation. In practice, most programs
that offer it as an option turn it on right away and leave it on,
making it kind of a silly option other than that some servers may
support either LDAPS or STARTTLS but not the other, or a firewall only
allows one of the ports.

--
Shon

Re: Getting Lothar's notify driver working with LDAP/SSL

They can't both be going to 636 I don't think.....
If LDAPS is listening on 636 then every connection to it will be LDAPS.
TLS runs on 389.


Re: Getting Lothar's notify driver working with LDAP/SSL

On Tue, 20 Mar 2012 20:00:01 +0000, David Gersic wrote:

> I've been beating my head against this one for long enough. I'm sure I'm
> missing something, probably something obvious


I'm not there yet, but I think I see daylight at the end of this tunnel.


> The eDir tree is one of several (multi-instance) on this box, which may
> or may not be a factor. I don't think it should be.


If I've got this right, it's not multi-instance, it's that this is a
cluster node, where the instance may or may not have been installed while
on *this* node. During install, the tree's CA self-signed certificate is
inserted into the cacerts file. That, of course, doesn't travel between
cluster nodes, it's specific to the node it was installed on.

Worse, it looks like cacerts is located as $JAVA_HOME/lib/security/cacerts
If JAVA_HOME is different between nodes, you get interesting results.
And, there are at least three cacerts files on each node, some have four:

/opt/novell/eDirectory/lib/nds-modules/embox/jre/lib/security/cacerts
/opt/novell/eDirectory/lib/nds-modules/jre1.6.0_06/lib/security/cacerts
/opt/novell/jdk1.6.0_13/jre/lib/security/cacerts
/usr/java/jre1.6.0_18/lib/security/cacerts

Want to guess which is the "right" one? That seems to depend, on what I
don't know. It doesn't look like the .../embox/... one is ever used. But
I have some tree CA self-signed certs showing up in .../nds-modules/...
and some in .../jre/lib/security and some in /usr/java/....

So, the results of this are rather ugly. I'm going to have to clean up
the Java mess here, then retest.

One other thing I've learned is that setting the certificate store path
in Lothar's driver may not be a good idea at all. He calls
System.setProperty() to set the path to the certificate store. This sets
it *for* *the* *JVM*. All of the JVM. And it stays set until you set it
again to some other value, or restart the JVM. There doesn't seem to be
any way to get the current setting of this property, nor any way to
revert to the default value.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

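As an added example (not Lothar's driver code or anything posted in the thread), the following Java program does the two checks discussed above in one place: it resolves the cacerts file the running JVM will actually use (javax.net.ssl.trustStore if set, otherwise the running JRE's own lib/security/cacerts), lists the trustedCertEntry aliases the way keytool -v -list would, and then validates an exported PEM copy of the LDAP server certificate against that store using the same trust manager the JSSE client uses in the handshake. The class name, the PEM file argument and the default store password "changeit" are assumptions, and it needs Java 7 or later.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustStoreCheck server-cert.pem [storepass]   (class name is hypothetical)
public class TrustStoreCheck {
    // Same order JSSE uses: explicit javax.net.ssl.trustStore, else the running JRE's own cacerts.
    static Path resolveTrustStore() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) return Paths.get(p);
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }
    static KeyStore load(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Programmatic 'keytool -v -list': only trustedCertEntry aliases count as CAs for the client.
    static void listTrustedCAs(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  trustedCertEntry " + alias + " -> " + c.getSubjectX500Principal());
            }
        }
    }
    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // "changeit" is the JRE default
        KeyStore ks = load(store, pw);
        System.out.println("Trust store this JVM resolves to: " + store);
        listTrustedCAs(ks);
        // Validate the server certificate the way the JSSE client does during the handshake.
        X509Certificate server;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { server }, "RSA");
            System.out.println("OK: server certificate chains to a CA in this store");
        } catch (CertificateException ex) {
            System.out.println("NOT TRUSTED (what the client reports as alert 46): " + ex.getMessage());
        }
    }
}
```

Run it under the same JAVA_HOME the engine uses so the resolved path tells you which of the several cacerts files matters on that node; a NOT TRUSTED result reproduces the "certificate unknown" condition without going through the driver at all.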