2013-12-07 05:28:21.608 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 0] LdapAuthProvider.doBindAuthentication() WARNING: Can't authenticate user
javax.naming.CommunicationException: simple bind failed: myldap:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.InitialContext.<init>(InitialContext.java:216)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
at tigase.util.WorkerThread.run(WorkerThread.java:132)
Bartosz Małkowski commented 1 decade ago
Untrusted certificate.
Possible causes:
the root CA isn't in the Java truststore. Solution: add the root CA to the Java default truststore.
the root CA is in the truststore, but the LDAP server doesn't send the whole chain. For example, during certificate validation the client has: the CA (from the truststore), (missing intermediate), the end-entity certificate (received from the server). Solution: the LDAP server must send all certificates in the chain (every intermediate between the end-entity certificate and the trusted root).
TODO:
add an option to turn off certificate validation (this disables server authentication on the LDAPS connection, so it is only suitable for lab/test setups)
Artur Hefczyc commented 1 decade ago
Is this bug resolved already?
Bartosz Małkowski commented 1 decade ago
Do you still have a problem with it?
Slava Bendersky commented 1 decade ago
Hello Everyone,
I will set it up in the lab again, because since I reported this we haven't been using SSL LDAP.
LDAP bind SSL not working.