[Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

Michael Sean Conley Michael.Sean.Conley at raytheon.com
Fri Aug 12 17:13:56 UTC 2016



So, having some fun today, trying to get a javascript in a docker container
to speak to FreeIPA via LDAPS.
I made sure that the key was inserted into the store,
(aba-idam:/etc/ipa/ca.crt), and ensured that an ldap user was created for
ldap binding (coincidentally I used "binding").
I also added a user in IPA called ddfusr, set its password, and logged in
via kinit to ensure that we could check it.  It is available, is able to log
in and getent its information, and I can see it has Kerberos info and all
that jazz.

So, based on the ldif, we entered the data we expect to be able to log in
with into the java script.  And so we get back an error=32.

What am I missing here?

Information included here:

LDAPSEARCH RESPONSE binding
# ldapsearch -x uid=binding
	# extended LDIF
	#
	# LDAPv3
	# base <dc=aba,dc=house,dc=com> (default) with scope subtree
	# filter: uid=binding
	# requesting: ALL
	#

	# search result
	search: 2
	result: 0 Success

	# numResponses: 1

LDAPSEARCH RESPONSE ddfusr
# ldapsearch -x uid=ddfusr
	# extended LDIF
	#
	# LDAPv3
	# base <dc=aba,dc=house,dc=com> (default) with scope subtree
	# filter: uid=ddfusr
	# requesting: ALL
	#

	# ddfusr, users, compat, aba.house.com
	dn: uid=ddfusr,cn=users,cn=compat,dc=aba,dc=house,dc=com
	cn: ddf user
	objectClass: posixAccount
	objectClass: top
	gidNumber: 1043600007
	gecos: ddf user
	uidNumber: 1043600007
	loginShell: /bin/sh
	homeDirectory: /home/ddfusr
	uid: ddfusr

	# ddfusr, users, accounts, aba.house.com
	dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=house,dc=com
	displayName: ddf user
	uid: ddfusr
	objectClass: ipaobject
	objectClass: person
	objectClass: top
	objectClass: ipasshuser
	objectClass: inetorgperson
	objectClass: organizationalperson
	objectClass: krbticketpolicyaux
	objectClass: krbprincipalaux
	objectClass: inetuser
	objectClass: posixaccount
	objectClass: ipaSshGroupOfPubKeys
	objectClass: mepOriginEntry
	objectClass: ipauserauthtypeclass
	loginShell: /bin/sh
	initials: du
	gecos: ddf user
	sn: user
	homeDirectory: /home/ddfusr
	givenName: ddf
	cn: ddf user
	uidNumber: 1043600007
	gidNumber: 1043600007

	# search result
	search: 2
	result: 0 Success

	# numResponses: 3
	# numEntries: 2

KLIST RESPONSE
# klist
	Ticket cache: KEYRING:persistent:0:krb_ccache_wtB5z4N
	Default principal: ddfusr@ABA.HOUSE.COM

	Valid starting       Expires              Service principal
	08/12/2016 11:56:17  08/13/2016 11:56:14  krbtgt/ABA.HOUSE.COM@ABA.HOUSE.COM


GETENT RESPONSE
# getent passwd ddfusr
	ddfusr:*:1043600007:1043600007:ddf user:/home/ddfusr:/bin/sh


LDAP-MODULE.XML
	<jaas:config name="karaf" rank="1">
		<jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
		             flags="required">
		  initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
		  connection.username=cn=binding
		  connection.password=password!
		  connection.url=ldaps://aba-idam.aba.house.com:636
		  user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
		  user.filter=(uid=%u)
		  user.search.subtree=true
		  role.base.dn=cn=JBoss,dc=aba,dc=house,dc=com
		  role.name.attribute=cn
		  role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
		  role.search.subtree=true
		  role.mapping=admin=group,admin,manager,viewer,webconsole
		  authentication=simple
		  ssl.protocol=SSL
		  ssl.truststore=truststore
		  ssl.algorithm=PKIX
		</jaas:module>
	</jaas:config>

	<jaas:keystore name="truststore"
	               path="file:${javax.net.ssl.trustStore}"
	               keystorePassword="${javax.net.ssl.trustStorePassword}" />

JAVA LOG FILE:
	2016-08-12 11:10:27,174 | WARN  | d]-nio2-thread-5 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.4 | Can't connect to the LDAP server: [LDAP: error code 32 - No Such Object]
	javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
		at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:295)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)[:1.8.0_65]
		at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)[:1.8.0_65]
		at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
		at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)[:1.8.0_65]
		at javax.naming.InitialContext.init(InitialContext.java:244)[:1.8.0_65]
		at javax.naming.InitialContext.<init>(InitialContext.java:216)[:1.8.0_65]
		at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)[:1.8.0_65]
		at org.apache.karaf.jaas.modules.ldap.LDAPCache.open(LDAPCache.java:113)[116:org.apache.karaf.jaas.modules:4.0.4]
		at org.apache.karaf.jaas.modules.ldap.LDAPCache.doGetUserDnAndNamespace(LDAPCache.java:147)[116:org.apache.karaf.jaas.modules:4.0.4]
		at org.apache.karaf.jaas.modules.ldap.LDAPCache.getUserDnAndNamespace(LDAPCache.java:138)[116:org.apache.karaf.jaas.modules:4.0.4]
		at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:110)[116:org.apache.karaf.jaas.modules:4.0.4]
		at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)[116:org.apache.karaf.jaas.modules:4.0.4]
		at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.4.jar:]
		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_65]
		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_65]
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_65]
		at java.lang.reflect.Method.invoke(Method.java:497)[:1.8.0_65]
		at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_65]
		at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_65]
		at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_65]
		at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_65]
		at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
		at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_65]
		at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_65]
		at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:78)
		at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:159)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:431)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)[1:org.apache.sshd.core:0.14.0]
		at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
		at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
		at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[1:org.apache.sshd.core:0.14.0]
		at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.8.0_65]
		at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.8.0_65]
		at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.8.0_65]
		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_65]
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_65]
		at java.lang.Thread.run(Thread.java:745)[:1.8.0_65]


RH IDM ACCESS LOG FILE
	[12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
	[12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
	[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
	[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
	[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1

Michael Sean Conley
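A small diagnostic, added here as an example and not part of the original post, that pairs BIND and RESULT lines from an RH IdM (389-ds) access log like the one quoted above and explains why a simple bind failed. The sample log lines are constructed from the post, the base DN is the suffix shown in the ldapsearch output, and the function name is my own.

```python
"""Correlate RH IdM (389-ds) access-log lines to explain a failed simple bind.

Added example, not from the original post; the log sample is constructed from
the lines quoted above and the function name is an assumption of this example.
"""
import re

BASE_DN = "dc=aba,dc=house,dc=com"  # suffix shown in the post's ldapsearch output

# Constructed sample: the access-log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
[12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1
"""

# method=128 is a simple bind; tag=97 is the BindResponse protocol op.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def diagnose_binds(log_text, base_dn=BASE_DN):
    """Pair each BIND with its RESULT; return (conn, op, dn, err, reasons) tuples."""
    pending = {}   # (conn, op) -> bind dn, until its RESULT line is seen
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue   # RESULT for a non-bind op, or log started mid-connection
        dn = pending.pop((m.group(1), m.group(2)))
        err = int(m.group(3))
        reasons = []
        if err == 32:
            reasons.append("err=32 noSuchObject: the bind DN is not an entry in the directory")
        elif err == 49:
            reasons.append("err=49 invalidCredentials: the entry exists but the password was rejected")
        if dn and not dn.lower().endswith(base_dn.lower()):
            # A bare RDN such as cn=binding is not a full DN; the server looks up
            # exactly the string given (single-suffix directory assumed here).
            reasons.append("bind DN %r is not under the suffix %s" % (dn, base_dn))
        findings.append((int(m.group(1)), int(m.group(2)), dn, err, reasons))
    return findings
```

An anonymous bind (empty dn) is left alone by the suffix check, and err=0 produces an empty reason list, so the same function can be run over a longer access log to list only the binds worth looking at.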