[Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...
Michael Sean Conley
Michael.Sean.Conley at raytheon.com
Fri Aug 12 17:13:56 UTC 2016
So, having some fun today, trying to get a javascript in a docker container
to speak to FreeIPA via LDAPS.
I made sure that the key was inserted into the store (aba-idam:/etc/ipa/ca.crt),
and ensured that an LDAP user was created for LDAP binding (coincidentally I
used "binding").
I also added a user in IPA called ddfusr, set its password, and logged in via
kinit to ensure that we could check it. It is available, is able to log in and
getent its information, and I can see it has Kerberos info and all that jazz.
So, based on the LDIF, we entered the data we expect to be able to log in with
into the Java script. And so we get back an error=32.
What am I missing here?
Information included here:
LDAPSEARCH RESPONSE binding
# ldapsearch -x uid=binding
# extended LDIF
#
# LDAPv3
# base <dc=aba,dc=house,dc=com> (default) with scope subtree
# filter: uid=binding
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
LDAPSEARCH RESPONSE ddfusr
# ldapsearch -x uid=ddfusr
# extended LDIF
#
# LDAPv3
# base <dc=aba,dc=house,dc=com> (default) with scope subtree
# filter: uid=ddfusr
# requesting: ALL
#
# ddfusr, users, compat, aba.house.com
dn: uid=ddfusr,cn=users,cn=compat,dc=aba,dc=house,dc=com
cn: ddf user
objectClass: posixAccount
objectClass: top
gidNumber: 1043600007
gecos: ddf user
uidNumber: 1043600007
loginShell: /bin/sh
homeDirectory: /home/ddfusr
uid: ddfusr
# ddfusr, users, accounts, aba.house.com
dn: uid=ddfusr,cn=users,cn=accounts,dc=aba,dc=house,dc=com
displayName: ddf user
uid: ddfusr
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/sh
initials: du
gecos: ddf user
sn: user
homeDirectory: /home/ddfusr
givenName: ddf
cn: ddf user
uidNumber: 1043600007
gidNumber: 1043600007
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
KLIST RESPONSE
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_wtB5z4N
Default principal: ddfusr@ABA.HOUSE.COM

Valid starting       Expires              Service principal
08/12/2016 11:56:17  08/13/2016 11:56:14  krbtgt/ABA.HOUSE.COM@ABA.HOUSE.COM
GETENT RESPONSE
# getent passwd ddfusr
ddfusr:*:1043600007:1043600007:ddf user:/home/ddfusr:/bin/sh
LDAP-MODULE.XML
<jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                 flags="required">
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connection.username=cn=binding
        connection.password=password!
        connection.url=ldaps://aba-idam.aba.house.com:636
        user.base.dn=cn=users,cn=accounts,dc=aba,dc=house,dc=com
        user.filter=(uid=%u)
        user.search.subtree=true
        role.base.dn=cn=JBoss,dc=aba,dc=house,dc=com
        role.name.attribute=cn
        role.filter=(member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)
        role.search.subtree=true
        role.mapping=admin=group,admin,manager,viewer,webconsole
        authentication=simple
        ssl.protocol=SSL
        ssl.truststore=truststore
        ssl.algorithm=PKIX
    </jaas:module>
</jaas:config>

<jaas:keystore name="truststore"
               path="file:${javax.net.ssl.trustStore}"
               keystorePassword="${javax.net.ssl.trustStorePassword}" />
JAVA LOG FILE:
2016-08-12 11:10:27,174 | WARN | d]-nio2-thread-5 | LDAPLoginModule | 116 - org.apache.karaf.jaas.modules - 4.0.4 | Can't connect to the LDAP server: [LDAP: error code 32 - No Such Object]
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:295)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)[:1.8.0_65]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)[:1.8.0_65]
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)[:1.8.0_65]
    at javax.naming.InitialContext.init(InitialContext.java:244)[:1.8.0_65]
    at javax.naming.InitialContext.<init>(InitialContext.java:216)[:1.8.0_65]
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)[:1.8.0_65]
    at org.apache.karaf.jaas.modules.ldap.LDAPCache.open(LDAPCache.java:113)[116:org.apache.karaf.jaas.modules:4.0.4]
    at org.apache.karaf.jaas.modules.ldap.LDAPCache.doGetUserDnAndNamespace(LDAPCache.java:147)[116:org.apache.karaf.jaas.modules:4.0.4]
    at org.apache.karaf.jaas.modules.ldap.LDAPCache.getUserDnAndNamespace(LDAPCache.java:138)[116:org.apache.karaf.jaas.modules:4.0.4]
    at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:110)[116:org.apache.karaf.jaas.modules:4.0.4]
    at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)[116:org.apache.karaf.jaas.modules:4.0.4]
    at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.4.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_65]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_65]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_65]
    at java.lang.reflect.Method.invoke(Method.java:497)[:1.8.0_65]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_65]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_65]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_65]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_65]
    at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_65]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_65]
    at org.apache.karaf.shell.ssh.KarafJaasAuthenticator.authenticate(KarafJaasAuthenticator.java:78)
    at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.checkPassword(UserAuthKeyboardInteractive.java:75)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.server.auth.UserAuthKeyboardInteractive.doAuth(UserAuthKeyboardInteractive.java:68)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.server.auth.AbstractUserAuth.next(AbstractUserAuth.java:53)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.server.session.ServerUserAuthService.process(ServerUserAuthService.java:159)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:431)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)[1:org.apache.sshd.core:0.14.0]
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
    at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[1:org.apache.sshd.core:0.14.0]
    at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.8.0_65]
    at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.8.0_65]
    at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.8.0_65]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_65]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_65]
    at java.lang.Thread.run(Thread.java:745)[:1.8.0_65]
RH IDM ACCESS LOG FILE
[12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1
Michael Sean Conley
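The access log above pins the failure to op=0 on the connection: that is the login module's own simple BIND as connection.username, performed before any search for the user, and LDAP result code 32 (noSuchObject) on a BIND means the DN in the bind request does not name an entry the server knows. The following is an added example, not code from the original post or from Karaf or FreeIPA: it pairs BIND and RESULT lines from a 389-ds/FreeIPA access log by (conn, op) and reports binds that failed or whose bind DN cannot name an entry under the directory's base DN. The conn=850 lines are the post's own; the conn=851 lines and the cn=sysaccounts,cn=etc location of a service account are constructed for the example and are assumptions, not something the post states.

```python
"""Correlate BIND and RESULT lines in a 389-ds / FreeIPA access log and flag
failed binds, in particular bind DNs that cannot name an entry under the base.
Added example, not code from the original post or from Karaf/FreeIPA."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Base DN as shown by the post's ldapsearch output.
BASE_DN = "dc=aba,dc=house,dc=com"

# LDAP result codes that commonly show up on a failed BIND (RFC 4511).
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights"}

# Constructed sample: conn=850 is copied from the post's access log; conn=851 is an
# invented successful bind so the report shows both outcomes.  The
# cn=sysaccounts,cn=etc location is an assumption, not something the post states.
SAMPLE_LOG = """\
[12/Aug/2016:11:05:34 -0500] conn=850 fd=112 slot=112 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:05:34 -0500] conn=850 TLS1.2 256-bit AES-GCM
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 BIND dn="cn=binding" method=128 version=3
[12/Aug/2016:11:05:34 -0500] conn=850 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[12/Aug/2016:11:05:34 -0500] conn=850 op=-1 fd=112 closed - B1
[12/Aug/2016:11:07:02 -0500] conn=851 fd=113 slot=113 SSL connection from 172.17.4.64 to 172.17.4.20
[12/Aug/2016:11:07:02 -0500] conn=851 op=0 BIND dn="uid=binding,cn=sysaccounts,cn=etc,dc=aba,dc=house,dc=com" method=128 version=3
[12/Aug/2016:11:07:02 -0500] conn=851 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


@dataclass
class BindAttempt:
    conn: int
    op: int
    dn: str
    method: int                 # 128 = simple bind
    err: Optional[int] = None   # filled in from the matching RESULT line


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514); an escaped '\\,' stays in its value."""
    if not dn.strip():
        return []
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def is_dn_under_base(dn: str, base: str) -> bool:
    """True if dn is well-formed (every RDN is attr=value) and lies strictly below base."""
    rdns = [r.lower() for r in split_rdns(dn)]
    base_rdns = [r.lower() for r in split_rdns(base)]
    if len(rdns) <= len(base_rdns) or any("=" not in r for r in rdns):
        return False
    return rdns[-len(base_rdns):] == base_rdns


def parse_binds(log_text: str) -> List[BindAttempt]:
    """Pair each BIND with its RESULT by (conn, op), keeping log order."""
    pending: Dict[Tuple[int, int], BindAttempt] = {}
    attempts: List[BindAttempt] = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            a = BindAttempt(int(conn), int(op), dn, int(method))
            pending[(a.conn, a.op)] = a
            attempts.append(a)
            continue
        m = RESULT_RE.search(line)
        if m:
            a = pending.pop((int(m.group(1)), int(m.group(2))), None)
            if a is not None:
                a.err = int(m.group(3))
    return attempts


def audit_binds(log_text: str, base: str = BASE_DN) -> List[dict]:
    """One finding per BIND that failed or used a DN that cannot name an entry."""
    findings = []
    for a in parse_binds(log_text):
        notes = []
        if a.err is None:
            notes.append("no RESULT line seen for this BIND")
        elif a.err != 0:
            notes.append(f"bind failed: err={a.err} ({LDAP_RESULT_NAMES.get(a.err, 'unknown')})")
        if a.dn and not is_dn_under_base(a.dn, base):   # anonymous binds (dn="") are skipped
            notes.append(f"bind DN {a.dn!r} is not an entry DN under {base}; "
                         "a bare RDN names no entry, so the server answers noSuchObject")
        if notes:
            findings.append({"conn": a.conn, "op": a.op, "dn": a.dn, "err": a.err, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} dn={f['dn']!r} err={f['err']}")
        for n in f["notes"]:
            print("   -", n)
```

Run against the post's log the only finding is conn=850: the bind failed with 32 and the bind DN "cn=binding" is a single RDN with no path to the base, which is exactly what the server's noSuchObject says. The DN check deliberately ignores where FreeIPA actually keeps the account; it only tells you that the configured value cannot be an entry DN, which is the first thing to verify before looking at passwords, truststores or the user search.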