Need help with LDAP + SSL

I have basic LDAP to Active Directory working, but need to configure LDAP with SSL. I’m using the Docker image so some additional config was needed to fit in with that. So far, I have done this:

  • Exported the cert from Active Directory.
  • keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
  • Created a docker volume called xwiki-cfg which points to /usr/local/tomcat/webapps/ROOT/WEB-INF. I copied the jssecacerts file to that location.
  • Amended my xwiki.cfg:
# LDAP
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.ssl.keystore=/usr/local/tomcat/webapps/ROOT/WEB-INF/jssecacerts
  • Changed the web LDAP page in the xwiki admin to use port 636.
  • When trying to authenticate, I think the main errors are (a) Local LDAP authentication failed and (b) unable to find valid certification path to requested target. Output from debug below.

I know the Active Directory server is working OK, because I set it up to use LDAPS from Apache for another server yesterday. I know basic non-SSL LDAP is working from XWiki. If anyone has any insight into this problem, please let me know.

Full trace from the LDAPS authentication attempt:

xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - remoteUserParser: null
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Connecting to LDAP using SSL
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,917 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [10.0.3.20:636]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,931 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[USERNAME]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,938 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
xwiki-mysql-tomcat-web | org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:153)
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:518)
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:334)
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:268)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
xwiki-mysql-tomcat-web |        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3776)
xwiki-mysql-tomcat-web |        at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:242)
xwiki-mysql-tomcat-web |        at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:272)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3794)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4844)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:364)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:210)
xwiki-mysql-tomcat-web |        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
xwiki-mysql-tomcat-web |        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
xwiki-mysql-tomcat-web |        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
xwiki-mysql-tomcat-web |        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
xwiki-mysql-tomcat-web |        at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
xwiki-mysql-tomcat-web |        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:112)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:136)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
xwiki-mysql-tomcat-web |        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
xwiki-mysql-tomcat-web |        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
xwiki-mysql-tomcat-web |        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
xwiki-mysql-tomcat-web |        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
xwiki-mysql-tomcat-web |        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
xwiki-mysql-tomcat-web |        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
xwiki-mysql-tomcat-web |        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
xwiki-mysql-tomcat-web |        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2458)
xwiki-mysql-tomcat-web |        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
xwiki-mysql-tomcat-web |        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
xwiki-mysql-tomcat-web |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
xwiki-mysql-tomcat-web |        at java.lang.Thread.run(Thread.java:745)
xwiki-mysql-tomcat-web | Caused by: com.novell.ldap.InterThreadException: Connect Error
xwiki-mysql-tomcat-web |        at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
xwiki-mysql-tomcat-web |        ... 1 common frames omitted
xwiki-mysql-tomcat-web | Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web |        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
xwiki-mysql-tomcat-web |        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
xwiki-mysql-tomcat-web |        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
xwiki-mysql-tomcat-web |        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
xwiki-mysql-tomcat-web |        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
xwiki-mysql-tomcat-web |        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
xwiki-mysql-tomcat-web |        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
xwiki-mysql-tomcat-web |        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
xwiki-mysql-tomcat-web |        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
xwiki-mysql-tomcat-web |        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
xwiki-mysql-tomcat-web |        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
xwiki-mysql-tomcat-web |        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
xwiki-mysql-tomcat-web |        at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
xwiki-mysql-tomcat-web |        at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
xwiki-mysql-tomcat-web |        ... 2 common frames omitted
xwiki-mysql-tomcat-web | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web |        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
xwiki-mysql-tomcat-web |        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
xwiki-mysql-tomcat-web |        at sun.security.validator.Validator.validate(Validator.java:260)
xwiki-mysql-tomcat-web |        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
xwiki-mysql-tomcat-web |        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
xwiki-mysql-tomcat-web |        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
xwiki-mysql-tomcat-web |        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
xwiki-mysql-tomcat-web |        ... 11 common frames omitted
xwiki-mysql-tomcat-web | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web |        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
xwiki-mysql-tomcat-web |        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
xwiki-mysql-tomcat-web |        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
xwiki-mysql-tomcat-web |        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
xwiki-mysql-tomcat-web |        ... 17 common frames omitted
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [USERNAME]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,533 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,534 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,534 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null

I see Connection to LDAP server [10.0.3.20:636] in your log. Do you get the same error when using the FQDN instead?

Hi Johannes, thanks for responding.

Yes, same error with the FQDN.
Connection to LDAP server [my.server.com:636]
Binding to LDAP server with credentials login=[username]
Local LDAP authentication failed.

Hello,

[quote]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target[/quote]

Java didn’t find your keystore (or your certificate is invalid).
Try copying jssecacerts to ./jre/lib/security/cacerts and relaunch Tomcat.
(In my case I backed up cacerts and added the cert file to cacerts.)

Pascal B

Thanks for the reply, Pascal. I’ll give that a try now and get back to you.

Hi Pascal, it’s still failing with the same errors as before. I copied my cert file to /etc/ssl/certs/java (which is where cacerts is found) and imported it into cacerts:

keytool -import -trustcacerts -alias ca -file mycert.cer -keystore cacerts

It asked me if I wanted to trust the cert, I responded with ‘y’. I checked with keytool -list -v -keystore cacerts and the cert was present.

I would welcome any other ideas or pointers if I got the keytool command wrong. Thank you for your help.

I just remembered something. I copied cacerts to jssecacerts, had to provide a password when adding the certificate to jssecacerts and then added
-Djavax.net.ssl.keyStore=/path/to/jssecacerts -Djavax.net.ssl.keyStorePassword=password
to the end of the following line in /etc/default/tomcat8
JAVA_OPTS="-Djava.awt.headless=true…"

Maybe you should try your cert file with the ldap tools (i.e. TLS_CACERT /etc/certs/xx and ldapsearch -x …)?

(I use ldaps authentication but without -Djavax.net.sslxx and without providing a password.)
(And I didn’t use the xwiki.authentication.ldap.ssl.keystore parameter either.)

On my docker installation, the JAVA_OPTS seem to be in catalina.sh so I put /usr/local/tomcat/bin into another docker volume, changed the options, and unfortunately it still doesn’t work.

Thanks again for taking the time to get back to me.

Just installing openldap-tools on a VM to test this, thanks.

NB: check if tomcat found your java keystore file. Simply restart tomcat and watch catalina.out. You must see this line:

2017-07-11 16:09:48,649 [xxxxx-startStop-1] INFO .i.LetsEncryptRegisterListener - Added certificate [CN=xxxx.] in default [/xxxx/jre/lib/security/cacerts]

The ldapsearch util does work, I put the certificate file in /etc/openldap/certs and edited /etc/openldap/ldap.conf with:
HOST 10.0.3.20
PORT 636
TLS_REQCERT ALLOW
I connected with:

ldapsearch -x -H ldaps://10.0.3.20:636 -D "user.name@company.com" -W -b "cn=users,dc=company,dc=com" -s sub "(cn=*)" cn mail sn

and received numerous results. When I commented out TLS_REQCERT ALLOW in ldap.conf, it stopped working. So I’ll boldly assume that means the cert is OK?

I’ll check the startup for “added certificate” now, I think I saw something along those lines but not sure of the location.

Well, that line was there in an earlier startup of the docker container. I’ve restarted it numerous times since then and it no longer logs the LetsEncryptRegisterListener ... line but does have the keyStore and keyStorePassword changes I made to catalina.sh. So I will try rolling back those changes and see if I can get it to load the cacert as before, then see if I can replace that file with the one which has my cert in it.

Thanks again.
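A note on the ldapsearch test above, with an added example that is not part of the thread. In ldap.conf(5), TLS_REQCERT allow means the client requests the server certificate but ignores a missing or unverifiable one, so a successful search under that setting demonstrates connectivity and credentials, not that the exported certificate chains to the server; demand (the ldap.conf default) is the level at which the search only succeeds if the chain verifies against TLS_CACERT, and at that level the name you connect to is also checked against the certificate, so an IP address such as 10.0.3.20 only passes if the certificate carries it as a subject alternative name. The script below writes the two ldap.conf variants, checks which one enforces verification, and wraps the two probes a practitioner would run against port 636 with verification forced through the LDAPTLS_* environment variables. The host name, paths and CA file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Compare the ldap.conf used for the
# ldapsearch test with one that actually verifies the AD certificate, and
# probe the LDAPS port with verification forced on.
#
# TLS_REQCERT levels, from ldap.conf(5):
#   never  - do not request a server certificate
#   allow  - request it, ignore a missing or bad one   <- the thread's setting
#   try    - missing is fine, a bad one terminates the session
#   demand - default; missing or bad terminates the session (alias: hard)
# Under "allow" a working ldapsearch proves connectivity, not trust.

# write_ldap_conf OUTFILE HOST PORT CAFILE LEVEL
# URI replaces the deprecated HOST/PORT pair used in the thread.
write_ldap_conf() {
    cat > "$1" <<EOF
URI ldaps://$2:$3
TLS_CACERT $4
TLS_REQCERT $5
EOF
}

# check_ldap_conf CONF: return 0 if CONF enforces certificate verification, 1 otherwise.
check_ldap_conf() {
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$1")
    [ -n "$reqcert" ] || reqcert=demand         # absent => ldap.conf default
    case "$reqcert" in
        demand|hard) ;;
        *) echo "weak: TLS_REQCERT $reqcert ignores certificate errors"; return 1 ;;
    esac
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "weak: TLS_CACERT missing or unreadable, the AD-issued chain cannot be verified"
        return 1
    fi
    echo "ok: TLS_REQCERT $reqcert, CA $cacert"
}

# openssl_probe HOST PORT CAFILE: print the presented chain and the verify result.
# -verify_return_error makes a failed path build abort the handshake instead of
# just printing a non-zero "Verify return code".
openssl_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error </dev/null 2>&1 \
        | grep -E 'Verify return code| s:| i:'
}

# ldaps_probe HOST PORT CAFILE: anonymous rootDSE read (AD permits it) with
# verification forced on through the environment, independent of ldap.conf.
ldaps_probe() {
    LDAPTLS_CACERT="$3" LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "ldaps://$1:$2" -b '' -s base '(objectclass=*)' namingContexts
}

# Usage: sh ldaps-check.sh probe dc.company.com 636 /etc/openldap/certs/ad-ca.pem
# (host name, port and CA path are assumptions; use the FQDN in the certificate)
if [ "${1:-}" = probe ]; then
    shift
    openssl_probe "$@" && ldaps_probe "$@"
fi
```

Run the probe with the exported CA file and the FQDN that appears in the certificate; if openssl reports "Verify return code: 0 (ok)" but the Java side still fails, the problem is in which trust store the JVM reads, not in the certificate.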

At some point, it seems like the bind to LDAP started working, it seems to be something else causing the problems. I used tcpdump to sniff the connection to the AD server and, although I expected to see only encrypted traffic, I thought that would be enough to verify there was some comms between the two PCs. The response from AD is a long list of user names, although I’m not sure why they have been selected to be sent back. So it seems like this is now some kind of problem with authentication rather than the SSL bind itself. (I’ve checked passwords, etc, there’s something else going on …)

Many thanks to Johannes and Pascal for helping with this, I really appreciate the time spent.


Hi there,

I see that this thread is old and my problem was similar (except for the part about the certificate validation, which I believe was solved with the many workarounds tried in this thread):

org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
	at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
	at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:153)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:550)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:366)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:300)
	at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:280)
	at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:194)
	at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:176)
	at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
	at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4261)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
	at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
	at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4279)
	at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5454)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:401)
	at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:215)
	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
	at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:112)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:109)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.novell.ldap.LDAPException: Connect Error
	at com.novell.ldap.Connection.writeMessage(Connection.java:798)
	at com.novell.ldap.Connection.writeMessage(Connection.java:730)
	at com.novell.ldap.Message.sendMessage(Message.java:101)
	at com.novell.ldap.MessageAgent.sendMessage(MessageAgent.java:286)
	at com.novell.ldap.LDAPConnection.sendRequestToServer(LDAPConnection.java:3743)
	at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1535)
	at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1399)
	at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1361)
	at org.xwiki.contrib.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:261)
	at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:223)
	... 59 common frames omitted
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
	at com.novell.ldap.Connection.writeMessage(Connection.java:771)
	... 68 common frames omitted

The way I solved it was adding the Java SSL truststore path (only the truststore) directly to the setenv.sh file in the Tomcat bin dir (/usr/local/tomcat/bin), before the export JAVA_OPTS instruction:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/local/tomcat/webapps/ROOT/WEB-INF/jssecacerts"

Even the ‘xwiki.authentication.ldap.ssl.keystore’ option did not work for me.

Hope this can help other users with similar problems.

Best regards,
João Cortes
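The configurations tried in this thread (the original post's jssecacerts under WEB-INF with only xwiki.authentication.ldap.ssl.keystore set, the later -Djavax.net.ssl.keyStore suggestion, importing into the JRE's own cacerts, and the -Djavax.net.ssl.trustStore line in setenv.sh that finally worked) differ only in which file the JVM ends up reading when it validates the AD server certificate. The script below is an added example, not XWiki, Tomcat or JLDAP code: it reproduces the default JSSE trust store lookup order from the JSSE Reference Guide and applies it to those JAVA_OPTS variants. The JSSE order is: the file named by -Djavax.net.ssl.trustStore if that property is set (a missing file yields an empty trust store, so every server certificate fails), otherwise <java.home>/lib/security/jssecacerts if it exists, otherwise <java.home>/lib/security/cacerts. -Djavax.net.ssl.keyStore names the client's own identity store and is never consulted for server trust, which is why setting it cannot clear "unable to find valid certification path to requested target". The JAVA_HOME value is an assumption for a Tomcat 8 / Java 8 image, and the container file list is constructed so the script runs offline.

```python
"""Which trust store will the JVM actually consult for the LDAPS server certificate?

Added example (not XWiki, Tomcat or JLDAP code). Reproduces the default JSSE
lookup order and applies it to the JAVA_OPTS variants seen in this thread.
The container file system is a constructed set of paths so this runs offline.
"""
import shlex
from pathlib import PurePosixPath

TRUST_STORE_PROP = "javax.net.ssl.trustStore"
KEY_STORE_PROP = "javax.net.ssl.keyStore"
PASSWORD_PROPS = ("javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword")

# Constructed scenario. JAVA_HOME is an assumption for a Tomcat 8 / Java 8 image
# (on Java 8, java.home ends in /jre); the WEB-INF path is the one from the thread.
JAVA_HOME = "/usr/lib/jvm/java-8-openjdk-amd64/jre"
DEFAULT_CACERTS = JAVA_HOME + "/lib/security/cacerts"
WEBINF_STORE = "/usr/local/tomcat/webapps/ROOT/WEB-INF/jssecacerts"
CONTAINER_FILES = {DEFAULT_CACERTS, WEBINF_STORE}


def parse_java_opts(java_opts):
    """Return {name: value} for every -Dname=value token in a JAVA_OPTS string."""
    props = {}
    for token in shlex.split(java_opts):
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = value
    return props


def resolve_truststore(java_opts, java_home=JAVA_HOME, existing_files=CONTAINER_FILES):
    """Return (path or None, reason) following the JSSE default lookup order."""
    props = parse_java_opts(java_opts)
    if TRUST_STORE_PROP in props:
        path = props[TRUST_STORE_PROP]
        if path in existing_files:
            return path, "explicit -D" + TRUST_STORE_PROP
        # Documented JSSE behaviour: a named but missing file gives an empty trust store.
        return None, "-D%s points at a missing file; JSSE uses an empty trust store" % TRUST_STORE_PROP
    security_dir = PurePosixPath(java_home) / "lib" / "security"
    for name in ("jssecacerts", "cacerts"):       # jssecacerts wins when both exist
        candidate = str(security_dir / name)
        if candidate in existing_files:
            return candidate, "JSSE default " + name
    return None, "no trust store under " + str(security_dir)


def diagnose(java_opts, imported_into, java_home=JAVA_HOME, existing_files=CONTAINER_FILES):
    """Say whether the store the admin ran `keytool -import` against is the one JSSE reads."""
    props = parse_java_opts(java_opts)
    effective, reason = resolve_truststore(java_opts, java_home, existing_files)
    warnings = []
    if KEY_STORE_PROP in props and TRUST_STORE_PROP not in props:
        warnings.append("-D%s selects the client identity store; it does not fix "
                        "'unable to find valid certification path'" % KEY_STORE_PROP)
    for name in PASSWORD_PROPS:
        if name in props:
            warnings.append("-D%s exposes a password to anyone who can list processes" % name)
    return {
        "effective_truststore": effective,
        "reason": reason,
        "imported_store_is_used": effective is not None and effective == imported_into,
        "warnings": warnings,
    }


# (JAVA_OPTS, file the AD certificate was imported into), one per approach in the thread
SCENARIOS = {
    "original post": ("-Djava.awt.headless=true", WEBINF_STORE),
    "keyStore flag": ("-Djava.awt.headless=true -Djavax.net.ssl.keyStore=%s "
                      "-Djavax.net.ssl.keyStorePassword=password" % WEBINF_STORE, WEBINF_STORE),
    "import into cacerts": ("-Djava.awt.headless=true", DEFAULT_CACERTS),
    "trustStore flag": ("-Djava.awt.headless=true -Djavax.net.ssl.trustStore=%s"
                        % WEBINF_STORE, WEBINF_STORE),
}

if __name__ == "__main__":
    for label, (opts, imported) in SCENARIOS.items():
        result = diagnose(opts, imported)
        print("%-20s reads %s (%s); imported store used: %s" % (
            label, result["effective_truststore"], result["reason"],
            result["imported_store_is_used"]))
        for warning in result["warnings"]:
            print("    warning:", warning)
```

Two of the four scenarios end with the imported store actually being read: importing into the JRE's own cacerts (or dropping a jssecacerts next to it) needs no JVM flag at all, and the -Djavax.net.ssl.trustStore line does the same for a store kept elsewhere, such as the WEB-INF volume; passing a password on the command line is unnecessary for reading a trust store and shows up in process listings.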