“SASL bind failed” error occurs while using secure LDAP connection for user and group synchronisation
Product: IMiS/ARChive
Release: 9.9.x.x
Date: 02/14/2019
Case:
A “SASL bind failed” error occurs while using a secure LDAP connection (LDAPS) for user and group synchronisation. The root cause in the stack trace is a TLS handshake failure: the Java client cannot build a certification path from the certificate presented by the LDAP server to a trusted root. Example of the stack trace:
02/14/19 13:10:00.302 [iarcd:7670:2756705136] ERR[3] Error occurred while querying directory objects. Reason: 'Error querying directory. Reason: com.imis.imisarc.server.aaa.DirectoryException: javax.naming.CommunicationException: SASL bind failed: ldap.server.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
com.imis.imisarc.server.aaa.impl.LdapDirectory.executeQuery(LdapDirectory.java:260)
com.imis.imisarc.server.aaa.impl.GenericAAAObject.query(GenericAAAObject.java:69)
com.imis.imisarc.server.aaa.impl.GenericLdapConnector.query(GenericLdapConnector.java:13)
Caused by: javax.naming.CommunicationException: SASL bind failed: ldap.server.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:242)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
javax.naming.InitialContext.init(InitialContext.java:244)
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
com.imis.imisarc.server.aaa.impl.PagedInitialLdapContext.<init>(PagedInitialLdapContext.java:88)
com.imis.imisarc.server.aaa.impl.LdapDirectory.createLdapContext(LdapDirectory.java:582)
com.imis.imisarc.server.aaa.impl.LdapDirectory.createLdapContext(LdapDirectory.java:512)
com.imis.imisarc.server.aaa.impl.LdapDirectory.executeQuery(LdapDirectory.java:250)
com.imis.imisarc.server.aaa.impl.GenericAAAObject.query(GenericAAAObject.java:69)
com.imis.imisarc.server.aaa.impl.GenericLdapConnector.query(GenericLdapConnector.java:13)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:931)
sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
java.io.BufferedInputStream.read(BufferedInputStream.java:345)
com.sun.jndi.ldap.Connection.run(Connection.java:877)
java.lang.Thread.run(Thread.java:748)
Description:
To establish a secure connection, every certificate that forms the chain of trust for the LDAP server's certificate (the server certificate's issuing CA and any intermediate CAs up to the root) must be present in the certificate store. If the internal IAKS certificate store is used, the certificates must also be enabled. To configure IAKS, follow these steps in administration:
1. Locate the certificate configuration in administration.
2. Check that all certificates in the chain are present and enabled in IAKS.
3. If certificates are missing, import and enable them.
If you use an external certificate store, you need to import the proper certificates into it with the Java keytool command. Example of importing a CA certificate (DER encoded) into a JKS trust store named ldapTrustStore under the alias 01:
keytool.exe -import -file TestCA1.der -alias 01 -keystore ldapTrustStore
If the connector is not configured to use an external certificate store, it must be configured through administration with the following steps:
1. Locate the appropriate connector in the AAA settings.
2. Set the certificate store type and its path in the connector arguments:
a. Certificate store type, for example: <SSLTSType>JKS</SSLTSType>
b. Certificate store path, for example: <SSLTSFile>/path/to/ldapTrustStore</SSLTSFile>
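The following diagnostic program is an added example and is not part of IMiS/ARChive or its connector code. It reproduces what the connector's JNDI client does during the LDAPS handshake (PKIX validation against a JKS trust store, with LDAPS endpoint identification) and, when validation fails with the same "unable to find valid certification path" error, prints the certificate chain the server actually presented, so an administrator can see exactly which CA certificate is missing from the trust store before importing it with keytool. The host name, port, trust store path, store type and password are command-line arguments and are assumptions chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * LdapsTrustCheck (example tool, not part of the product):
 * verifies that an LDAPS endpoint's certificate chain validates against a trust store
 * and, on failure, shows the chain the server presented.
 *
 * Usage: java LdapsTrustCheck ldap.server.com 636 /path/to/ldapTrustStore JKS [storepass]
 */
public class LdapsTrustCheck {

    /** Delegates to the real PKIX trust manager but records the chain the server sent. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presentedChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presentedChain = chain;              // remember what the server offered
            delegate.checkServerTrusted(chain, authType); // same PKIX check the connector performs
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Builds the standard PKIX trust manager from the configured trust store (SSLTSType / SSLTSFile). */
    static X509TrustManager pkixTrustManager(String storeFile, String storeType, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(storeFile)) {
            ks.load(in, password);               // password may be null: contents are read, integrity unchecked
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available for store " + storeFile);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: LdapsTrustCheck host port truststore-file truststore-type [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = args.length > 4 ? args[4].toCharArray() : null;

        RecordingTrustManager tm = new RecordingTrustManager(pkixTrustManager(args[2], args[3], password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // JNDI's LDAPS client checks that the certificate matches the host name; do the same here.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("OK: " + host + ":" + port + " chain validates against " + args[2]);
        } catch (SSLException e) {
            System.out.println("FAILED: " + e.getMessage());
            if (tm.presentedChain != null && tm.presentedChain.length > 0) {
                System.out.println("Server presented " + tm.presentedChain.length + " certificate(s):");
                for (int i = 0; i < tm.presentedChain.length; i++) {
                    X509Certificate c = tm.presentedChain[i];
                    System.out.printf("  [%d] subject=%s%n      issuer=%s%n",
                            i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
                }
                X509Certificate top = tm.presentedChain[tm.presentedChain.length - 1];
                System.out.println("The trust store must contain the CA that issued [" + (tm.presentedChain.length - 1)
                        + "]: " + top.getIssuerX500Principal() + " (and any intermediates the server omitted).");
            }
            System.exit(1);
        }
    }
}
```

Run it with the same trust store file and type that are configured in the connector's SSLTSFile and SSLTSType arguments. An "OK" result means the connector's handshake will pass the PKIX check; a "FAILED" result lists the chain, and the last issuer printed is the certificate to import with keytool (as in the example above) and, for IAKS, to enable in administration.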
Related Documents: