Re: Problems with openLDAP + GSSAPI + JAVA
- To: openldap-technical@openldap.org
- Subject: Re: Problems with openLDAP + GSSAPI + JAVA
- From: Andreas Laesser <andreas.laesser@tugraz.at>
- Date: Fri, 03 Jul 2015 07:37:00 +0200
- In-reply-to: <20150630111742.GE5931@maia.oucs.ox.ac.uk>
- References: <559273F6.4020201@tugraz.at> <20150630111742.GE5931@maia.oucs.ox.ac.uk>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0
Hi @all
thanks for your help, I solved the problem. So there were two things
which caused this problem:
* Thanks to Dameon: Java clients can't handle Multi-Domain Certificates:
so the ldap1.spsc.tugraz.at was an alias on servXXX..... and the Java
client was not able to handle this.
* Java clients can't handle new cipher suites. If the server provides a
cipher suite which the Java client doesn't know, it will not ask again
for another version of the cipher, it simply cuts the connection.
So thanks for your help; after hours of debugging I came upon this.
Regards
Andreas
On 06/30/2015 01:17 PM, Dameon Wagner wrote:
> On Tue, Jun 30 2015 at 12:48:22 +0200, Andreas Laesser scribbled
> in "Problems with openLDAP + GSSAPI + JAVA":
>> Hi @all
>>
>> I have a (maybe) a problem with my openldap server authenticating over a
>> JAVA tool (Apache Directory Studio LDAP Browser V2.0.0.v20130628,
>> jXplorer) via GSSAPI.
>>
>> When I do a ldapsearch from command line via GSSAPI it works fine...
>>
>>
>> ~ % klist
>> Ticket cache: FILE:/tmp/krb5cc_1086_lR4Nxxxxrs
>> Default principal: admin@SPSC.TUGRAZ.AT
>>
>> Valid starting       Expires              Service principal
>> 30/06/2015 10:54     02/07/2015 10:54     krbtgt/SPSC.TUGRAZ.AT@SPSC.TUGRAZ.AT
>>     renew until 10/07/2015 10:54
>> 30/06/2015 10:54     02/07/2015 10:54     ldap/ldap1.spsc.tugraz.at@SPSC.TUGRAZ.AT
>>     renew until 10/07/2015 10:54
>>
>>
>> ~ % ldapsearch -H ldaps://ldap1.spsc.tugraz.at -b "dc=SPSC,dc=TUGRAZ,dc=AT"
>>
>> This works well....
>>
>> but if I try the same from one of the two tools mentioned above it
>> simply does not bind or connect....
>>
>> Has anybody had the same problems, or does anyone know a solution?
>
> Hi Andreas,
>
> Just as a hunch, what's the subject (or Subject Alternative Names) for
> the SSL certificate on "ldap1.spsc.tugraz.at"? If you're using DNS
> round-robin I'm guessing that "ldap1.spsc.tugraz.at" may not be
> listed, and that JAVA is being picky about validating the server-side
> certificate.
>
> Just a thought.
>
> Cheers.
>
> Dameon.
>
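A small diagnostic, added here as an example and not code from either poster or from the tools named above, that reproduces the two checks a Java LDAPS client performs (hostname matching of the certificate's subject alternative names with the "LDAPS" endpoint identification algorithm, and negotiation of a cipher suite the JVM actually supports) and reports which one fails. The host and port are command-line arguments with placeholder defaults; it assumes Java 8 or later and the JVM's default trust store.

```java
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
import java.util.List;

/* Hypothetical probe: opens a TLS socket the way the JNDI LDAP provider does for
 * ldaps:// URLs, so a CNAME that is missing from the certificate SANs or a server
 * that offers only suites unknown to this JVM shows up as a handshake failure. */
public class LdapsProbe {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldap.example.org"; // placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Same hostname verification a Java LDAP client applies for ldaps://
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            sock.setSSLParameters(params);

            System.out.println("Client offers " + sock.getEnabledCipherSuites().length
                    + " cipher suites over " + String.join(",", sock.getEnabledProtocols()));
            try {
                sock.startHandshake();
            } catch (SSLHandshakeException e) {
                // Both a name mismatch (alias not in the SANs) and "no common cipher
                // suite" end here; the message tells the two apart.
                System.out.println("Handshake failed: " + e.getMessage());
                return;
            }
            SSLSession session = sock.getSession();
            System.out.println("Negotiated " + session.getProtocol() + " / " + session.getCipherSuite());

            // Print the names the server certificate is actually valid for
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal().getName());
            if (leaf.getSubjectAlternativeNames() != null) {
                for (List<?> san : leaf.getSubjectAlternativeNames()) {
                    if ((Integer) san.get(0) == 2) { // GeneralName type 2 = dNSName
                        System.out.println("SAN dNSName: " + san.get(1));
                    }
                }
            }
        }
    }
}
```

If the handshake succeeds but the alias you connect to is not among the printed SAN entries, the fix is on the certificate (add the alias as a SAN), not in the client; if it fails before any certificate is printed, compare the printed suite and protocol list with what the server enables.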