Environment
CentOS 6. java version "1.7.0_02". apache-tomcat-6.0.35
Attachments
1
07 Mar 2012, 07:34 PM
Activity
ChadC
June 21, 2012 at 11:51 AM
Fixed in rev 1026
Kevin Sewell
May 29, 2012 at 9:24 AM
Thanks. I've applied that fix, and it does indeed solve the described problem.
It appears that LDAPS bind is failing with certificate verification errors (hostname mismatch) when "failing over" using, in my case, the ACTIVE_PASSIVE connection strategy.
In attribute-resolver.conf, I have this:
<resolver:DataConnector
        id="ADLDAP"
        xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://dc1.domain ldaps://dc2.domain ldaps://dc3.domain ldaps://dc4.domain"
        connectionStrategy="ACTIVE_PASSIVE"
        baseDN="ou=People,dc=domain"
        principal="reader@domain"
        principalCredential="secret">
    <dc:FilterTemplate>
        <![CDATA[
            (sAMAccountName=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <dc:LDAPProperty name="com.sun.jndi.ldap.connect.timeout" value="1000"/>
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
    <dc:LDAPProperty name="java.naming.ldap.attributes.binary" value="objectSid"/>
</resolver:DataConnector>
Each of the LDAP servers has a certificate with its own hostname as subject.
Log attached, but in summary:
dc1.domain was made to be unavailable, and the IdP was restarted. The IdP failed to start up, apparently attempting to match "dc1.domain" with each subject in all the subsequent certificates, which obviously fails:
17:06:46.089 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
17:06:46.090 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
17:06:46.090 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = reader@domain
17:06:46.090 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
17:06:46.152 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:128] - Set hostname verifier for ldaps
17:06:47.213 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldaps://dc1.domain
javax.naming.CommunicationException: dc1.domain:636
<snip>
Caused by: java.net.SocketTimeoutException: connect timed out
<snip>
17:06:47.214 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
17:06:47.214 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
17:06:47.214 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = reader@domain
17:06:47.214 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
17:06:47.229 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@e9fd18b
17:06:47.253 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for edu.vt.middleware.ldap.ssl.HostnameVerifyingTrustManager@424fd90d
17:06:47.253 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:122] - Verify with the following parameters:
17:06:47.253 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:123] - hostname = dc1.domain
17:06:47.253 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:124] - cert = CN=dc2.domain, OU=...
17:06:47.255 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:197] - verifyDNS using subjectAltNames = [dc2.domain]
17:06:47.258 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldaps://dc2.domain
javax.naming.CommunicationException: simple bind failed: dc2.domain:636
<snip>
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Hostname '[dc1.domain]' does not match the hostname in the server's certificate
<snip>
Caused by: java.security.cert.CertificateException: Hostname '[dc1.domain]' does not match the hostname in the server's certificate
<snip>
17:06:47.258 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
17:06:47.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
17:06:47.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = reader@domain
17:06:47.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
17:06:47.264 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@e9fd18b
17:06:47.272 - DEBUG [edu.vt.middleware.ldap.ssl.AggregateTrustManager:75] - invoking checkServerTrusted for edu.vt.middleware.ldap.ssl.HostnameVerifyingTrustManager@424fd90d
17:06:47.273 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:122] - Verify with the following parameters:
17:06:47.273 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:123] - hostname = dc1.domain
17:06:47.273 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:124] - cert = CN=dc3.domain, OU=...
17:06:47.274 - DEBUG [edu.vt.middleware.ldap.ssl.DefaultHostnameVerifier:197] - verifyDNS using subjectAltNames = [dc3.domain]
17:06:47.280 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldaps://dc3.domain
javax.naming.CommunicationException: simple bind failed: dc3.domain:636
<snip>
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Hostname '[dc1.domain]' does not match the hostname in the server's certificate
<snip>
Caused by: java.security.cert.CertificateException: Hostname '[dc1.domain]' does not match the hostname in the server's certificate
<snip>
etc
Kevin
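A small simulation, as an added example (not vt-ldap or Shibboleth code), of the failover described in the report above: the faulty path reuses the first configured hostname when verifying every later server's certificate, which is what the log shows (hostname = dc1.domain against cert = CN=dc2.domain), while the corrected path verifies against the host of the URL actually being tried. Hostnames, certificate SANs and the unreachable dc1.domain are constructed to mirror the log.

```python
# Added example (not vt-ldap or Shibboleth code): simulates ACTIVE_PASSIVE
# failover with LDAPS hostname verification. All hosts and SANs below are
# constructed to mirror the log in the report.
import socket
from urllib.parse import urlparse

LDAP_URLS = ["ldaps://dc1.domain", "ldaps://dc2.domain",
             "ldaps://dc3.domain", "ldaps://dc4.domain"]

# Constructed: each server presents a certificate whose SAN is its own name.
SERVER_CERT_SANS = {
    "dc2.domain": ["dc2.domain"],
    "dc3.domain": ["dc3.domain"],
    "dc4.domain": ["dc4.domain"],
}
UNREACHABLE = {"dc1.domain"}  # constructed: dc1 was made unavailable


class HostnameMismatch(Exception):
    pass


def verify_dns(expected_host, cert_sans):
    """Mirror of the verifyDNS step: the expected name must appear among
    the certificate's dNSName SANs (exact, case-insensitive match)."""
    return expected_host.lower() in (san.lower() for san in cert_sans)


def connect(url, expected_host):
    """Simulated TLS connect + simple bind against one LDAPS URL."""
    host = urlparse(url).hostname
    if host in UNREACHABLE:
        raise socket.timeout("connect timed out")
    if not verify_dns(expected_host, SERVER_CERT_SANS[host]):
        raise HostnameMismatch(f"Hostname '[{expected_host}]' does not match "
                               "the hostname in the server's certificate")
    return host


def failover_bind(urls, pin_first_host):
    """Try URLs in order; return (host that served the bind or None, errors).
    pin_first_host=True reproduces the reported behaviour: the verifier keeps
    comparing against the first configured host. pin_first_host=False
    verifies against the host of the URL actually being tried."""
    errors, first_host = [], urlparse(urls[0]).hostname
    for url in urls:
        expected = first_host if pin_first_host else urlparse(url).hostname
        try:
            return connect(url, expected), errors
        except (socket.timeout, HostnameMismatch) as exc:
            errors.append(f"{url}: {exc}")
    return None, errors
```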