Service Virtualization

Expand all | Collapse all

10.6 IAM - LDAP Authentication failed

Jump to Best Answer
  • 1.  10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 07:44 AM
    Edited by Harika Gonela 09-18-2020 07:44 AM
    Hi Team,

    We are unable to configure LDAP system within Identity and Access Manager, getting Error! LDAP authentication failed. See server.log for details on Bind DN Test connection.

    -> imported existing authentication-providers.xml & ldap-mappings.xml which is working fine with 10.3
    -> No errors found in logs.

    Referred doc:
    https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/devtest-solutions/10-5/administering/security/identity-and-access-manager/configure-user-federation-ldap.html#concept.dita_dc7527e06d3dd332dc9ba0ec745d805ff8c9493b_DefineLDAPGroupSettings


    Could you please help.


    Regards,
    Harika Gonela.





  • 2.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-18-2020 07:46 AM
    Hi Harika
             Please could you share a screenshot of your ldap configuration. Please hide any sensitive info.

    --
    regards
    Sankar Natarajan





  • 3.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 08:05 AM
    Hi Sankar,

    Missed to add screenshot.


    Regards,
    Harika Gonela


  • 4.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-18-2020 08:13 AM
    Thanks HArika. Please check if the BindDN and Bind Credential are valid. Bind DN is the user who will authenticate against the LDAP. I hope you were able to get 'test connection' working.

    --
    regards
    Sankar Natarajan





  • 5.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 08:29 AM

    yes Sankar,

    We tried to import the same authentication-provides.xml which is working in 10.3.

    In 10.6, Though its showing up all the entries on import in UI  and Test connection is working but Test Authentication failing with the imported password.

    However we tried with the correct valid password as well, which still fails with error

    Regards,
    Harika Gonela




  • 6.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-18-2020 08:31 AM
    Please share this file: LISA_HOME\IdentityAccessManager\standalone\log

    --
    regards
    Sankar Natarajan





  • 7.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 08:39 AM
    from server.log:

    2020-09-18 04:57:56,144 ERROR [org.keycloak.services] (default task-88) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: sexxx.gxxx.xxx:xxx: javax.naming.CommunicationException: simple bind failed: sexxx.gxxx.xxx:xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

                    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)

                    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)

                    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)

                    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)

                    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)

                    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)

                    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)

                    at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)

                    at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)

                    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)

                    at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)

                    at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)

                    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)

                    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)

                    at javax.naming.InitialContext.init(InitialContext.java:244)

                    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)

                    at org.keycloak.services.managers.LDAPConnectionTestManager.testLDAP(LDAPConnectionTestManager.java:77)

                    at org.keycloak.services.resources.admin.RealmAdminResource.testLDAPConnection(RealmAdminResource.java:813)

                    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

                    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                    at java.lang.reflect.Method.invoke(Method.java:498)

                    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)

                    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

                    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)

                    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)

                    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)

                    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)

                    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)

                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)

                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)

                    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)

                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)

                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)

                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

                    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

                    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

                    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)

                    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

                    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

                    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

                    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

                    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

                    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

                    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

                    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

                    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

                    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

                    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

                    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

                    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

                    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

                    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

                    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)

                    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)

                    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)

                    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)

                    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)

                    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)

                    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)

                    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)

                    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)

                    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)

                    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)

                    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)

                    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)

                    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

                    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)

                    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)

                    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)

                    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

                    at java.lang.Thread.run(Thread.java:748)

    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

                    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)

                    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)

                    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)

                    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)

                    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)

                    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)

                    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)

                    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)

                    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)

                    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)

                    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)

                    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)

                    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)

                    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)

                    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)

                    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)

                    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)

                    ... 77 more

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)

                    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

                    at sun.security.validator.Validator.validate(Validator.java:262)

                    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)

                    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)

                    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)

                    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)

                    ... 90 more

    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

                    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

                    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)

                    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)

                    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)

                    ... 96 more

     
    Regards,
    Harika Gonela.




  • 8.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-18-2020 08:45 AM
    Looks like you are connecting to LDAP over SSL. Please do the following:

    1. Get the SSL Server certificate of your LDAP Server
    2. Import this certificate into the file LISA_HOME\IdentityAccessManager\certs\iam-truststore.ks
    3. Restart IAM Server

    Retry the connection and authentication.

    --
    regards
    Sankar Natarajan





  • 9.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 10:53 AM
    Thank you sankar.

    Is there any default password for iam-truststore.ks file.

    we are seeing below error when trying to add the ssl cert to iam-truststore.ks 
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect



    Regards,
    Harika Gonela.


  • 10.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-18-2020 10:57 AM
    Harika,
    Please try these passwords:

    passphrase

    changeit

    Regards
    Sankar 







  • 11.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-18-2020 12:39 PM
    Hi Sankar,

    tried with both passwords , yet same error. Any suggestions please.

    Regards,
    Harika Gonela.


  • 12.  RE: 10.6 IAM - LDAP Authentication failed
    Best Answer

    Broadcom Employee
    Posted 09-18-2020 01:25 PM
    HI Harika
            Never mind. You can create another keystore file with .jks extension and import your LDAP SSL certificate in it. MAke sure you update the file LISA_HOME\IdentityAccessManager\iam.properties with following entries

    iam.truststore=${IAM_HOME}certs/<new keystore>.jks
    iam.truststore.password=<New password in plain text>

    Eg:
    iam.truststore=${IAM_HOME}certs/newiamtruststore.jks
    iam.truststore.password=newpassword

    Save the file and restart IAM Service. Dont worry about the plain text password, this password will be encrypted when IAM restarts.

    --
    regards
    Sankar Natarajan





  • 13.  RE: 10.6 IAM - LDAP Authentication failed

    Posted 09-21-2020 07:14 AM
    Hi Sankar,

    After importing LDAP certs we could able to get success message on Test Authentication. 

    Thank you for the help.

    Regards,
    Harika Gonela


  • 14.  RE: 10.6 IAM - LDAP Authentication failed

    Broadcom Employee
    Posted 09-21-2020 07:19 AM
    Thanks for the confirmation Harika.

    --
    regards
    Sankar Natarajan