Original Message:
Sent: 9/21/2020 7:14:00 AM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
Hi Sankar,
After importing LDAP certs we could able to get success message on Test Authentication.
Thank you for the help.
Regards,
Harika Gonela
Original Message:
Sent: 09-18-2020 01:25 PM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
HI Harika
Never mind. You can create another keystore file with .jks extension and import your LDAP SSL certificate in it. MAke sure you update the file LISA_HOME\IdentityAccessManager\iam.properties with following entries
iam.truststore=${IAM_HOME}certs/<new keystore>.jks
iam.truststore.password=<New password in plain text>
Eg:
iam.truststore=${IAM_HOME}certs/newiamtruststore.jks
iam.truststore.password=newpassword
Save the file and restart IAM Service. Dont worry about the plain text password, this password will be encrypted when IAM restarts.
Original Message:
Sent: 9/18/2020 12:39:00 PM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
Hi Sankar,
tried with both passwords , yet same error. Any suggestions please.
Regards,
Harika Gonela.
Original Message:
Sent: 09-18-2020 10:55 AM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
Harika,
Please try these passwords:
passphrase
changeit
Regards
Sankar
Original Message:
Sent: 9/18/2020 10:53:00 AM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
Thank you sankar.
Is there any default password for iam-truststore.ks file.
we are seeing below error when trying to add the ssl cert to iam-truststore.ks
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Regards,
Harika Gonela.
Original Message:
Sent: 09-18-2020 08:44 AM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
Looks like you are connecting to LDAP over SSL. Please do the following:
1. Get the SSL Server certificate of your LDAP Server
2. Import this certificate into the file LISA_HOME\IdentityAccessManager\certs\iam-truststore.ks
3. Restart IAM Server
Retry the connection and authentication.
--
Original Message:
Sent: 9/18/2020 8:39:00 AM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
from server.log:
2020-09-18 04:57:56,144 ERROR [org.keycloak.services] (default task-88) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: sexxx.gxxx.xxx:xxx: javax.naming.CommunicationException: simple bind failed: sexxx.gxxx.xxx:xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.services.managers.LDAPConnectionTestManager.testLDAP(LDAPConnectionTestManager.java:77)
at org.keycloak.services.resources.admin.RealmAdminResource.testLDAPConnection(RealmAdminResource.java:813)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 77 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 90 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 96 more
Regards,
Harika Gonela.
Original Message:
Sent: 09-18-2020 08:30 AM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
Please share this file: LISA_HOME\IdentityAccessManager\standalone\log
--
Original Message:
Sent: 9/18/2020 8:29:00 AM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
yes Sankar,
We tried to import the same authentication-provides.xml which is working in 10.3.
In 10.6, Though its showing up all the entries on import in UI and Test connection is working but Test Authentication failing with the imported password.
However we tried with the correct valid password as well, which still fails with error
Regards,
Harika Gonela
Original Message:
Sent: 09-18-2020 08:12 AM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
Thanks HArika. Please check if the BindDN and Bind Credential are valid. Bind DN is the user who will authenticate against the LDAP. I hope you were able to get 'test connection' working.
--
Original Message:
Sent: 9/18/2020 8:05:00 AM
From: harika.gonela1
Subject: RE: 10.6 IAM - LDAP Authentication failed
Hi Sankar,
Missed to add screenshot.
Regards,
Harika Gonela
Original Message:
Sent: 09-18-2020 07:46 AM
From: Sankar Natarajan
Subject: 10.6 IAM - LDAP Authentication failed
Hi Harika
Please could you share a screenshot of your ldap configuration. Please hide any sensitive info.
--
Original Message:
Sent: 9/18/2020 7:44:00 AM
From: harika.gonela1
Subject: 10.6 IAM - LDAP Authentication failed
Hi Team,
We are unable to configure LDAP system within Identity and Access Manager, getting Error! LDAP authentication failed. See server.log for details on Bind DN Test connection.
-> imported existing authentication-providers.xml & ldap-mappings.xml which is working fine with 10.3
-> No errors found in logs.
Referred doc:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/devtest-solutions/10-5/administering/security/identity-and-access-manager/configure-user-federation-ldap.html#concept.dita_dc7527e06d3dd332dc9ba0ec745d805ff8c9493b_DefineLDAPGroupSettings
Could you please help.
Regards,
Harika Gonela.