04-29-2020 02:30 AM
Hi,
Here's the LDAPS setup:
1.) Export Root-CA Cert to C:\etc\rootca.cer
2.) Create keystore:
E:\Alfresco6\java\bin\keytool -importcert -alias rootca -file "C:\etc\rootca.cer" -keystore "E:\Alfresco6\alf_data\keystore\rootca.keystore" -storepass xxxxx -storetype JCEKS
3.) LDAP Properties:
ldap.authentication.java.naming.provider.url=ldaps://dc01.domain.loc
ldap.authentication.truststore.path=${dir.keystore}/rootca.keystore
ldap.authentication.truststore.passphrase=xxxxx
ldap.authentication.truststore.type=JCEKS
ldap.authentication.java.naming.security.protocol=ssl
4.) Tomcat Settings:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
See https://issues.alfresco.com/jira/browse/MNT-21030
So far so good... Now the strange thing.
If I restart Alfresco the LDAP sync works for ~1 out of 10 tries... 9 tries fail with "No trusted certificate found".
Any ideas?
Here's the stack trace:
2020-04-29 08:07:53,486 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2020-04-29 08:07:53,533 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Apr 28, 2020, 8:09:42 PM from user registry 'ldap1'
2020-04-29 08:07:54,095 ERROR [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 03290001 Error during LDAP Search. Reason:null
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1335)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:713)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:993)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:739)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.access$16(ChainingUserRegistrySynchronizer.java:474)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:2138)
    at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:623)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:2132)
    at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onApplicationEvent(ChainingUserRegistrySynchronizer.java:2495)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:127)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:569)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:882)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:824)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1098)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:637)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:221)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:186)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:206)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:398)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:355)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:882)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:400)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:291)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
    at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4770)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5236)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: domain.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: No trusted certificate found]]
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1316)
    ... 43 more
Caused by: javax.naming.CommunicationException: simple bind failed: domain.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: No trusted certificate found]
    at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
    at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
    ... 47 more
Caused by: javax.net.ssl.SSLHandshakeException: No trusted certificate found
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:642)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
    at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
    at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
    at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
    at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
    at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
    at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
    at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
    at java.naming/javax.naming.spi.NamingManager.getURLObject(NamingManager.java:608)
    at java.naming/javax.naming.spi.NamingManager.processURL(NamingManager.java:385)
    at java.naming/javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:365)
    at java.naming/javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:337)
    at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
    ... 50 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at java.base/sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:411)
    at java.base/sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:135)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626)
    ... 78 more
05-12-2020 09:30 AM
Solved.
Because of the bug MNT-21030 (mentioned in my first post) LDAPS uses "domain.loc:636" for the LDAP bind.
I only configured one DC with a correct certificate, but I've 7 DCs running.
The DNS resolution for "domain.loc" is round-robin, so ~1/7 of the syncs were working.
Now I configured all DCs and it's running fine.
04-30-2020 02:43 PM
Hi,
I don't have an answer for you but just want to say that I've got the same problem. Sometimes sync works but most of the time not. Hope that someone will have a solution. I'll let you know if I find something.
My setup:
- Alfresco 6.0.1
- LDAPS with Windows Active Directory
Regards
Marc
05-04-2020 09:00 AM
Anyone else some ideas?
05-08-2020 03:09 PM
Hi,
For myself, it's working w/o errors for 2 days now.
Here's what I did:
- Add this in Java: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
- Import the root CA certificate into the keystore with keytool. Now the keystore contains the LDAPS certificate and the CA certificate.
Hope this helps you. I will leave this running for the next few days and see if it holds up.
Regards,
Marc
05-12-2020 03:20 AM
Hi,
I did it like this:
E:\Alfresco6\java\bin\keytool -importcert -alias domain.loc -file "C:\etc\rootca.cer" -keystore "E:\Alfresco6\alf_data\keystore\rootca.keystore" -storepass xxxxx -storetype JCEKS
In the Tomcat options i added this:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
My settings are like this:
ldap.authentication.java.naming.provider.url=ldaps://dc01.domain.loc:636
ldap.authentication.truststore.path=${dir.keystore}/rootca.keystore
ldap.authentication.truststore.passphrase=xxxxx
ldap.authentication.truststore.type=JCEKS
ldap.authentication.java.naming.security.protocol=ssl
Why do I need the LDAPS cert? Isn't the root cert enough?
The LDAPS cert is a new one every year in an Active Directory environment...
Thanks, Joe