Connecting WSO2 Identity Server to an External LDAP source using startTLS

Question

We have recently migrated our internal ApacheDS embedded LDAP service over to an external OpenLDAP server in our WSO2 Identity Server (4.6.0). That has been working well for last month.

In an effort to secure the environment further, I have created a new OpenLDAP cluster which enforces the use of TLS (startTLS). Below is my user-mgt.xml file. I have also imported the cacert.pem from the OpenLDAP server into the ./resources/security/client-truststore.jks on both of our IS nodes.

At startup I receive the follow errors:

Cannot create connection to LDAP server. Error message Error obtaining connection. [LDAP: error code 13 - TLS confidentiality required]

Below is my user-mgt.xml

            <UserManager>
            <Realm>
                <Configuration>
                        <AddAdmin>true</AddAdmin>
                        <AdminRole>admin</AdminRole>
                        <AdminUser>
                             <UserName>admin</UserName>
                             <Password>SECRET</Password>
                        </AdminUser>
                    <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
                    <Property name="dataSource">jdbc/bpsdbq</Property>
                </Configuration>


                <!-- If product is using an external LDAP as the user store in read/write mode, use following user manager
                        In case if user core cache domain is needed to identify uniquely set property <Property name="UserCoreCacheIdentifier">domain</Property>
                -->
                <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
                    <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
                    <Property name="ConnectionURL">ldap://ourldap.server.com</Property>
                    <Property name="Disabled">false</Property>
                    <Property name="ConnectionName">cn=admin,dc=wso2,dc=org</Property>
                    <Property name="ConnectionPassword">SECRET</Property>
                    <Property name="passwordHashMethod">SHA</Property>
                    <Property name="UserNameListFilter">(objectClass=person)</Property>
                    <Property name="UserEntryObjectClass">inetOrgPerson</Property>
                    <Property name="UserSearchBase">ou=users,dc=wso2,dc=org</Property>
                    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(cn=?))</Property>
                    <Property name="UserNameAttribute">cn</Property>
                    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
                    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
                    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
                    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
                    <Property name="ReadGroups">true</Property>
                    <Property name="WriteGroups">true</Property>
                    <Property name="EmptyRolesAllowed">false</Property>
                    <Property name="GroupSearchBase">ou=groups,dc=wso2,dc=org</Property>
                    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
                    <Property name="GroupEntryObjectClass">groupOfNames</Property>
                    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
                    <Property name="GroupNameAttribute">cn</Property>
                    <Property name="SharedGroupNameAttribute">cn</Property>
                    <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
                    <Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
                    <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
                    <Property name="SharedGroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
                    <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
                    <Property name="SharedTenantNameAttribute">ou</Property>
                    <Property name="SharedTenantObjectClass">organizationalUnit</Property>
                    <Property name="MembershipAttribute">member</Property>
                    <Property name="UserRolesCacheEnabled">true</Property>
                    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
                    <Property name="MaxRoleNameListLength">100</Property>
                    <Property name="MaxUserNameListLength">100</Property>
                    <Property name="SCIMEnabled">false</Property>
                </UserStoreManager>


                <AuthorizationManager
                    class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
                    <Property name="AdminRoleManagementPermissions">/permission</Property>
                    <Property name="AuthorizationCacheEnabled">true</Property>
                </AuthorizationManager>
            </Realm>
        </UserManager>

Any help would be appreciated!

Thanks!

Answer 1

WSO2IS does not support to connect with startTLS. You can find an open jira for this. However, you can connect with normal SSL/TLS. Yes..then you need to import the openLDAP certificate in to resources/security/client-truststore.jks and connect to the SSL LDAPS port of the openLDAP