user24830391
Reputation: 1
Java LDAP client connect OpenLDAP server(startTls) failed:( LDAP: error code 13 - TLS confidentiality required)
There was an error when config ldap(startTLS) for gerrit.
I have configed ldap server with startTLS and it works well.
ldapsearch -x -W -ZZ -H ldap://test.com -D cn=admin,ou=manager,dc=test,dc=com -b dc=test,dc=com, this will return result as expected.ldapsearch -x -W -H ldap://test.com -D cn=admin,ou=manager,dc=test,dc=com -b dc=test,dc=com, this returns errorldap_bind: Confidentiality required (13), additional info: TLS confidentiality required, also work as expected without-ZZ
etc/gerrit.conf as following:
[gerrit]
basePath = git
canonicalWebUrl = http://localhost:8080/
serverId = 956c31a1-1d24-4893-ad73-ca7aa0e9cbfc
[container]
javaOptions = "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
javaOptions = "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
user = root
javaHome = /usr/lib/jvm/java-17-openjdk-amd64
[index]
type = lucene
[auth]
type = LDAP
gitBasicAuthPolicy = LDAP
[receive]
enableSignedPush = false
[sendemail]
smtpServer = test.com
smtpEncryption = TLS
smtpUser = gerrit
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://*:8080/
[cache]
directory = cache
[ldap]
startTls = true
server = ldap://test.com
username = cn=admin,ou=manager,dc=test,dc=com
accountBase = ou=People,dc=test,dc=com
groupBase = ou=Group,dc=test,dc=com
When Login from gerrit web, it failed with the error log: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required],
My Environment:
uname -a: Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linuxjava -version: openjdk version "17.0.11" 2024-04-16slapd -V:OpenLDAP: slapd 2.5.13+dfsg-5gerrit: gerrit-3.9.4.war
I have also tried a simple java client, while it returned the same error.
Attach:
LdapStartTlsDemo.java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import java.util.Hashtable;
import java.util.Properties;
public class LdapStartTlsDemo {
public static void main(String[] args) {
try {
// 设置LDAP连接参数
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://test.com"); // LDAP server
env.put(Context.SECURITY_AUTHENTICATION, "simple"); // type
env.put(Context.SECURITY_PRINCIPAL, "cn=admin,ou=manager,dc=test,dc=com"); // DN
env.put(Context.SECURITY_CREDENTIALS, "secret"); // pw
env.put("java.naming.security.protocol", "tls"); // TLS
env.put("java.naming.ldap.starttls.required", "true"); // force StartTLS
System.setProperty("javax.net.ssl.trustStore", "/etc/ldap/tls/CA.pem");
// System.setProperty("javax.net.ssl.trustStorePassword", "truststore_password");
System.setProperty("javax.net.debug", "ssl,handshake");
LdapContext ctx = new InitialLdapContext(env, null);
System.out.println("Connected to LDAP server using StartTLS.");
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(objectClass=person)";
String[] returnedAtts = {"cn", "sn", "mail"};
searchCtls.setReturningAttributes(returnedAtts);
NamingEnumeration<SearchResult> answer = ctx.search("ou=Users,dc=example,dc=com", searchFilter, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = answer.next();
Attributes attrs = sr.getAttributes();
System.out.println("Found User: " + attrs.get("cn").get());
System.out.println("SN: " + attrs.get("sn").get());
System.out.println("Email: " + attrs.get("mail").get());
System.out.println("-------------------");
}
// 关闭连接
ctx.close();
System.out.println("Connection closed.");
} catch (Exception e) {
e.printStackTrace();
}
}
}
- Java Exception stacktrace
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3251)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2992)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2906)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.google.gerrit.auth.ldap.Helper.createContext(Helper.java:175)
at com.google.gerrit.auth.ldap.Helper.open(Helper.java:218)
at com.google.gerrit.auth.ldap.LdapRealm.authenticate(LdapRealm.java:242)
at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:144)
at com.google.gerrit.httpd.auth.ldap.LdapLoginServlet.doPost(LdapLoginServlet.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:293)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:283)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
at com.google.gerrit.httpd.raw.StaticModule$PolyGerritFilter.doFilter(StaticModule.java:395)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.GetUserFilter.doFilter(GetUserFilter.java:92)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.UniversalWebLoginFilter.doFilter(UniversalWebLoginFilter.java:75)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:120)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.SetThreadNameFilter.doFilter(SetThreadNameFilter.java:62)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:139)
at com.google.gerrit.httpd.AllowRenderInFrameFilter.doFilter(AllowRenderInFrameFilter.java:56)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:141)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:60)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:92)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:64)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:54)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
at java.base/java.lang.Thread.run(Thread.java:840)
- stacktrace of the simple demo
root@test:~/ldap# java -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djavax.net.debug=all LdapStartTlsDemo
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3251)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3206)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2992)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2906)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:732)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at LdapStartTlsDemo.main(LdapStartTlsDemo.java:34)
Upvotes: 0
Views: 94
Answers (0)
Related Questions
- Gerrit shows LDAP: error code 48 - anonymous bind disallowed
- OpenLDAP - Enabling CRL check for LDAP TLS connections
- javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
- Should my LDAP client application have option to use "ldaps" and/or "StartTLS"?
- client failing to connect to ldap server
- LDAP error in Tomcat - TLS confidentiality required