Error logging in using LDAP
805184 Oct 13 2010 — edited Nov 22 2010
Hi,
we are using VDI 3.2 and wanted to use an additional LDAP infrastructure to authenticate our users. This LDAP service requires a secure bind with a proxy user. We set up the connection to the LDAP server and try to authenticate, but the login fails. To me, the error messages hint at a problem in the certificate chain. In which file(s), and how, can additional certificates be imported to successfully use this authentication? Or am I missing some other problem?
The following is an excerpt of the log file /var/cacao/instances/default/logs/cacaoadm.log with full logging for directory services enabled.
(The DN resolved for the user logging in can be found in the line containing -> DN=...)
FINEST: thr#56 search of ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de scope(2) filter((uid=ne59xox)) atts([]) took 13ms
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.DirectoryServiceContext authenticate
FINE: thr#56 Authenticated ne59xox@mytum.de to 31 [DirectoryResponse(code=0,message='Success')]
Oct 12, 2010 5:40:04 PM com.sun.vda.service.ldap.UserDirConnection searchForUser
FINEST: thr#56 end loginHelper.searchForUser
Oct 12, 2010 5:40:04 PM com.sun.vda.service.ldap.UserDirConnection searchForUser
FINEST: thr#56 searchForUser for ne59xox@mytum.de succeeds -> DN=cn=ne59xox,ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.util.ResourceManager loadAll
FINEST: thr#56 Loading resources for com.sun.directoryservices.service#service
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.DirectoryServiceContext <init>
FINE: thr#56 Creating service (0) ldaps://iapp.tum.de[636]/ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.util.ResourceManager getString
FINEST: thr#56 Missing resource for : ERROR_SHORTCUT_MAP
Oct 12, 2010 5:40:04 PM com.sun.directoryservices.service.DirectoryService initQueryHelper
FINEST: thr#56 Initializing Query Helper
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.util.ResourceManager loadAll
FINEST: thr#56 Loading resources for com.sun.directoryservices.search#search
Oct 12, 2010 5:40:04 PM com.sun.directoryservices.service.DirectoryService initLoginHelper
FINEST: thr#56 Initializing Login Helper
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.util.ResourceManager loadAll
FINEST: thr#56 Loading resources for com.sun.directoryservices.auth#auth
Oct 12, 2010 5:40:04 PM com.sun.directoryservices.service.DirectoryService connect
FINEST: thr#56 Connecting service context
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.DirectoryServiceContext connect
FINE: thr#56 Connecting to ldaps://iapp.tum.de[636]/ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.util.ResourceManager loadAll
FINEST: thr#56 Loading resources for com.sun.sgd.directoryservices.core.connect#connector
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.connect.Connection createEnvironment
FINEST: thr#56 Environment for iapp.tum.de:636 is : {service.CONTEXT_FACTORY=com.sun.jndi.ldap.LdapCtxFactory, auth.UNIQUE_USER_ATTRIBUTES=[Ljava.lang.Object;@613a6f, service.caps.SUPPORTED_CAPS_ATTRIBUTES=supportedCapabilities, com.sun.jndi.ldap.connect.timeout=10000, auth.FILTER_VAR_IDENTIFIER=${, service.caps.VERSION_ATTRIBUTES=[Ljava.lang.Object;@143642c, service.dns.QUERY_CLASS=IN, java.naming.ldap.derefAliases=never, search.TOKENGROUPS_ATTRIBUTES=[Ljava.lang.Object;@16596ca, search.USER_OBJECT_FILTER=(|(objectclass=user)(objectclass=person)(objectclass=inetOrgPerson)(objectclass=organizationalPerson)), auth.FILTER_VAR_TERMINATOR=}, service.ads.PORT=3269, service.ads-domain.PORT=636, auth.IGNORED_ID_ATTRIBUTES=[Ljava.lang.Object;@8eb6d9, search.OBJECTSID_ATTRIBUTES=objectSid, search.LOOKUP_CACHE_TIMEOUT=1200, search.NESTED_GROUP_DEPTH=0, service.caps.SUPPORTED_CONTROLS_ATTRIBUTES=supportedControls, search.BINARY_ATTRIBUTES=netlogon tokenGroups objectSid tokenGroupsGlobalAndUniversal, search.GROUP_OBJECT_FILTER=(|(objectclass=group)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)), service.FORCE_ABSOLUTE_DN=false, java.naming.security.credentials=[C@1ea9cd8, core.auth.USER_MANAGER=com.sun.sgd.directoryservices.core.auth.managers.StandardLDAPUserManager@1869e64, service.dns.LDAP_PREFIX=_ldap._tcp, service.ldap.PORT=389, connector.MAX_RESET_ATTEMPTS=2, java.naming.ldap.attributes.binary=netlogon tokenGroups objectSid tokenGroupsGlobalAndUniversal, java.naming.provider.url=ldaps://iapp.tum.de:636, auth.PWD_EXPIRY_WARNING_THRESHOLD=604800, auth.USER_ID_FILTER=(|(cn=${name})(uid=${name})(mail=${name})), service.SERVICE_URLS=ldaps://iapp.tum.de[636]/ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de, java.naming.referral=ignore, search.GROUP_CACHE_TIMEOUT=1200, service.caps.AD_CAPS_OIDS=[Ljava.lang.Object;@108e941, java.naming.security.principal=cn=TUINFAK-TUMotrs,ou=bindDNs,ou=iapp,dc=tum,dc=de, service.ad.USE_DNS_PORT=false, 
service.ad.forest.DOMAIN_ID_FILTER=(objectclass=domain), service.KRB_SECURITY_LEVEL=auth, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.read.timeout=10000, java.naming.security.authentication=simple, connector.MAX_RETRY_ATTEMPTS=3, service.AUTHENTICATION_CREDENTIALS=cn=TUINFAK-TUMotrs,ou=bindDNs,ou=iapp,dc=tum,dc=de(DN:cn=TUINFAK-TUMotrs,ou=bindDNs,ou=iapp,dc=tum,dc=de), search.OBJECT_MEMBER_ATTRS=[Ljava.lang.Object;@9d1ea, search.GROUP_MEMBER_ATTRS=[Ljava.lang.Object;@b45bb8, auth.PWD_EXPIRY_FAILURE_THRESHOLD=86400, service.ad.PORT=3268, service.NAMING_SYNTAX={jndi.syntax.escape=\, jndi.syntax.separator=,, jndi.syntax.direction=right_to_left, jndi.syntax.separator.typeval==, jndi.syntax.trimblanks=true, jndi.syntax.separator.ava=+, jndi.syntax.ignorecase=true}, service.ldaps.PORT=636, service.REFERRAL_POLICY=ignore, service.dns.GC_PREFIX=_gc._tcp, auth.ATTEMPT_DISAMBIGUATION=true, java.naming.ldap.factory.socket=com.sun.vda.service.util.CustomSSLSocketFactory, ldaps://iapp.tum.de[636]/ou=users,ou=data,ou=prod,ou=iapp,dc=tum,dc=de=com.sun.directoryservices.control.DirectoryControls@f19dce, service.ad-domain.PORT=389, service.OPERATION_TIMEOUT=10}
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.connect.SimpleBindConnection connect
FINEST: thr#56 Connecting to iapp.tum.de:636
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.connect.DirectoryConnector connect
FINE: thr#56 Exception caught while connecting to iapp.tum.de:636 : javax.naming.CommunicationException: simple bind failed: iapp.tum.de:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected]
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.error.ErrorHandler handleError
FINE: thr#56 Processing javax.naming.CommunicationException: simple bind failed: iapp.tum.de:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected]
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.error.ErrorHandler handleError
FINEST: thr#56 Handling error:
javax.naming.CommunicationException: simple bind failed: iapp.tum.de:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2669)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:289)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at com.sun.sgd.directoryservices.core.connect.SimpleBindConnection.connect(SimpleBindConnection.java:60)
at com.sun.sgd.directoryservices.core.connect.DirectoryConnector.connect(DirectoryConnector.java:171)
at com.sun.sgd.directoryservices.core.service.GenericDirectoryService.connect(GenericDirectoryService.java:220)
at com.sun.sgd.directoryservices.core.DirectoryServiceContext.connect(DirectoryServiceContext.java:221)
at com.sun.sgd.directoryservices.core.DirectoryServiceContext.connect(DirectoryServiceContext.java:201)
at com.sun.directoryservices.service.DirectoryService.connect(DirectoryService.java:122)
at com.sun.vda.service.ldap.UserDirConnection.getBaseDN(UserDirConnection.java:312)
at com.sun.vda.service.ldap.UserDirConnection.getBaseDn(UserDirConnection.java:911)
at com.sun.vda.service.ldap.UserDirConnection.searchForUser(UserDirConnection.java:448)
at com.sun.vda.service.core.UserDirectory.searchForUser(UserDirectory.java:237)
at com.sun.vda.service.userdir.Client.getUserDn(Client.java:157)
at com.sun.vda.service.userdir.Client.getUser(Client.java:56)
at com.sun.vda.service.client.PreferredServers.getPreferredServers(PreferredServers.java:52)
at com.sun.vda.service.client.PreferredServers.execute(PreferredServers.java:37)
at com.sun.vda.service.client.ClientRequestWorker.execute(ClientRequestWorker.java:158)
at com.sun.vda.service.client.ClientRequestWorker.run(ClientRequestWorker.java:73)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
... 29 more
Caused by: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected
at com.sun.vda.service.util.CustomTrustManager.checkServerTrusted(CustomTrustManager.java:70)
at com.sun.vda.service.util.CustomTrustManager.checkServerTrusted(CustomTrustManager.java:44)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 41 more
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.error.ErrorHandler getShortcutAction
FINEST: thr#56 No shortcut action defined for: javax.naming.CommunicationException: simple bind failed: iapp.tum.de:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected]
Oct 12, 2010 5:40:04 PM com.sun.sgd.directoryservices.core.error.ErrorHandler handleError
FINE: thr#56 Invoking failover action for javax.naming.CommunicationException: simple bind failed: iapp.tum.de:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.sun.vda.service.util.CustomTrustManager$CertificateNotFoundException: An untrusted server certificate was detected]
Kind regards and thanks in advance for your help,
Christoph Erdle
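The log above shows VDI's own `CustomTrustManager` rejecting the chain presented by `iapp.tum.de:636` during the LDAPS bind, so the fix is to get the issuing CA into whichever trust store that trust manager reads, not to disable verification. The helpers below are an added example for checking that chain before importing anything; they are not from the post or from Sun VDI, they assume `openssl` (and `keytool` for the import) are on PATH, and the host name and truststore path are placeholders because the post does not identify VDI's truststore file.

```shell
#!/bin/sh
# Constructed diagnostic helpers for an "untrusted server certificate" on an
# LDAPS bind. Not part of the original post and not Sun VDI tooling; assumes
# openssl (and keytool for import_ca) are on PATH.

# fetch_chain HOST PORT OUTFILE: save the full certificate chain the LDAPS
# server presents in the TLS handshake (the chain the trust manager rejected).
# Returns non-zero if nothing was captured.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
  [ -s "$3" ]
}

# describe_chain CHAINFILE: print subject and issuer of every certificate in
# the chain, so the issuer that is missing from the trust store is visible.
describe_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain CHAINFILE CAFILE: exit 0 if the leaf (first certificate in the
# file) chains to a CA in CAFILE, using the remaining certificates as
# intermediates. This mirrors the check a Java trust manager performs.
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# import_ca CAFILE TRUSTSTORE STOREPASS ALIAS: add the CA certificate (never
# the server's leaf certificate) to a Java truststore. TRUSTSTORE is a
# placeholder: the post does not say which file VDI's CustomTrustManager reads.
import_ca() {
  keytool -importcert -noprompt -trustcacerts -alias "$4" -file "$1" \
    -keystore "$2" -storepass "$3"
}

# Usage (constructed host name, not the original poster's server):
#   fetch_chain ldap.example.test 636 /tmp/chain.pem && describe_chain /tmp/chain.pem
#   verify_chain /tmp/chain.pem /path/to/ca.pem && \
#     import_ca /path/to/ca.pem /PLACEHOLDER/truststore.jks changeit ldap-ca
```

Only once `verify_chain` succeeds against the CA file you intend to import does it make sense to add that CA to the trust store; if it fails, `describe_chain` shows which issuer is still missing.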