SASL bind failed

843811 Mar 31 2005 — edited Apr 6 2005
Hi,

I really hate this stuff! Just finished setting up SASL, Kerberos 5 and OpenLDAP 2.2.20 on a Linux box (Slackware, latest). Wrote my test client and get the following error on the XP box I'm running it from...

(falls over at call to 'DirContext ctx = new InitialDirContext(env);')
Attempting to log in....
 - logged in
Running privileged task...
 - getting DirContext
javax.naming.CommunicationException: SASL bind failed: lx-roberth.int.mediasurface.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:220)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
	at TestClient.run(TestClient.java:75)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:337)
	at TestClient.main(TestClient.java:41)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:843)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:675)
	at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
	at java.io.BufferedInputStream.read1(BufferedInputStream.java:256)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:313)
	at com.sun.jndi.ldap.Connection.run(Connection.java:780)
	at java.lang.Thread.run(Thread.java:595)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
	at sun.security.validator.Validator.validate(Validator.java:203)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:836)
	... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
	... 17 more
Here's the test client...
import java.io.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TestClient implements java.security.PrivilegedAction
{

	public static void main(String[] args)
	{
      try
      {
         SSONCallbackHandler callbackHandler = new SSONCallbackHandler("admin", "admin");

         java.util.Properties p = new java.util.Properties(System.getProperties());
         p.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
         p.setProperty("java.security.krb5.kdc", "linuxbox.example.com");
         p.setProperty("java.security.auth.login.config", "c:\\jaas.conf");
         System.setProperties(p);
         // Log in (to Kerberos)
         LoginContext lc = new LoginContext("SampleClient", callbackHandler);

         System.out.println("Attempting to log in....");

         // Attempt authentication
         lc.login();
         System.out.println(" - logged in");

         System.out.println("Running privileged task...");

         Subject.doAs(lc.getSubject(), new TestClient());
      }
      catch (LoginException le)
      {
         le.printStackTrace();
      }
      catch (Throwable t)
      {
         t.printStackTrace();
      }
	}


   public Object run()
   {
      try
      {
         Properties ldapProps = new Properties();
         InputStream is = getClass().getClassLoader().getResourceAsStream("ldap.properties");
         ldapProps.load(is);

         Properties env = new Properties();
         env.setProperty(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
         // Dangling fragment with no statement start; commented out so the class compiles:
         // ldapProps.getProperty("LDAPHost") + ":" + ldapProps.getProperty("LDAPPort") + "/");
         env.setProperty(javax.naming.Context.PROVIDER_URL, "ldaps://linuxbox.example.com:636/dc=example,dc=com");
         env.setProperty(javax.naming.Context.SECURITY_AUTHENTICATION, "GSSAPI");
         System.out.println(" - getting DirContext");

         DirContext ctx = new InitialDirContext(env);
         System.out.println("   - done");

      }
      catch (IOException ioe)
      {
         ioe.printStackTrace();
      }
      catch (NamingException ne)
      {
         ne.printStackTrace();
      }
      return null;
   }
}
All I know about certificates is what I've had to read to create them on the server. It was my understanding that I didn't need any kind of cert on the client side.

Any help/pointers would be much appreciated.

Ted.
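
The trace in the post fails in X509TrustManagerImpl.checkServerTrusted, before the GSSAPI exchange: the client JVM's trust store holds no CA that the LDAP server's certificate chains to. The following is an added example, not part of the original post, that builds a trust store from the CA certificate, confirms that the TLS handshake and host name check pass against it, and saves it for the JNDI client. The class name, alias and argument order are assumptions, as is having the CA certificate exported from the server as a PEM or DER file.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class LdapsTrustCheck {
    // Usage: java LdapsTrustCheck <ca-cert-file> <host> <port> <truststore-out> <store-password>
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsTrustCheck ca-cert host port truststore-out password");
            System.exit(2);
        }
        String host = args[1];
        int port = Integer.parseInt(args[2]);

        // Load the certificate of the CA that issued the LDAP server's certificate.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // In-memory trust store holding only that CA as a trust anchor.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("ldap-ca", ca); // alias is an arbitrary, assumed name

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext sslCtx = SSLContext.getInstance("TLS");
        sslCtx.init(null, tmf.getTrustManagers(), null);

        // Handshake with chain validation and host name checking. If the server's
        // chain does not lead to the CA, this throws the same PKIX error as in the post.
        try (SSLSocket s = (SSLSocket) sslCtx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(params);
            s.startHandshake();
            System.out.println("Server chain validates against " + ca.getSubjectX500Principal());
        }

        // Persist the store only after the check has passed.
        try (OutputStream out = new FileOutputStream(args[3])) {
            ts.store(out, args[4].toCharArray());
        }
        System.out.println("Saved trust store to " + args[3]);
    }
}
```

The JNDI client then picks the store up through the standard JSSE system properties `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword`, set on the command line or before `InitialDirContext` is created.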
Locked on May 4 2005
Added on Mar 31 2005