LDAP connection failed - Error: simple bind failed

  • avackova
    Hello Pro7,
    It should work. You can define the parameters in the workspace.prm file, in another file (see the attached example project), or directly in the graph.
  • pro7
    I have parameters in the workspace.prm file and the password directly in the graph. I am able to access our test LDAP but I can't get to our production LDAP. I know I'm using the correct credentials and URL because I can access it outside of Clover. I tried a number of things, like adding the port to the URL. I tried with and without an "s" in the URL (ldaps\:). I suspect the problem has to do with SSL but I'm not sure what else to try.

    pro7
  • avackova
    Hello,
    I believe that importing the server certificate into the Java key store could help. Please see keytool - Key and Certificate Management Tool and the nice example in Adding a server's certificate to Java's keystore.
  • pro7
    Thanks, I got the cert from the LDAP server and successfully imported it into the cacerts file located in

    C:\Program Files (x86)\CloverETL Designer\jdk1.6.0_20\jre\lib\security

    But it didn't help the situation. I am still getting an error.


    INFO [main] - Checking graph configuration...
    ERROR [main] - Graph configuration is invalid.
    ERROR [main] - [LDAPReader:LDAP_READER0] - LDAP connection failed.
    ERROR [main] - Error during graph initialization !
    Element [1314360472591:DFTestLDAP]-Graph configuration is invalid.
    at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:166)
    at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:147)
    at org.jetel.main.runGraph.runGraph(runGraph.java:364)
    at org.jetel.main.runGraph.main(runGraph.java:328)


    pro7
  • avackova
    Hello,
    we would need more information about the reason for the failure. Is this the only information in the log, even after changing the log level to ALL? You can also try to run the graph without checking the configuration:
    (screenshot: Run Configurations)
    Then CloverETL would be more "talkative" and print out the full stack trace.
    If it doesn't bring any additional information, you can try to use DBInputTable with JDBC->LDAP Bridge instead of LDAPReader.
  • pro7
    Thanks. I changed the log level and have more info in the stack trace.

    Caused by: javax.naming.CommunicationException: simple bind failed: dc1.delhi.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    at com.linagora.ldap.LdapManager.openContext(LdapManager.java:177)
    at com.linagora.ldap.LdapParser.init(LdapParser.java:153)
    ... 7 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    at com.sun.jndi.ldap.Connection.run(Connection.java:807)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 18 more
  • avackova
    Hello,
    this error means that the required certificate is still missing from your key store. To see all the examined certificates, set the -Djavax.net.debug=all option when running the graph:
    (screenshot: Run Configurations)
    Please try the following steps once more:
    • Obtain the server's public key:
      The public/private key pair will live somewhere on the server. The public key should be located and copied to your computer. For example:
      scp root@dc1.xxx.yyy:/etc/ssl/certs/imapd.pem .

      If you have openssl installed locally, the key can be retrieved with a command like:
      openssl s_client -connect dc1.xxx.yyy:636
      CONNECTED(00000003)
      depth=1 /C=CZ/ST=Czech Republic/L=Prague/O=Javlin a.s./OU=admin/CN=javlin.eu/emailAddress=javlin@support.digitwins.com
      .....
      .....
      Server certificate
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      Cut and paste the certificate (including the BEGIN and END lines) into a local file (e.g. imapd.pem).

    • Import the public key:
      sudo keytool -import -alias dc1.xxx.yyy -keystore $JAVA_HOME/jre/lib/security/cacerts -file imapd.pem

      This will import the public key (imapd.pem) into Java's default keystore and mark it as trusted.
  • pro7
    Thanks. I found my mistake. I knew I was supposed to be working in the \CloverETL Designer\ path but for some dumb reason, I was in my Java path when I did the import the first time. I have imported into the correct cacerts file and it is working now. Thanks for all your help and patience.

    pro7
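    An added diagnostic for the mistake above (it is not code from this thread or from CloverETL): it prints the cacerts file the running JVM actually reads and runs the same PKIX path validation the TLS handshake does, against a certificate saved from "openssl s_client". Assumptions: Java 7 or newer, the default cacerts password "changeit", and the PEM file as the first argument; run it with the JDK bundled under CloverETL Designer to check that JDK's truststore rather than another one.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not CloverETL code. Usage: java TrustCheck imapd.pem
public class TrustCheck {
  /** Truststore this JVM reads by default: java.home/lib/security/cacerts
   *  (java.home is the jre directory on Java 8 and older, e.g. jdk1.6.0_20/jre). */
  static Path defaultCacerts() {
    return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
  }

  static KeyStore loadCacerts(Path cacerts, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream(cacerts.toFile())) {
      ks.load(in, password);
    }
    return ks;
  }

  /** Same PKIX path building the TLS handshake does; throws if no trust anchor in cacerts fits. */
  static void validateChain(KeyStore trust, List<X509Certificate> chain) throws Exception {
    PKIXParameters params = new PKIXParameters(trust);
    params.setRevocationEnabled(false); // offline check, like the JDK default
    CertPathValidator.getInstance("PKIX")
        .validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), params);
  }

  public static void main(String[] args) throws Exception {
    Path cacerts = defaultCacerts();
    System.out.println("JVM truststore: " + cacerts);
    KeyStore trust = loadCacerts(cacerts, "changeit".toCharArray()); // assumed: JDK default password
    List<X509Certificate> chain = new ArrayList<>();
    try (InputStream in = new FileInputStream(args[0])) { // PEM file, server (leaf) certificate first
      for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
        chain.add((X509Certificate) c);
      }
    }
    try {
      validateChain(trust, chain);
      System.out.println("trusted by " + cacerts);
    } catch (CertPathValidatorException e) {
      System.out.println("NOT trusted (" + e.getMessage() + "): import the certificate into " + cacerts);
    }
  }
}
```

    If the path printed is not the one under CloverETL Designer, the keytool import went into a different JDK's cacerts, which is exactly the situation described in the post above.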
  • pro7
    Agata, I'm facing another problem related to LDAP. I am back on my test system and trying to run a test that does an actual update to the LDAP (Active Directory). I imported the certificate from the LDAP into the cacerts file used by CloverETL Designer on my client machine (Windows 7). I have a very simple graph set up to run this test. The error I'm getting looks like this:

    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0


    Any ideas what the problem might be? I have been looking at various forums for a fix but I'm not finding anything very useful.

    Thanks
  • pro7
    err 0000052D
    # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION winerror.h
    # Unable to update the password. The value provided for the
    # new password does not meet the length, complexity, or
    # history requirement of the domain.
    # 1 matches found for "0000052D"

    Strange because I am not trying to update a password. I'm trying to replace the value in userAccountControl attribute to enable a user.
  • mkrivanek
    http://www.eggheadcafe.com/microsoft/Wi ... sword.aspx

    If the domain pwd policy requires passwords, then you have to set a password before enabling.


    I suppose that the current password of the account you are trying to enable does not match the password policy.
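    An added example of the order mkrivanek describes, written with plain JNDI (it is not CloverETL code or anything posted in this thread): set unicodePwd over LDAPS first, then clear the ACCOUNTDISABLE bit of userAccountControl. The class name, the argument order and the use of a simple bind are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.*;

// Added example, not CloverETL code. Usage (assumed argument order):
//   java EnableAdUser ldaps://dc1.example.com:636 <bindDN> <bindPassword> <userDN> <newUserPassword>
public class EnableAdUser {
  static final int ACCOUNTDISABLE = 0x0002; // userAccountControl bit that disables the account

  /** AD accepts unicodePwd only as the UTF-16LE bytes of the password wrapped in double quotes. */
  static byte[] encodeUnicodePwd(String password) {
    return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
  }

  /** Clears ACCOUNTDISABLE and leaves every other flag (NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, ...) as is. */
  static int withAccountEnabled(int userAccountControl) {
    return userAccountControl & ~ACCOUNTDISABLE;
  }

  public static void main(String[] args) throws Exception {
    String url = args[0], bindDn = args[1], bindPw = args[2], userDn = args[3], newPw = args[4];
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url); // must be ldaps:// with the DC certificate in cacerts: AD refuses unicodePwd over plain LDAP
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, bindPw);
    DirContext ctx = new InitialDirContext(env);
    try {
      // Step 1: give the account a password that satisfies the domain policy.
      ctx.modifyAttributes(userDn, new ModificationItem[] { new ModificationItem(
          DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", encodeUnicodePwd(newPw))) });

      // Step 2: only now clear the disable bit. Enabling while the password violates the policy
      // is what AD answers with WILL_NOT_PERFORM / 0000052D (ERROR_PASSWORD_RESTRICTION).
      Attributes attrs = ctx.getAttributes(userDn, new String[] { "userAccountControl" });
      int uac = Integer.parseInt((String) attrs.get("userAccountControl").get());
      ctx.modifyAttributes(userDn, new ModificationItem[] { new ModificationItem(
          DirContext.REPLACE_ATTRIBUTE,
          new BasicAttribute("userAccountControl", Integer.toString(withAccountEnabled(uac)))) });
    } finally {
      ctx.close();
    }
  }
}
```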