SSL and LDAP?

KSanders
2013-03-20
2013-06-12
  • KSanders

    KSanders - 2013-03-20

    I've successfully added my Zimbra server's CA cert to the Tomcat keystore per the instructions at http://wiki.mxhero.com:8080/display/docs/LDAP

    But I am unable to connect to the LDAP server with the SSL box checked. The "Test" button works fine without SSL but with SSL it throws an error that is hidden behind the Account/Aliases dialog box.


    Any assistance would be greatly appreciated.

     
  • KSanders

    KSanders - 2013-03-20


    Don't see an edit button but I pasted the wrong URL for the screen shot.

     
  • Marcelo Angel Marmol

    Ok, it looks like the error display needs an improvement… I will add it as an issue to our roadmap.

    Please take the log from /var/lib/tomcat6/logs/catalina.out and send it to me as a private message so we can figure out what is happening.

    Cheers,

     
  • Marcelo Angel Marmol

    From your log it looks to me that the remote server is not letting you access that port for the SSL connection. Just to be sure, did you try accessing it from the server where you are running the mxHero console, using the command line like this?

    telnet hostip 389

    Did that work?

     
  • KSanders

    KSanders - 2013-03-20

    Telnet works fine, no errors. Additionally the LDAP configuration works fine when the SSL box is unchecked, but only fails with the SSL box checked. All other settings are the same.

     
  • Marcelo Angel Marmol

    Ok, can you check that Tomcat is in fact running with the JDK inside mxHero where you installed the SSL certificates?

    If not, that may be the problem. You can try to make Tomcat run with the same JDK as mxHero, or see if adding these parameters to the Tomcat start helps:

    -Djavax.net.ssl.trustStore="<path to truststore file>"
    -Djavax.net.ssl.trustStorePassword="<passphrase for truststore>"

    Let me know if that solves the problem; we may want to check our mxHero installer.

     
  • KSanders

    KSanders - 2013-03-20

    I ran ldapsearch against the Zimbra server from the MXHero system. It worked fine with and without TLS.

     
  • KSanders

    KSanders - 2013-03-20

    Sure I'll double check Tomcat right now. Thanks

     
  • KSanders

    KSanders - 2013-03-20

    In fact it is not running with the java that was installed with MXHero under /opt

    It's running with the system java.

    This was installed using the downloaded installer for what that's worth, maybe I missed a step during the install or the installer did something unexpected?

    I added the path to the keystore and restarted mxhero and tomcat, but that did not fix the issue.

    I'll switch the java tomcat is using and will advise.

     
  • KSanders

    KSanders - 2013-03-20

    Switching Tomcat to use MXHero's java did not fix it.

    System Java: java version "1.6.0_27"
    OpenJDK Runtime Environment (IcedTea6 1.12.1) (6b27-1.12.1-2ubuntu0.11.10.2)
    OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

    MXHero Java: java version "1.6.0_30"
    Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
    Java HotSpot(TM) 64-Bit Server VM (build 20.5-b03, mixed mode)

     
  • Marcelo Angel Marmol

    Try to configure that when Tomcat runs. If this does not help we will need to create an issue and do some research.
    -Djavax.net.ssl.trustStore="<path to truststore file>"
    -Djavax.net.ssl.trustStorePassword="<passphrase for truststore>"

    Also, the engine should work; can you save the configuration without testing and see if the server gets information? The console and the actual importer of the accounts are different processes.

    Regards,

     
  • KSanders

    KSanders - 2013-03-20

    I tried specifying the trustStore manually, to no avail.

    I did an ssldump of the transaction, if perhaps that helps.

    New TCP connection #1: XXXXXXX(37558) <-> XXXXXXXXXX(389)
    1 1  0.0019 (0.0019)  C>S SSLv2 compatible client hello
      Version 3.1
      cipher suites
      TLS_RSA_WITH_RC4_128_MD5
      SSL2_CK_RC4
      TLS_RSA_WITH_RC4_128_SHA
      Unknown value 0x2f
      Unknown value 0x33
      Unknown value 0x32
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      SSL2_CK_3DES
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_DES_CBC_SHA
      SSL2_CK_DES
      TLS_DHE_RSA_WITH_DES_CBC_SHA
      TLS_DHE_DSS_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT_WITH_RC4_40_MD5
      SSL2_CK_RC4_EXPORT40
      TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
      TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
      TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
      Unknown value 0xff
    1    0.0021 (0.0001)  S>C  TCP FIN
    1 2  0.0027 (0.0006)  C>SV3.1(2)  Alert
        level           fatal
        value           handshake_failure
    1    0.0028 (0.0000)  C>S  TCP FIN

     
  • KSanders

    KSanders - 2013-03-20

    MXHero works fine with SSL disabled, by the way.

     
  • Marcelo Angel Marmol

    Sorry, I will have to add an issue on our system; I can't figure out right now what is wrong.

    Did you try to add the configuration without testing and see if it works? The real import is not done from Tomcat, it is done from the mxHero process. That could be a great indicator. If it fails in both it may be what you mention; if not, it looks more like something related to the webapp.

     
  • KSanders

    KSanders - 2013-03-20

    No worries, thanks.

    It does not throw an error when I save without testing, but the Last Update field does not change and changes made to the accounts on the Zimbra server are not reflected in the Management > Domain > Email Accounts list.

     
  • Marcelo Angel Marmol

    If you click the refresh button on the last update, and you go out and come back after a minute, does it change? Does it show anything?
    Also check the log in /opt/mxhero/logs/mxhero.log and see if you find any error related to the adsyn module. That would be helpful.

    Regards,

     
