I'm currently running an instance of OpenLDAP 2.4.45 as my authenticator for a Talend ESB container. I'm connecting to the LDAP using TLS and I've managed to get my JMS broker to connect and make use of the LDAP successfully using org.apache.activemq.jaas.LDAPLoginModule, however, when using org.apache.karaf.jaas.modules.ldap.LDAPLoginModule for web services, I get the following stack trace:
2017-08-11 19:04:13,828 | WARN | qtp272427408-140 | LDAPLoginModule | 126 - org.apache.karaf.jaas.modules - 4.0.8 | Can't connect to the LDAP server: Unable to setup SSL support for LDAP: null
javax.naming.NamingException: Unable to setup SSL support for LDAP: null
at org.apache.karaf.jaas.modules.ldap.LDAPOptions.setupSsl(LDAPOptions.java:178)
at org.apache.karaf.jaas.modules.ldap.LDAPOptions.getEnv(LDAPOptions.java:158)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.open(LDAPCache.java:113)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.doGetUserDnAndNamespace(LDAPCache.java:151)
at org.apache.karaf.jaas.modules.ldap.LDAPCache.getUserDnAndNamespace(LDAPCache.java:142)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin(LDAPLoginModule.java:115)
at org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.login(LDAPLoginModule.java:54)
at org.apache.karaf.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:83)[org.apache.karaf.jaas.boot-4.0.8.jar:]
at sun.reflect.GeneratedMethodAccessor104.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_131]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)[:1.8.0_131]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)[:1.8.0_131]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)[:1.8.0_131]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)[:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_131]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)[:1.8.0_131]
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)[:1.8.0_131]
at org.apache.cxf.interceptor.security.JAASLoginInterceptor.handleMessage(JAASLoginInterceptor.java:141)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[67:org.apache.cxf.cxf-core:3.1.10]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[19:javax.servlet-api:3.1.0]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)[92:org.apache.cxf.cxf-rt-transports-http:3.1.10]
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)[198:org.eclipse.jetty.security:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:287)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[200:org.eclipse.jetty.servlet:9.2.19.v20160908]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)[223:org.ops4j.pax.web.pax-web-jetty:4.3.0]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.Server.handle(Server.java:499)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[199:org.eclipse.jetty.server:9.2.19.v20160908]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)[191:org.eclipse.jetty.io:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[202:org.eclipse.jetty.util:9.2.19.v20160908]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[202:org.eclipse.jetty.util:9.2.19.v20160908]
at java.lang.Thread.run(Thread.java:748)[:1.8.0_131]
My configuration file for my authenticator:
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="KarafLdapConfiguration" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            connection.url=ldaps://ldap:4444
            connection.username=uid=user,ou=users,dc=base
            connection.password=password
            authentication=simple
            user.base.dn=ou=users,dc=base
            user.filter=(uid=%u)
            user.search.subtree=true
            role.base.dn=ou=groups,dc=base
            role.filter=(uniquemember=%fqdn)
            role.name.attribute=uid
            role.search.subtree=true
            ssl=true
            ssl.protocol=TLS
            ssl.algorithm=PKIX
            ssl.keystore=store
            ssl.keyalias=myalias
            ssl.truststore=trust
        </jaas:module>
    </jaas:config>
    <jaas:keystore name="store"
                   path="file:///some/path/keystore.jks"
                   keystorePassword="secret"
                   keyPasswords="secret" />
    <jaas:keystore name="trust"
                   path="file:///some/path/truststore.jks"
                   keystorePassword="secret" />
</blueprint>
My suspicion here is that I'm missing the ssl.provider option in this configuration file. The documentation isn't clear on what this is expecting, though the source seems to be looking for a URI of some sort. I've spent quite a bit of time searching, but I can't find any information on what an SSL provider is outside of the companies that provide CA services. I don't know what URI this could be looking for. I'm not doing revocation checking, so not that. Any thoughts on what could be going wrong here?
I ended up solving this a few days ago, figure I'll document the solution in case it helps anyone in the future.
The issue did turn out to be a missing ssl.provider field in the configuration file. The part that took some figuring out was the actual URI that was required. In my earlier experimentation, I was missing the base DN for the LDAP. Ultimately, the field should look like
ssl.provider=ldaps://<somehostname>:<port>/<baseDN>
so what I ended up with was
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
    <jaas:config name="KarafLdapConfiguration" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            connection.url=ldaps://ldap:4444
            connection.username=uid=user,ou=users,dc=base
            connection.password=password
            authentication=simple
            user.base.dn=ou=users,dc=base
            user.filter=(uid=%u)
            user.search.subtree=true
            role.base.dn=ou=groups,dc=base
            role.filter=(uniquemember=%fqdn)
            role.name.attribute=uid
            role.search.subtree=true
            ssl=true
            ssl.protocol=TLS
            ssl.algorithm=PKIX
            ssl.provider=ldaps://ldap:4444/dc=baseDN
            ssl.keystore=store
            ssl.keyalias=myalias
            ssl.truststore=trust
        </jaas:module>
    </jaas:config>
    <jaas:keystore name="store"
                   path="file:///some/path/keystore.jks"
                   keystorePassword="secret"
                   keyPasswords="secret" />
    <jaas:keystore name="trust"
                   path="file:///some/path/truststore.jks"
                   keystorePassword="secret" />
</blueprint>
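The two blueprints in this thread differ only in the ssl.provider line, and the configuration is easy to get subtly wrong (an unterminated attribute quote, a missing truststore, a provider URI whose host and port disagree with connection.url). The following is an added example, not Karaf's code and not the poster's: a small Python linter that parses the jaas:module option block out of a blueprint file and checks the TLS-related options against the expectations stated in the answer above (ssl=true, an ldaps:// connection.url, a truststore, and an ssl.provider of the form ldaps://host:port/baseDN). The function names, the findings wording and the embedded sample blueprints are constructed for the demo.

```python
"""Lint the TLS options of a Karaf LDAPLoginModule blueprint (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

JAAS_NS = "http://karaf.apache.org/xmlns/jaas/v1.0.0"


def parse_module_options(xml_text):
    """Return the key=value options of the first <jaas:module> as a dict.

    Raises ValueError when the blueprint is not well-formed XML or has no
    module block. Option values (DNs, URLs) may themselves contain '=', so
    each line is split only on the first '='.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        raise ValueError("blueprint is not well-formed XML: %s" % err)
    module = root.find("{%s}config/{%s}module" % (JAAS_NS, JAAS_NS))
    if module is None or not module.text:
        raise ValueError("no <jaas:module> with option text found")
    opts = {}
    for line in module.text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def lint_ldap_tls(opts):
    """Return a list of findings; an empty list means the TLS options look consistent."""
    findings = []
    if opts.get("ssl", "false").lower() != "true":
        findings.append("ssl is not enabled; bind credentials would cross the wire in clear text")
        return findings
    url = urlsplit(opts.get("connection.url", ""))
    if url.scheme != "ldaps":
        findings.append("ssl=true but connection.url does not use ldaps://")
    if "ssl.truststore" not in opts:
        findings.append("ssl.truststore missing; the LDAP server certificate cannot be validated")
    provider = opts.get("ssl.provider")
    if provider is None:
        findings.append("ssl.provider missing (expected ldaps://host:port/baseDN)")
    else:
        prov = urlsplit(provider)
        if prov.scheme != "ldaps":
            findings.append("ssl.provider must use the ldaps:// scheme")
        if prov.netloc != url.netloc:
            findings.append("ssl.provider host:port %r differs from connection.url %r"
                            % (prov.netloc, url.netloc))
        if not prov.path.lstrip("/"):
            findings.append("ssl.provider has no base DN path component")
    return findings


def lint_blueprint(xml_text):
    """Convenience wrapper: parse errors are reported as a single finding."""
    try:
        return lint_ldap_tls(parse_module_options(xml_text))
    except ValueError as err:
        return [str(err)]


def make_blueprint(option_lines):
    """Build a minimal blueprint around the given option lines (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="%s">\n'
        '  <jaas:config name="KarafLdapConfiguration" rank="1">\n'
        '    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">\n'
        '%s\n'
        '    </jaas:module>\n'
        '  </jaas:config>\n'
        '</blueprint>\n'
    ) % (JAAS_NS, "\n".join("      " + line for line in option_lines))


# Constructed samples mirroring the question (no ssl.provider) and the answer.
COMMON = [
    "connection.url=ldaps://ldap:4444",
    "connection.username=uid=user,ou=users,dc=base",
    "user.base.dn=ou=users,dc=base",
    "ssl=true", "ssl.protocol=TLS", "ssl.algorithm=PKIX",
    "ssl.keystore=store", "ssl.keyalias=myalias", "ssl.truststore=trust",
]
QUESTION_CONFIG = make_blueprint(COMMON)
ANSWER_CONFIG = make_blueprint(COMMON + ["ssl.provider=ldaps://ldap:4444/dc=baseDN"])
# An unterminated attribute quote, the kind of slip that stops the blueprint parsing at all.
MALFORMED_CONFIG = ('<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="%s">'
                    '<jaas:keystore name="trust" path="file:///x.jks keystorePassword="s" /></blueprint>'
                    % JAAS_NS)

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG),
                       ("malformed", MALFORMED_CONFIG)):
        print(label, "->", lint_blueprint(cfg) or "ok")
```

Run as a script it prints one line per sample; wired into a deployment check it gives a fail-fast signal before the module reports the much less specific "Unable to setup SSL support for LDAP" at login time.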