openldap-technical

openldap-technical@openldap.org

9790 discussions

AW: Re: AW: Re: AW: StartTLS is not working
by Hauke Coltzau 09 Oct '08

09 Oct '08

Hi Dat, > I've added the below to /etc/openldap/ldap.conf on RHEL 5: > TLS_CACERT /etc/openldap/cacerts/ServerCA.chain.pem > TLS_REQCERT demand > > and still getting errors messages... below: > > TLS certificate verification: Error, self signed certificate The LDAP server does not send a server certificate but a self signed certificate. Are you sending the RootCA's certificate? Create a server certificate as described in the tutorial and let your LDAP server use this. I assume that you will have to read a bit more about certificates and openssl to understand all the steps of the mini tutorial. Rergards, Hauke ----- Original Message ---- From: Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> To: openldap-software <openldap-software(a)openldap.org> Cc: Dat Duong <datduong2000(a)yahoo.com> Sent: Wednesday, October 8, 2008 2:09:11 AM Subject: AW: Re: AW: StartTLS is not working Hi Dat, glad to see that the first problem has been solved now. As Dieter already pointed out, we need to know how the certificates have been created. As a rough overview, you will need to run through following steps: 0. Understand the basic idea: At the end of this MiniHowto, you will have three certification authorities: UserCA: For user certificates (usually password protected) ServerCA: For server certificates (usually NOT password protected) RootCA: The CA that everyone has to trust in the end. This CA only exists to create and verify the UserCA and ServerCA. For your LDAP server, you create a server certificate with your ServerCA. The LDAP clients will accept the LDAP certificate as long as they trust the ServerCA. They will trust the ServerCA because they trust the RootCA. To make them do so, you will need the certificates of the ServerCA AND the RootCA on each client. Just to make sure: We are not talking about copying the LDAP certificate to the client. Instead, you will copy the CA certificates to the client. 1. Create directory structure and files containing random numbers (need to be root for this): # Make sure uuencode is installed. On Debian based # systems, type # # apt-get install sharutils # cd /usr/lib/ssl/ for i in RootCA ServerCA UserCA; do mkdir -p $i/newcerts; mkdir $i/certs; mkdir $i/crl; mkdir $i/private; touch $i/index.txt; echo 01 > $i/serial; chmod -R g-rwx,o-rwx $i; done for i in `find /usr/lib/ssl/ -name private` do cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > $i/.rand chmod 770 $i/.rand ls -l $i/.rand done At the end of this step, you will have three subdirectories in /usr/lib/ssl: RootCA: Contains the root CA's self-signed certificate and private key as well as the certificates created by the root CA. ServerCA: Contains the CA which is used to create server certificates. Again, the directory contains of the server CA's certificate and key as well as the certificates created by the server CA. UserCA: Contains the CA which is used to create user certificates. 2. openssl.cnf Adapt your openssl.cnf (should be in /usr/lib/ssl, too) to have proper entries for each of the CAs: HOME = /usr/lib/ssl [ RootCA ] dir = /usr/lib/ssl/RootCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/RootCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/RootCA.key.pem RANDFILE = $dir/private/.rand policy = policy_match x509_extensions = ca_cert [ ServerCA ] dir = /usr/lib/ssl/ServerCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/ServerCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ServerCA.key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert (Same with [ UserCA ]) There are more options to be set, but they depend on your environment. Have a look at the default_days, default_md, ... parameters. 1. Create a self signed certificate (RootCA): cd /usr/lib/ssl/RootCA # Create the private key first # You will be asked for a new pasword here. Make it a good one and remember it ;-) openssl genrsa -aes256 -out /usr/lib/ssl/RootCA/private/RootCA.key.pem -rand /usr/lib/ssl/RootCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/RootCA/private/RootCA.key.pem # Now create a certification request. Because the cert is self-signed, this # directly creates the RootCA's certificate. You will be asked for the # password you just created. # # All in one line: openssl req -new -x509 -days 1827 -key /usr/lib/ssl/RootCA/private/RootCA.key.pem -out /usr/lib/ssl/RootCA/RootCA.cert.pem # Copy the certificate to the certs directory and create a link named like # the cert's hash value cp RootCA.cert.pem certs/00.pem cd certs ln -s /usr/lib/ssl/RootCA/certs/00.pem `openssl x509 -hash -noout -in 00.pem`.0 Now you should have the cert (00.pem) and something like 1a2783e8.0 pointing to /usr/lib/ssl/RootCA/00.pem 2. Create the ServerCA cd /usr/lib/ssl/ServerCA # Create the private key for the ServerCA # You will be asked for a new password here. Do not make it the same as the RootCA's # password, but still - make it a good one. # openssl genrsa -aes256 -out /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -rand /usr/lib/ssl/ServerCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/ServerCA/private/ServerCA.key.pem # Create the certification request. You will be asked for the # newly created password. # (All in one line) openssl req -new -days 1827 -key /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -out /usr/lib/ssl/ServerCA/ServerCA.req.pem # Let the RootCA sign the request and create the certificate. # You will need the RootCA's password for this. # openssl ca -name RootCA -in /usr/lib/ssl/ServerCA/ServerCA.req.pem -out /usr/lib/ssl/ServerCA/ServerCA.cert.pem # Copy and link the certificate. # mv /usr/lib/ssl/RootCA/newcerts/01.pem /usr/lib/ssl/RootCA/certs/ cd /usr/lib/ssl/RootCA/certs/ ln -s 01.pem `openssl x509 -in 01.pem -hash -noout`.0 # And copy the part neccessary for browser integration into # another file (this is the part between BEGIN CERTIFICATE and END CERTIFICATE) # cd /usr/lib/ssl/ServerCA sed -n '/-----BEGIN CERTIFICATE-----/,$p' ServerCA.cert.pem > ServerCA.crt # Create the CACerts file used on the client side to verify a server cert mkdir /usr/lib/ssl/cacerts/ cat /usr/lib/ssl/RootCA/RootCA.cert.pem /usr/lib/ssl/ServerCA/ServerCA.cert.pem > /usr/lib/ssl/cacerts/ServerCA.chain.pem # The newly created file (ServerCA.chain.pem) is the CACertsFile which has to be copied # to every client. Create a /usr/lib/ssl/cacerts/ directory on the client side and copy # the file to that location. 3. Do the same with the User CA 4. Create your LDAP server certificate. As for the name in your cert, use the fqdn of the machine you are running the server on. cd /usr/lib/ssl/ServerCA # You will NOT need a password here # openssl genrsa -out <fqdn-of-your-server>.key.pem -rand ./private/.rand 2048 openssl req -new -key <fqdn-of-your-server>.key.pem -out <fqdn-of-your-server>.req.pem # But here, you will be asked for the ServerCA's password openssl ca -name ServerCA -in <fqdn-of-your-server>.req.pem -out <fqdn-of-your-server>.cert.pem Move and link the new certificate (in newcerts) as above. 5. Configure LDAP server and clients Make sure that your ldap server can read its own private key. If your ldap server is running as user openldap, make sure that this user owns the private key in /usr/lib/ssl/ServerCA/private/ Normal users should never be allowed to read the key! This would break the whole security mechanism. In your slapd.conf, you will have TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem And on client side ldap.conf: TLS_CACERT /usr/lib/ssl/cacerts/ServerCA.chain.pem TLS_REQCERT demand Hope this helps, Hauke p.s.: The description is strongly influenced by Frank Steidl's tutorial as it can be found at http://fra.nksteidl.de/Erinnerungen/OpenSSL.php ----- Ursprüngliche Mail ----- Von: "Dieter Kluenter" < dieter(a)dkluenter.de > An: openldap-technical(a)openldap.org Gesendet: Dienstag, 7. Oktober 2008 22:34:14 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: StartTLS is not working Dat Duong < datduong2000(a)yahoo.com > writes: > Hi Hauke, > > I still can't get TLS to work. Here is the error message. > > TLS certificate verification: Error, self signed certificate > tls_write: want=7, written=7 > 0000: 15 03 01 00 02 02 30 ......0 > TLS trace: SSL3 alert write:fatal:unknown CA > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority. -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------ -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------

1 0

ldapadd error
by Kermito le kermit 08 Oct '08

08 Oct '08

hello all i am new to openldap and i have some problem to use, i follow the exemple in quick start guide to make my slpad.conf but when i what to populta my data base i have error in the log i see conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 ADD dn="dc=example,dc=com" Erreur de segmentation i am to debian help me please

1 0

problem searching directory for a certificate
by drewgr 07 Oct '08

07 Oct '08

Folks, I have a Java based application using JNDI to connect with OpenLDAP. One of the functions requires searching the directory for a given certificate. No matter what I try, this will not work with OpenLDAP. I think that either OpenLDAP just is not able to search for binary data, or more likely there is something "special" about the "userCertificate;binary" attribute. I turned on full tracing in the LDAP log, and I see the following when the relevant search is executed. >>> serialNumberAndIssuerPretty: <various "graphics" characters > get_ava: illegal value for attributeType userCertificate end get_filter 0 end get_filter_list end get_filter 0 filter: (&(?=undefined)) => get_ctrls => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" attrs: The "filter: (&(?=undefined))" seems really fishy to me. When I do any other search, the line looks more like "(&(uid=GregD))" From the application side, it appears that the request succeeded, but it returns nothing. I know the certificate exists in the directory, as I can search on an ordinary attribute like uid and then get the userCertificate;binary attribute from the result. The data returned is a valid certificate. I have watched the packet stream back and forth, and the query is getting transmitted to the slapd correctly, but no matches are returned. Setting com.sun.jndi.ldap.trace.ber to System.out in the application gives trace data which indicates the same thing. To further validate my suspicions that this is an OpenLDAP issue, I set up a Sun Directory Server instance on the same server, and I am able to perform the search against that software. I've also started looking around the OpenLDAP source code, but so far have not found the smoking gun. Can anyone shed some light on this for me? The OS is CentOS 5.2, latest patches. The OpenLdap version is 2.3.27-8 as reported by rpm. Thanks Greg

2 1

Re: AW: StartTLS is not working
by Dat Duong 07 Oct '08

07 Oct '08

Hi Hauke, I still can't get TLS to work. Here is the error message. TLS certificate verification: Error, self signed certificate tls_write: want=7, written=7 0000: 15 03 01 00 02 02 30 ......0 TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. ldap_err2string ldap_start_tls: Connect error (-11) Thanks ----- Original Message ---- From: Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> To: Dat Duong <datduong2000(a)yahoo.com> Cc: openldap-technical <openldap-technical(a)openldap.org> Sent: Tuesday, October 7, 2008 1:25:37 AM Subject: AW: StartTLS is not working Hi Dat, first of all: Please send your questions to the list so that other users with the same problem can find the solution, too. To your problem: Please make sure that you have a correct value for your ServerCA's private key in your openssl.cnf. It should read something like this: [ ServerCA ] # Where is the base directory for the ServerCA dir = /usr/lib/ssl/ServerCA # Where is the ServerCA's certificate certificate = $dir/ServerCA.cert.pem # and where is the ServerCA's private key private_key = $dir/private/ServerCA.key.pem Without the private key, the ServerCA will not be able to sign your LDAP certificate. You will find more configuration hints for openssl.cnf in the tutorial. Hope this helps, Hauke -- ----- Ursprüngliche Mail ----- Von: "Dat Duong" <datduong2000(a)yahoo.com> An: "hauke coltzau" <hauke.coltzau(a)FernUni-Hagen.de> Gesendet: Dienstag, 7. Oktober 2008 09:06:07 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: StartTLS is not working Hi Hauke, I read your instruction on how to create Root CA ...I have a hard time understanding the step. I have a question on how to sign the ldap server certificated using Server CA? I get an error message: bash-3.00# openssl ca -name ServerCA -in afldap01.req.pem -out afldap01.cert.pem Using configuration from /usr/local/ssl/openssl.cnf variable lookup failed for ServerCA::private_key 18908:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=ServerCA name=private_key Thanks Dat -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------

2 1

LVM snapshot as a backup method
by Pavlos Parissis 07 Oct '08

07 Oct '08

Hi, Has anyone used LVM snapshot as a backup method when downtime isn't allowed and slapcat takes hours to finish? I have to find a way to backup the LDAP without bring it down or set it in ReadOnly mode, thus I thought about the LVM snapshot. I can run LVM snapshot every day and then run db_recover -c for making the snapshot LDAP DB in a good state. Am I missing something in the above idea? Cheers, Pavlos

2 3

RE: JDBC-LDAP Bridge Driver and Tomcat Connection Pooling
by Hu, William 07 Oct '08

07 Oct '08

I got the following when try to use connection pooling from Tomcat. There maybe an issue with auto commit, read only and transaction isolation settings. Does your driver use these settings? Or are they not implemented? Thanks in advance com.jaspersoft.jasperserver.api.JSException: jsexception.error.creating.connection com.jaspersoft.jasperserver.api.JSException: jsexception.error.creating.connection at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.createConnection(JdbcDataSourceService.java:61) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.BaseJdbcDa taSource.setReportParameterValues(BaseJdbcDataSource.java:52) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.setReportParameterValues(JdbcDataSourceService.java:66) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:633) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:333) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.executeReport(EngineServiceImpl.java:765) at com.jaspersoft.jasperserver.api.engine.jasperreports.domain.impl.ReportUnitR equest.execute(ReportUnitRequest.java:60) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.execute(EngineServiceImpl.java:265) at com.jaspersoft.jasperserver.war.action.ViewReportAction.executeReport(ViewRe portAction.java:329) at com.jaspersoft.jasperserver.war.action.ViewReportAction.verifyData(ViewRepor tAction.java:222) at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethod Invoker.java:103) at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:13 6) at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.jav a:203) at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.j ava:142) at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.jav a:61) at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180) at org.springframework.webflow.engine.State.enter(State.java:200) at org.springframework.webflow.engine.Transition.execute(Transition.java:229) at org.springframework.webflow.engine.TransitionableState.onEvent(Transitionabl eState.java:112) at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572) at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEven t(RequestControlContextImpl.java:207) at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowEx ecutionImpl.java:214) at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImp l.java:238) at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopU tils.java:281) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint (ReflectiveMethodInvocation.java:187) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:154) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.inv oke(MethodSecurityInterceptor.java:66) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:176) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopPro xy.java:210) at $Proxy13.resume(Unknown Source) at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRe quest(FlowRequestHandler.java:115) at org.springframework.webflow.executor.mvc.FlowController.handleRequestInterna l(FlowController.java:170) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abstrac tController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(Si mpleControllerHandlerAdapter.java:45) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServl et.java:820) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServle t.java:755) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkSer vlet.java:396) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java :350) at javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:252) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.common.UploadMultipartFilter.doFilter(Upload MultipartFilter.java:86) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:264) at org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUs erProcessingFilter.java:335) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecur ityInterceptor.java:107) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSec urityInterceptor.java:72) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslatio nFilter.java:110) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(Ano nymousProcessingFilter.java:125) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthentic ationProcessingFilter.doFilter(MetadataAuthenticationProcessingFilter.java:1 41) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.util.RequestParameterAuthenticationFilter.do Filter(RequestParameterAuthenticationFilter.java:97) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessin gFilter.java:181) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFil ter.java:217) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpS essionContextIntegrationFilter.java:191) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:90) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.util.CharacterEncodingFilter.doFilter(Charac terEncodingFilter.java:70) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilt erProxy.java:138) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:178) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126 ) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105 ) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processC onnection(Http11BaseProtocol.java:664) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.jav a:527) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWo rkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:684) at java.lang.Thread.run(Thread.java:595) Caused by: org.apache.commons.dbcp.SQLNestedException: Cannot get a connection, pool exhausted at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:103) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.createConnection(JdbcDataSourceService.java:58) ... 94 more Caused by: java.util.NoSuchElementException: Could not create a validated object, cause: LDAP Does Not Support Transactions at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPoo l.java:806) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:95) ... 95 more org.apache.commons.dbcp.SQLNestedException: Cannot get a connection, pool exhausted org.apache.commons.dbcp.SQLNestedException: Cannot get a connection, pool exhausted at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:103) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.createConnection(JdbcDataSourceService.java:58) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.BaseJdbcDa taSource.setReportParameterValues(BaseJdbcDataSource.java:52) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.setReportParameterValues(JdbcDataSourceService.java:66) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:633) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:333) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.executeReport(EngineServiceImpl.java:765) at com.jaspersoft.jasperserver.api.engine.jasperreports.domain.impl.ReportUnitR equest.execute(ReportUnitRequest.java:60) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.execute(EngineServiceImpl.java:265) at com.jaspersoft.jasperserver.war.action.ViewReportAction.executeReport(ViewRe portAction.java:329) at com.jaspersoft.jasperserver.war.action.ViewReportAction.verifyData(ViewRepor tAction.java:222) at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethod Invoker.java:103) at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:13 6) at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.jav a:203) at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.j ava:142) at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.jav a:61) at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180) at org.springframework.webflow.engine.State.enter(State.java:200) at org.springframework.webflow.engine.Transition.execute(Transition.java:229) at org.springframework.webflow.engine.TransitionableState.onEvent(Transitionabl eState.java:112) at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572) at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEven t(RequestControlContextImpl.java:207) at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowEx ecutionImpl.java:214) at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImp l.java:238) at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopU tils.java:281) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint (ReflectiveMethodInvocation.java:187) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:154) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.inv oke(MethodSecurityInterceptor.java:66) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:176) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopPro xy.java:210) at $Proxy13.resume(Unknown Source) at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRe quest(FlowRequestHandler.java:115) at org.springframework.webflow.executor.mvc.FlowController.handleRequestInterna l(FlowController.java:170) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abstrac tController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(Si mpleControllerHandlerAdapter.java:45) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServl et.java:820) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServle t.java:755) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkSer vlet.java:396) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java :350) at javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:252) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.common.UploadMultipartFilter.doFilter(Upload MultipartFilter.java:86) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:264) at org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUs erProcessingFilter.java:335) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecur ityInterceptor.java:107) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSec urityInterceptor.java:72) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslatio nFilter.java:110) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(Ano nymousProcessingFilter.java:125) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthentic ationProcessingFilter.doFilter(MetadataAuthenticationProcessingFilter.java:1 41) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.util.RequestParameterAuthenticationFilter.do Filter(RequestParameterAuthenticationFilter.java:97) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessin gFilter.java:181) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFil ter.java:217) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpS essionContextIntegrationFilter.java:191) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:90) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.util.CharacterEncodingFilter.doFilter(Charac terEncodingFilter.java:70) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilt erProxy.java:138) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:178) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126 ) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105 ) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processC onnection(Http11BaseProtocol.java:664) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.jav a:527) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWo rkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:684) at java.lang.Thread.run(Thread.java:595) Caused by: java.util.NoSuchElementException: Could not create a validated object, cause: LDAP Does Not Support Transactions at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPoo l.java:806) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:95) ... 95 more java.util.NoSuchElementException: Could not create a validated object, cause: LDAP Does Not Support Transactions java.util.NoSuchElementException: Could not create a validated object, cause: LDAP Does Not Support Transactions at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPoo l.java:806) at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.ja va:95) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.createConnection(JdbcDataSourceService.java:58) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.BaseJdbcDa taSource.setReportParameterValues(BaseJdbcDataSource.java:52) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.JdbcDataSo urceService.setReportParameterValues(JdbcDataSourceService.java:66) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:633) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.fillReport(EngineServiceImpl.java:333) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.executeReport(EngineServiceImpl.java:765) at com.jaspersoft.jasperserver.api.engine.jasperreports.domain.impl.ReportUnitR equest.execute(ReportUnitRequest.java:60) at com.jaspersoft.jasperserver.api.engine.jasperreports.service.impl.EngineServ iceImpl.execute(EngineServiceImpl.java:265) at com.jaspersoft.jasperserver.war.action.ViewReportAction.executeReport(ViewRe portAction.java:329) at com.jaspersoft.jasperserver.war.action.ViewReportAction.verifyData(ViewRepor tAction.java:222) at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethod Invoker.java:103) at org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:13 6) at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.jav a:203) at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.j ava:142) at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.jav a:61) at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180) at org.springframework.webflow.engine.State.enter(State.java:200) at org.springframework.webflow.engine.Transition.execute(Transition.java:229) at org.springframework.webflow.engine.TransitionableState.onEvent(Transitionabl eState.java:112) at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572) at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEven t(RequestControlContextImpl.java:207) at org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowEx ecutionImpl.java:214) at org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImp l.java:238) at sun.reflect.GeneratedMethodAccessor211.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopU tils.java:281) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint (ReflectiveMethodInvocation.java:187) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:154) at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.inv oke(MethodSecurityInterceptor.java:66) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(Reflect iveMethodInvocation.java:176) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopPro xy.java:210) at $Proxy13.resume(Unknown Source) at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRe quest(FlowRequestHandler.java:115) at org.springframework.webflow.executor.mvc.FlowController.handleRequestInterna l(FlowController.java:170) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abstrac tController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(Si mpleControllerHandlerAdapter.java:45) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServl et.java:820) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServle t.java:755) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkSer vlet.java:396) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java :350) at javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:252) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.common.UploadMultipartFilter.doFilter(Upload MultipartFilter.java:86) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:264) at org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUs erProcessingFilter.java:335) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecur ityInterceptor.java:107) at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSec urityInterceptor.java:72) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslatio nFilter.java:110) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(Ano nymousProcessingFilter.java:125) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.api.metadata.user.service.impl.MetadataAuthentic ationProcessingFilter.doFilter(MetadataAuthenticationProcessingFilter.java:1 41) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.util.RequestParameterAuthenticationFilter.do Filter(RequestParameterAuthenticationFilter.java:97) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessin gFilter.java:181) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFil ter.java:217) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at com.jaspersoft.jasperserver.war.UserPreferencesFilter.doFilter(UserPreferenc esFilter.java:165) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpS essionContextIntegrationFilter.java:191) at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterCh ainProxy.java:274) at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148) at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:90) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at com.jaspersoft.jasperserver.war.util.CharacterEncodingFilter.doFilter(Charac terEncodingFilter.java:70) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilt erProxy.java:138) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:202) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:173) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:178) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126 ) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105 ) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processC onnection(Http11BaseProtocol.java:664) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.jav a:527) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWo rkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:684) at java.lang.Thread.run(Thread.java:595)

1 0

question regarding ACLs
by Kick, Claus 07 Oct '08

07 Oct '08

Hello all, Since there is some time, I figured I rectify our openldap configuration and use proper ACLs. We are using the following version on Solaris 10: [xxxx:/opt/csw/libexec]$ ./slapd -V @(#) $OpenLDAP: slapd 2.3.39 (Feb 22 2008 18:51:52) $ asmoore@ra Our user subtree is organized as shown below: o=suffix ou=people,o=suffix uid=kdz,ou=people,o=suffix uid=hyc,ou=people,o=suffix ou=removed_accounts,ou=people,o=suffix uid=abcd,ou=removed_accounts,ou=people,o=suffix uid=efgh,ou=removed_accounts,ou=people,o=suffix Basically, I want a getent passwd not to list entries below ou=removed_accounts,ou=people,o=suffix, for a client application still considers the removed accounts as users (it probably searches the whole subtree). I read the documentation for 2.3: http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control <http://www.openldap.org/doc/admin23/slapdconfig.html> And found this: The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN). So, I figured that an ACL (no global ACLs any longer) like this access to dn.one="ou=People,o=suffix" by * write Should hide the removed accounts and only show the active ones. But it does not, it still contains all the children of ou=removed_accounts,ou=people,o=suffix And of ou=people,o=suffix Using dn.base="ou=People,o=suffix" by * write Works as expected and getent passwd not return any ldap users, solely the /etc/passwd users. The client system in question is a Solaris 10 machine, I have kept the client configuration unchanged for the tests so far: NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= 127.0.0.1 NS_LDAP_SEARCH_BASEDN= o=suffix NS_LDAP_SEARCH_TIME= 90 NS_LDAP_CACHETTL= 0 There are only two other ACLs in place: 1. access to dn.one="ou=Group,o=siemensmedical.com" by * write This one works fine, getent group returns all the groups it should return and the changes can be done as well. 2. access to dn.subtree="ou=Roles,o=siemensmedical.com" by * write This one works fine as well, it returns the role structure as requested and changes work as well. Where am I making a mistake? Best regards, Claus

2 3

openLDAP TLS APIs usage issue
by dhiraj.prasad＠tcs.com 07 Oct '08

07 Oct '08

Hello, I have configured LDAP server on linux with TLS support and was able to fetch data from it using the ldapsearch utility. However, when i tried to do this searching via code i got following errors: Error at Server Side: slap_listener_activate(10): >>> slap_listener(ldaps://) connection_get(15): got connid=47 connection_read(15): checking for input on id=47 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(15): got connid=47 connection_read(15): checking for input on id=47 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 connection_read(15): TLS accept failure error=-1 id=47, closing connection_closing: readying conn=47 sd=15 for close connection_close: conn=47 sd=15 Error at Client side: [root@localhost LDAP1]# ./ldapSearch ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost.localdomain:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 19, subject: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com, issuer: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string Error in ldap_start_tls_s -1:Can't contact LDAP serverTest..1 ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request Test..2: -1 ldap_err2string Failure of LDAP bind -1-Can't contact LDAP server [root@localhost LDAP1]# Snippet of client code for TLS support used by Me: ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/root/cacert.pem"); ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, "/usr/local/etc/openldap/ldap.client.pem"); ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, "/usr/local/etc/openldap/ldap.client.key.pem"); ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON); val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option (ld, LDAP_OPT_X_TLS, &val); status = ldap_start_tls_s(ld, NULL, NULL); Please let me know as to what is missing in my code that is triggering the above errors. Also if there are any sample TLS client code, please let me know where can i get it. Thanks, Dhiraj Kumar Prasad Tata Consultancy Services Mailto: dhiraj.prasad(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

1 0

loglevel and logfile
by Ashraf Mohamed 07 Oct '08

07 Oct '08

hi, I am trying to turn on debugging for slapd and direct the debug output to a specific file on OpenLDAP 2.4.11 on linux without using syslog. I tried using slapd.conf; configured logfile and loglevel. And the only way I could get it working is by passing in the -d option to slapd. It does not seem to use the loglevel/logfile values if I don't pass in the -d option. I also tried using slapd.d. I am able to set olcLogLevel but I can't set olcLogFile. It won't even let me add it to the config. Ideas? Thanks much. Ashraf

2 1

AW: StartTLS is not working
by Hauke Coltzau 07 Oct '08

07 Oct '08

Hi Dat, first of all: Please send your questions to the list so that other users with the same problem can find the solution, too. To your problem: Please make sure that you have a correct value for your ServerCA's private key in your openssl.cnf. It should read something like this: [ ServerCA ] # Where is the base directory for the ServerCA dir = /usr/lib/ssl/ServerCA # Where is the ServerCA's certificate certificate = $dir/ServerCA.cert.pem # and where is the ServerCA's private key private_key = $dir/private/ServerCA.key.pem Without the private key, the ServerCA will not be able to sign your LDAP certificate. You will find more configuration hints for openssl.cnf in the tutorial. Hope this helps, Hauke -- ----- Ursprüngliche Mail ----- Von: "Dat Duong" <datduong2000(a)yahoo.com> An: "hauke coltzau" <hauke.coltzau(a)FernUni-Hagen.de> Gesendet: Dienstag, 7. Oktober 2008 09:06:07 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: StartTLS is not working Hi Hauke, I read your instruction on how to create Root CA ...I have a hard time understanding the step. I have a question on how to sign the ldap server certificated using Server CA? I get an error message: bash-3.00# openssl ca -name ServerCA -in afldap01.req.pem -out afldap01.cert.pem Using configuration from /usr/local/ssl/openssl.cnf variable lookup failed for ServerCA::private_key 18908:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=ServerCA name=private_key Thanks Dat -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical