
HCS 8 - authentication /authorisation to AD using TLS

Question asked by Steve Franks on Mar 3, 2016
Latest reply on May 31, 2016 by Virgilio Sabas

Hi all,

I am very stale on HCS, so please forgive any stupidities that follow. I am also not much good when it comes to AD.

I have configured HCS to authenticate AD users and to allocate authorisation/roles based on existing AD groups. I use a service account for this purpose and all seems fine.

I want to add TLS, as basic LDAP is not secure. I am having trouble with phase 3.

A redacted excerpt of my exauth file:

auth.server.type=ldap
auth.server.name=globdcs01.ad.fake.alsofake.com.au
auth.group.mapping=true
#auth.ocsp.enable=false
#auth.ocsp.responderURL=
auth.ldap.globdcs01.ad.fake.alsofake.com.au.protocol=tls
auth.ldap.globdcs01.ad.fake.alsofake.com.au.host=globca01.ad.fake.alsofake.com.au
auth.ldap.globdcs01.ad.fake.alsofake.com.au.port=636
auth.ldap.globdcs01.ad.fake.alsofake.com.au.timeout=15
auth.ldap.globdcs01.ad.fake.alsofake.com.au.attr=sAMAccountName
auth.ldap.globdcs01.ad.fake.alsofake.com.au.basedn=OU=Administrative,OU=Enterprise Services,DC=ad,DC=fake,DC=alsofake,DC=com,DC=au
auth.ldap.globdcs01.ad.fake.alsofake.com.au.retry.interval=1
auth.ldap.globdcs01.ad.fake.alsofake.com.au.retry.times=20
auth.ldap.globdcs01.ad.fake.alsofake.com.au.domain.name=ad.fake.alsofake.com.au
auth.ldap.globdcs01.ad.fake.alsofake.com.au.dns_lookup=true
# NO ENTRIES BEYOND THIS POINT ARE IN USE

Assuming for the moment that these entries are more or less correct, do I need to use any of the other config items later in the exauth file, or are they all part of the configuration for RADIUS/Kerberos? A number of the later items follow on from RADIUS/Kerberos references but are not clearly identified as belonging with them. The few examples I have culled for LDAP config in this file do *not* reference them, but clearly my config is not working.

I asked my AD admins for a cert to use with the hcmds64keytool command. No problems adding it to the keystore, BUT:

I was given a root cert from a CA server. Do I need a different type of certificate, in addition to the root cert? My reading suggests possibly yes.

HDS documentation says that the CN in the cert should match the exauth entry for auth.ldap.globdcs01.ad.fake.alsofake.com.au.host.

As you can see above, the cert CN is "globca01" (which is correct: it *is* the CA) and it *does* match the certificate itself, but that name is not the same as the name of the AD server, which you can see is globdcs01. This difference is what prompted me to speculate about the need for another type of cert, one signed by globca01 but naming globdcs01. For exauth, must the CN in the cert be the same as the AD server?

Unfortunately I have encountered several different results. The last one was using the config above. hcmds64checkauth produces this:

KAPM15010-I The connection to the server globdcs01.ad.fake.alsofake.com.au will now be checked. (host = globca01.ad.fake.alsofake.com.au, port = 636, protocol = tls)
KAPM15013-E A connection error occurred.
KAPM15084-E LDAP directory server error is detected. (information = java.net.ConnectException)
KAPM15005-E The result of the configuration check of Phase3 was abnormal.
KAPM15246-E A connection attempt has failed. (server name = globdcs01.ad.fake.fake.com.au)

The log file:

HcmdsGroupConnecter#printStartPhase The configuration check of Phase3 will now start.
Hcmds64checkauth 2B343831 383BDCBC KAPM15010-I           HcmdsGroupConnecter#printStartAuth The connection to the server globdcs01.ad.fake.alsofake.com.au will now be checked. (host = globca01.ad.fake.alsofake.com.au, port = 636, protocol = tls)
Hcmds64checkauth 2B343831 383BDCBC KAPM15013-E      EC   HcmdsGroupConnecter#printErrorMsg A connection error occurred.
Hcmds64checkauth 2B343831 383BDCBC KAPM15084-E      EC   HcmdsGroupConnecter#printErrorMsg LDAP directory server error is detected. (information = java.net.ConnectException)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog com.hitachi.truenorth.HiCommand.Base.User.HcmdsExAuthCommunicationException: Communication with an external authentication server has failed. (host = globca01.ad.esbu.nttict.com.au, port = 636, protocol = tls)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.hitachi.truenorth.HiCommand.Base.User.LdapBind.bindSearchUser(LdapBind.java:581)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.hitachi.truenorth.HiCommand.Base.User.LdapBind.execute(LdapBind.java:382)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.hitachi.truenorth.HiCommand.Base.User.LdapContextThread.run(LdapContextThread.java:35)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog Caused by: javax.naming.CommunicationException: globca01.ad.esbu.nttict.com.au:636 [Root exception is java.net.ConnectException: Connection refused: connect  [errno=10061, syscall=getsockopt]]
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at javax.naming.InitialContext.init(InitialContext.java:242)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.hitachi.truenorth.HiCommand.Base.User.LdapBind.bindAuthentication(LdapBind.java:658)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.hitachi.truenorth.HiCommand.Base.User.LdapBind.bindSearchUser(LdapBind.java:568)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     ... 2 more
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog Caused by: java.net.ConnectException: Connection refused: connect  [errno=10061, syscall=getsockopt]
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.net.Socket.connect(Socket.java:579)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at java.lang.reflect.Method.invoke(Method.java:606)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.Connection.createSocket(Connection.java:355)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
Hcmds64checkauth 2B343831 383BDCBC KAPM49001-E      EC   HcmdsGroupConnecter#outErrlog     ... 16 more
Hcmds64checkauth 2B343831 383BDCBC KAPM15005-E      EC   HcmdsGroupConnecter#ResultPhase The result of the configuration check of Phase3 was abnormal.
Hcmds64checkauth 2B343831 383BDCBC KAPM15246-E      EC   HcmdsGroupConnecter#resultPrintCore A connection attempt has failed. (server name = globdcs01.ad.esbu.nttict.com.au)
Hcmds64checkauth 2B343831 383BDCBC KAPM15015-I           Hcmdscheckauth#main The command hcmds64checkauth will now finish.

Without using TLS, the same user can complete hcmds64checkauth, and the HCS GUI itself lets people log in.

Thanks for any clarification.
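Added triage helper for the failure shown in the post (editor's example, not part of the original thread and not Hitachi Command Suite code). The root cause in the log is java.net.ConnectException: Connection refused (errno 10061, which is WSAECONNREFUSED on Windows). That is a TCP-level refusal: the name resolved, the host answered, and nothing was listening on port 636, so this run never reached the TLS handshake and never consulted the keystore. The certificate questions in the post (root CA versus server certificate, CN matching the configured host) only come into play once a listener answers. The script below separates those layers: it classifies the Java exception text into a failure class, applies the standard RFC 6125 hostname-matching rule (SAN dNSName entries are authoritative; the subject CN is consulted only when the certificate has no dNSName SAN) to hypothetical certificate names, and offers a live LDAPS probe using Python's ssl module. Host names, the sample log line and the certificate names are constructed placeholders taken from the redacted post; the probe needs network access and is not exercised offline.

```python
"""Triage an LDAPS (LDAP over TLS, port 636) connection failure.

Added example; not from the original post or from Hitachi Command Suite.
  classify_ldaps_failure() - names the failure class behind a JNDI/LDAP
                             CommunicationException found in a log
  cert_name_matches()      - RFC 6125-style hostname matching against a
                             certificate's subject CN / SAN dNSName list
  probe_ldaps()            - live, verified TLS connection (needs network)
"""
import socket
import ssl
from typing import Iterable, Optional

# (needle, failure class), ordered from most to least specific.
_SIGNATURES = (
    ("Connection refused", "no_listener"),            # TCP RST: host up, port closed
    ("UnknownHostException", "dns_failure"),          # name did not resolve
    ("connect timed out", "filtered_or_unreachable"), # no SYN/ACK at all
    ("SocketTimeoutException", "filtered_or_unreachable"),
    ("PKIX path building failed", "untrusted_chain"), # issuing CA not in truststore
    ("unable to find valid certification path", "untrusted_chain"),
    ("No subject alternative DNS name matching", "hostname_mismatch"),
    ("SSLHandshakeException", "tls_handshake"),       # other handshake failure
)


def classify_ldaps_failure(log_text: str) -> str:
    """Return the failure class for the root-cause exception in log_text.

    A 'no_listener' result means the TLS layer was never reached, so
    truststore and certificate settings were not exercised by that attempt.
    """
    for needle, failure_class in _SIGNATURES:
        if needle in log_text:
            return failure_class
    return "unknown"


def _label_matches(presented: str, host: str) -> bool:
    """Match one presented DNS name against host; a wildcard is accepted only
    as the entire leftmost label and must leave at least two fixed labels."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels, h_labels = presented.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_name_matches(configured_host: str, subject_cn: str,
                      san_dns_names: Iterable[str]) -> bool:
    """Would hostname verification accept this certificate for configured_host?

    If the certificate carries any dNSName SAN entries, only those count;
    the subject CN is a fallback solely for certificates with no dNSName SAN.
    """
    sans = list(san_dns_names)
    if sans:
        return any(_label_matches(name, configured_host) for name in sans)
    return _label_matches(subject_cn, configured_host)


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Open a verified TLS session to host:port and return the peer certificate.

    cafile is the PEM bundle for the CA that issued the directory server's
    certificate (a root CA certificate is a trust anchor, not a server cert).
    Raises ConnectionRefusedError when nothing listens on the port and
    ssl.SSLCertVerificationError when the chain or hostname check fails.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: the root-cause line of a checkauth-style log, with the
# placeholder host names used in the post.
SAMPLE_LOG = (
    "Caused by: javax.naming.CommunicationException: "
    "globca01.ad.fake.alsofake.com.au:636 [Root exception is "
    "java.net.ConnectException: Connection refused: connect "
    "[errno=10061, syscall=getsockopt]]"
)

if __name__ == "__main__":
    print(classify_ldaps_failure(SAMPLE_LOG))
    dc = "globdcs01.ad.fake.alsofake.com.au"
    # Hypothetical CA certificate named for the CA host: fails for the DC.
    print(cert_name_matches(dc, "globca01.ad.fake.alsofake.com.au", []))
    # Hypothetical server certificate issued to the DC host: passes.
    print(cert_name_matches(dc, dc, [dc]))
```

Run it against a real server with `probe_ldaps("dc.example.test", cafile="issuing-ca.pem")`: a ConnectionRefusedError reproduces the post's symptom without any TLS involvement, whereas an ssl.SSLCertVerificationError is the point at which the truststore contents and the certificate's names actually matter.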
