LDAP connection failed - Error: simple bind failed

Hi,
We are trying to work with LDAP Readers/Writers in Clover ETL. We have a graph running on our server that reads and writes to an LDAP. We would like to be able to develop and test LDAP access from CloverETL Designer on a local workspace. I can connect my local project to a database. Can I do the same for an LDAP? On the server we have defined Config Properties like below which, as I mentioned, have values that are working on the server.

ACTIVE_DIRECTORY_BASE_DN
ACTIVE_DIRECTORY_USER
ACTIVE_DIRECTORY_URL =ldaps://dc1.xxxi.yyy/
ACTIVE_DIRECTORY_PW

Where would I put these to make them work with our CloverETL Designer project? I have placed them in the workspace.prm file with the same name/value pairs that work on the server, but I am still getting errors like:
Error: simple bind failed: dc1.xxx.yyy:636

Is it some type of ssl handshake problem?

Do I need to import a certificate or some such thing from the LDAP server? Or do I need to install a specific plugin to work with LDAP?
Remember, it is working on the Server. I am trying to make it work in CloverETL Designer with a project on my workspace.

Thanks in advance for any help

pro7

Hello Pro7,
it should work. You can define the parameters in workspace.prm file, other file (see attached example project) or directly in the graph.

I have parameters in the workspace.prm file and the password directly in the graph. I am able to access our test LDAP but I can’t get to our production LDAP. I know I’m using the correct credentials and URL because I can access it outside of Clover. I tried a number of things, like adding the port to the URL. I tried with and without an s in the URL (ldaps\:). I suspect the problem has to do with SSL but I’m not sure what else to try.

pro7

Hello,
I believe that importing the server certificate into the Java keystore could help. Please see keytool - Key and Certificate Management Tool and a nice example on Adding a server’s certificate to Java’s keystore.

Thanks, I got the cert from the LDAP server and successfully imported it into the cacerts file located in

C:\Program Files (x86)\CloverETL Designer\jdk1.6.0_20\jre\lib\security

But it didn’t help the situation. I am still getting an error.

INFO [main] - Checking graph configuration…
ERROR [main] - Graph configuration is invalid.
ERROR [main] - [LDAPReader:LDAP_READER0] - LDAP connection failed.
ERROR [main] - Error during graph initialization !
Element [1314360472591:DFTestLDAP]-Graph configuration is invalid.
at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:166)
at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:147)
at org.jetel.main.runGraph.runGraph(runGraph.java:364)
at org.jetel.main.runGraph.main(runGraph.java:328)

pro7

Hello,
we would need more info about the reason for the failure. Is this the only information in the log, even when changing the log level to ALL? You can also try to run the graph without checking the configuration:
[Image: Run Configurations.png]
Then CloverETL would be more “talkative” and print out the full stack trace.
If it doesn’t bring any additional information, you can try to use DBInputTable with JDBC->LDAP Bridge instead of LDAPReader.

Thanks. I changed Log Level and have more info in the stack trace.

Caused by: javax.naming.CommunicationException: simple bind failed: dc1.delhi.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.linagora.ldap.LdapManager.openContext(LdapManager.java:177)
at com.linagora.ldap.LdapParser.init(LdapParser.java:153)
… 7 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at com.sun.jndi.ldap.Connection.run(Connection.java:807)
at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
… 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
… 18 more

Hello,
this error means that the required certificate is still missing from your keystore. To see all the examined certificates, set the -Djavax.net.debug=all option when running the graph:
[Image: Run Configurations.png]
Please try the following steps once more:

  • Obtain the server’s public key:
    The public/private key pair will live somewhere on the server. The public key should be located and copied to your computer. For example:
scp root@dc1.xxx.yyy:/etc/ssl/certs/imapd.pem .  

If you have openssl installed locally, the key can be retrieved with a command like:

openssl s_client -connect dc1.xxx.yyy:636  
CONNECTED(00000003)  
depth=1 /C=CZ/ST=Czech Republic/L=Prague/O=Javlin a.s./OU=admin/CN=javlin.eu/emailAddress=javlin@support.digitwins.com  
.....  
.....  
Server certificate  
-----BEGIN CERTIFICATE-----  
-----END CERTIFICATE-----  

Cut and paste the certificate (including BEGIN and END lines) into a local file (eg. imapd.pem).

  • Import the public key:
sudo keytool -import -alias dc1.xxx.yyy -keystore $JAVA_HOME/jre/lib/security/cacerts -file imapd.pem  

This will import the public key (imapd.pem) into Java’s default keystore and mark it as trusted.
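The check that catches an import into the wrong JRE's cacerts, added here as an example (not from the thread or from CloverETL): a small Java program that prints which java.home and cacerts the running JVM uses, fetches the chain an LDAPS server presents, and validates it with the JDK's default PKIX trust manager against that store. Run it with the JRE bundled with Designer (jdk1.6.0_20\jre\bin\java.exe) so the store it checks is the one LDAPReader actually consults; host, port, store path and store password are command-line arguments, and changeit is the JDK default password assumed here.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Usage: java LdapsTrustCheck <host> <port> [cacerts-path] [store-password]
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Default: the cacerts of the JRE running this program (the store JNDI consults).
        String javaHome = System.getProperty("java.home");
        String storePath = args.length > 2 ? args[2] : javaHome + "/lib/security/cacerts";
        String storePass = args.length > 3 ? args[3] : "changeit"; // assumed JDK default
        System.out.println("java.home   : " + javaHome);
        System.out.println("trust store : " + storePath);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(storePath);
        try { store.load(in, storePass.toCharArray()); } finally { in.close(); }
        X509Certificate[] chain = fetchServerChain(host, port);
        for (X509Certificate c : chain)
            System.out.println("presented   : " + c.getSubjectX500Principal().getName());
        // Validate with the same PKIX trust manager the LDAPS connection uses, bound to this store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("OK: chain validates against " + storePath);
        } catch (CertificateException e) {
            System.out.println("NOT trusted: " + e.getMessage() + " -> keytool -import the issuing CA into this store");
        }
    }

    // One handshake that only records the presented chain; this permissive trust manager
    // serves the capture alone, the real validation happens in main.
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { captured[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { socket.startHandshake(); } finally { socket.close(); }
        return captured[0];
    }
}
```

If the output reports NOT trusted while the same store path you imported into shows OK elsewhere, the java.home line tells you which JRE the program (and Designer) is really using.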

Thanks. I found my mistake. I knew I was supposed to be working in the \CloverETL Designer\ path but for some dumb reason, I was in my Java path when I did the import the first time. I have imported to the correct cacert file and it is working now. Thanks for all your help and patience.

pro7

Agata, I’m facing another problem related to LDAP. I am back on my test system and trying to run a test that does an actual update to the LDAP (Active Directory). I imported the certificate from the LDAP into the cacerts file used by CloverETL Designer on my client machine (Windows 7). I have a very simple graph set up to run this test. The error I’m getting looks like this:

javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

Any ideas what the problem might be? I have been looking at various forums for a fix but I’m not finding anything very useful.

Thanks

err 0000052D
# for hex 0x52d / decimal 1325 :
ERROR_PASSWORD_RESTRICTION winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for “0000052D”

Strange because I am not trying to update a password. I’m trying to replace the value in userAccountControl attribute to enable a user.

http://www.eggheadcafe.com/microsoft/Wi … sword.aspx

If the domain pwd policy requires passwords, then you have to set a password before enabling.

I suppose that the current password of the account you are trying to enable does not match the password policy.