Hi,
We are trying to work with LDAP Readers/Writers in Clover ETL. We have a graph running on our server that reads and writes to an LDAP. We would like to be able to develop and test LDAP access from CloverETL Designer on a local workspace. I can connect my local project to a database. Can I do the same for an LDAP? On the server we have defined Config Properties like below which, as I mentioned, have values that are working on the server.
Where would I put these to make them work with our CloverETL Designer project? I have placed them in the workspace.prm file with the same name-value pairs that work on the server but I am still getting errors like:
Error: simple bind failed: dc1.xxx.yyy:636
Is it some type of ssl handshake problem?
Do I need to import a certificate or some such thing from the LDAP server? Or do I need to install a specific plugin to work with LDAP?
Remember, it is working on the Server. I am trying to make it work in CloverETL Designer with a project on my workspace.
I have parameters in the workspace.prm file and the password directly in the graph. I am able to access our test LDAP but I can’t get to our production LDAP. I know I’m using correct credentials and url because I can access outside of clover. I tried a number of things, like adding the port to the url. I tried with and without an s in the url (ldaps\:). I suspect the problem has to do with SSL but I’m not sure what else to try.
But it didn’t help the situation. I am still getting an error.
INFO [main] - Checking graph configuration…
ERROR [main] - Graph configuration is invalid.
ERROR [main] - [LDAPReader:LDAP_READER0] - LDAP connection failed.
ERROR [main] - Error during graph initialization !
Element [1314360472591:DFTestLDAP]-Graph configuration is invalid.
at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:166)
at org.jetel.graph.runtime.EngineInitializer.initGraph(EngineInitializer.java:147)
at org.jetel.main.runGraph.runGraph(runGraph.java:364)
at org.jetel.main.runGraph.main(runGraph.java:328)
Hello,
We would need to get more info about the reason for the failure. Is this the only information in the log, even when changing the log level to ALL? You can also try to run the graph without checking the configuration (screenshot: Run Configurations.png).
Then CloverETL would be more “talkative” and print out the full stack trace.
If it doesn’t bring any additional information, you can try to use DBInputTable with JDBC->LDAP Bridge instead of LDAPReader.
Thanks. I changed Log Level and have more info in the stack trace.
Caused by: javax.naming.CommunicationException: simple bind failed: dc1.delhi.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at com.linagora.ldap.LdapManager.openContext(LdapManager.java:177)
at com.linagora.ldap.LdapParser.init(LdapParser.java:153)
… 7 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at com.sun.jndi.ldap.Connection.run(Connection.java:807)
at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
… 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
… 18 more
Hello,
This error means that the required certificate is still missing from your key store. To see all the examined certificates, set the -Djavax.net.debug=all variable when running the graph (screenshot: Run Configurations.png).
Please try the following steps once more:
Obtain the server’s public key:
The public/private key pair will live somewhere on the server. The public key should be located and copied to your computer. For example:
scp root@dc1.xxx.yyy:/etc/ssl/certs/imapd.pem .
If you have openssl installed locally, the key can be retrieved with a command like:
Thanks. I found my mistake. I knew I was supposed to be working in the \CloverETL Designer\
path but for some dumb reason, I was in my Java path when I did the import the first time. I have imported to the correct cacert file and it is working now. Thanks for all your help and patience.
Agata, I’m facing another problem related to ldap. I am back on my test system and trying to run a test that does an actual update to the ldap (active directory). I imported the certificate from the ldap into the cacerts file used by clover etl designer on my client machine (windows 7). I have a very simple graph setup to run this test. The error I’m getting looks like this:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
Any ideas what the problem might be? I have been looking at various forums for a fix but I’m not finding anything very useful.
err 0000052D
# for hex 0x52d / decimal 1325 :
ERROR_PASSWORD_RESTRICTION winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for “0000052D”
Strange because I am not trying to update a password. I’m trying to replace the value in userAccountControl attribute to enable a user.
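Added example, not part of the original thread and not CloverETL code: a Python parser for the Active Directory diagnostic string quoted above, showing that 0000052D is a Win32 code (ERROR_PASSWORD_RESTRICTION) carried inside LDAP result 53. Active Directory also returns it when a modify clears ACCOUNTDISABLE in userAccountControl on an account without a policy-compliant password; the userAccountControl values 514 and 512 are constructed samples and the function names are hypothetical.

```python
import re

# LDAP result codes (RFC 4511) and Win32 codes (winerror.h); small subsets only.
LDAP_RESULT = {19: "constraintViolation", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}
WIN32 = {0x5: "ERROR_ACCESS_DENIED", 0x52D: "ERROR_PASSWORD_RESTRICTION"}
# userAccountControl bits relevant to enabling an account.
UAC = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
       0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

AD_ERR = re.compile(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}): (\w+): "
                    r"(DSID-[0-9A-Fa-f]+), problem (\d+) \((\w+)\), data (\w+)")


def parse_ad_error(message):
    """Split an AD diagnostic message into its fields; None if it does not match."""
    m = AD_ERR.search(message)
    if m is None:
        return None
    code, win32 = int(m.group(1)), int(m.group(2), 16)
    return {"ldap_code": code, "ldap_name": LDAP_RESULT.get(code, "unknown"),
            "win32": win32, "win32_name": WIN32.get(win32, "unknown"),
            "dsid": m.group(4), "problem": m.group(6)}


def uac_flags(value):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC.items()) if value & bit]


def enable_needs_password_first(old_uac, new_uac, err):
    """True when a modify that clears ACCOUNTDISABLE was refused for password policy."""
    clears_disable = bool(old_uac & 0x2) and not (new_uac & 0x2)
    policy_exempt = bool(new_uac & 0x20)  # PASSWD_NOTREQD stays set
    return (clears_disable and not policy_exempt
            and err is not None and err["win32"] == 0x52D)


# Error line quoted in the thread; the UAC values below are constructed samples.
SAMPLE = ("javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
          "0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0")

if __name__ == "__main__":
    err = parse_ad_error(SAMPLE)
    print(err)
    print(uac_flags(514), "->", uac_flags(512))
    print("set a compliant password before enabling:",
          enable_needs_password_first(514, 512, err))
```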