I have a web application running on Tomcat 9 and using LDAPS for user authentication. When I connect via LDAP (non-secure) the authentication is successful, but when I switch to LDAPS (secure) I get the error "PenLdapLookupModule: Error authenticating during a lookup. Please check the username and password used to log into LDAP". Yet I am using the same username and password unencrypted within the application.
Tomcat configuration (server.xml):

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="99"
           connectionURL="ldaps://ldapservername:636"
           authentication="simple"
           connectionName="<username>"
           connectionPassword="<password>"
           userSearch="(sAMAccountName={0})"
           userBase="dc=com"
           userSubtree="true"
           userRoleName="memberOf"
           roleBase="ou=Global Security Groups,ou=Security Groups,ou=Domain Groups,dc=directory,dc=com"
           roleSearch="(member={0})"
           roleSubtree="true"
           roleName="cn"
    />
Application LDAP configs:

    setconfig ldap.ssl.trustStore.type "JKS"
    setconfig ldap.ssl.trustStore.location "ldapsKeystorename.jks"
    setconfig ldap.ssl.trustStore.password "<Keystorepassword>"
Logs:

    ERROR [LookupRefresh] (PenLdapLookupModule) - PenLdapLookupModule: Error authenticating during a lookup. Please check the username and password used to log into LDAP. If encryption is enabled you may need to reset the password (to its plain text value) if the application software has changed.
    com.paisley.core.FaultException: FAULT -- DETAILS BELOW
    Error authenticating during a lookup. Please check the username and password used to log into LDAP. If encryption is enabled you may need to reset the password (to its plain text value) if the application software has changed.
    Thread name: LookupRefresh - 0x2b
    Occurred on/at: 4/8/21 12:25:01 PM SAST
    Session Client ID:
    Group Name:
    Client ID: com.paisley.foundation.client.ClientID@8e812e86-client001
    Module Name: PenLdapLookupModule
        at com.paisley.rnj.security.lookup.PenLdapLookupModule.lookup(PenLdapLookupModule.java:162)
        at com.paisley.rnj.security.service.LookupServiceBean.performLookup(LookupServiceBean.java:720)
        at com.paisley.rnj.security.service.LookupServiceBean.refresh(LookupServiceBean.java:471)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.paisley.foundation.reflect.ReflectorToolkit.callMethod(ReflectorToolkit.java:1345)
        at com.paisley.foundation.database.transaction.ServiceTransactionInjector.callRealServiceMethod(ServiceTransactionInjector.java:336)
        at com.paisley.foundation.database.transaction.ServiceTransactionInjector.invoke(ServiceTransactionInjector.java:178)
        at com.sun.proxy.$Proxy38.refresh(Unknown Source)
        at com.paisley.rnj.security.lookup.work.LookupInitializeWork.execute(LookupInitializeWork.java:86)
        at com.paisley.rnj.security.lookup.thread.LookupRefreshBackgroundTask.execute(LookupRefreshBackgroundTask.java:94)
        at com.paisley.foundation.background.BackgroundThread.run(BackgroundThread.java:141)
Best Answer
Apologies, I stopped working on this piece for a while and started again this week.

Problem cause: The latest Java Runtime Environment has SSLv3 disabled by default, so my application, which was making use of SSLv3, was failing to authenticate on LDAPS. Following the recommended steps below didn't work either.

Solution: I had to switch to using the Amazon Corretto 8 JDK; this resolved the problem. I also had to remove SSLv3 from "jdk.tls.disabledAlgorithms" in the java.security file.
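An added diagnostic, not code from the question or the answer: a small Java program that separates a TLS failure (protocol negotiation or trust store) from a credential failure, first completing a raw handshake against the LDAPS port with the application's JKS trust store and reporting the negotiated protocol, then performing the same simple bind that JNDIRealm does. The host, trust store and bind values are the placeholders from the question, and the class name LdapsCheck is assumed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class LdapsCheck {
    public static void main(String[] args) throws Exception {
        // Placeholders taken from the question; replace with real values.
        String host = "ldapservername";
        int port = 636;
        String trustStorePath = "ldapsKeystorename.jks";
        char[] trustStorePass = "<Keystorepassword>".toCharArray();
        String bindDn = "<username>";
        String bindPass = "<password>";
        // 1. What this JVM refuses to negotiate (SSLv3 is normally listed here).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        // 2. Build an SSLContext from the same JKS trust store the application uses.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // 3. Raw handshake: an exception here means TLS (protocol or trust), not credentials.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("TLS OK: " + s.getSession().getProtocol()
                    + " " + s.getSession().getCipherSuite());
        }
        // 4. Simple bind over LDAPS via JNDI (what JNDIRealm does), same trust store.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(trustStorePass));
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPass);
        new InitialDirContext(env).close();
        System.out.println("LDAP simple bind OK");
    }
}
```

If step 3 reports TLSv1.2 or later, the server does not need SSLv3 re-enabled and the fault lies in the bind; if it fails, compare the printed jdk.tls.disabledAlgorithms against the protocol versions the LDAP server actually offers.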