[Building Sakai] WebDAV and LDAP configuration

Sanghyun Jeon euksa99 at gmail.com
Tue Nov 4 13:26:58 PST 2014 

Only one school's LDAP  (among 7 different schools) has been having an
issue to connect webdav in the same Sakai instance after we upgraded Sakai
2.9.3 from Sakai 2.8.X this summer.

We've done some research on this and also posted a question on Sakai dev
list. But didn't get any replies and still no solution.

Below is some of the debug output from the problem LDAP server during the
connections from our development instance. The connection seems to be
successfully established and after that no further communication. Looks
like java abandoned an apparently successful connection. We check the match
between Sakai's SSL and LDAP's cert and they are fine. Sakai tomcat log
showed almost the same result. The successful connection is established and
that [DEBUG] org.sakaiproject.user.impl.AuthenticationCache:88 -
getAuthentication SSJ: replaying authentication failure for
authenticationId=XXXXX  when the user entered the right pwd and user id.

  I hope somebody can shed some light on this issue: why Java abandons the
successful connection for this LDAP only.

132  >>> slap_listener(ldaps:///)

   133  conn=2 fd=14 ACCEPT from IP=XXX.XXX.XX.36:51356(IP=0.0.0.0:636)  <---
sakai dev instance

   134  TLS trace: SSL_accept:before/accept initialization

   135  TLS trace: SSL_accept:SSLv3 read client hello A

   136  TLS trace: SSL_accept:SSLv3 write server hello A

   137  TLS trace: SSL_accept:SSLv3 write certificate A

   138  TLS trace: SSL_accept:SSLv3 write server done A

   139  TLS trace: SSL_accept:SSLv3 flush data

   140  TLS trace: SSL_accept:error in SSLv3 read client certificate A

   141  TLS trace: SSL_accept:error in SSLv3 read client certificate A

   142  TLS trace: SSL_accept:SSLv3 read client key exchange A

   143  TLS trace: SSL_accept:error in SSLv3 read certificate verify A

   144  TLS trace: SSL_accept:SSLv3 read finished A

   145  TLS trace: SSL_accept:SSLv3 write change cipher spec A

   146  TLS trace: SSL_accept:SSLv3 write finished A

   147  TLS trace: SSL_accept:SSLv3 flush data

   148  conn=2 fd=14 TLS established tls_ssf=128 ssf=128 <----- SSL
established. The last we hear from sakai dev instance



   149  >>> slap_listener(ldaps:///)<----- Different connection begins
here. No further from "conn=2 fd=14"

   150  conn=3 fd=15 ACCEPT from IP=YYY.YYY.YYY.246:51353 (IP=0.0.0.0:636)

   [...]







   272  >>> slap_listener(ldaps:///)

   273  conn=4 fd=17 ACCEPT from IP=YYY.YYY.YYY.246:51356 (IP=0.0.0.0:636)
  <--- CAS auth box

   274  TLS trace: SSL_accept:before/accept initialization

   275  TLS trace: SSL_accept:SSLv3 read client hello A

   276  TLS trace: SSL_accept:SSLv3 write server hello A

   277  TLS trace: SSL_accept:SSLv3 write certificate A

   278  TLS trace: SSL_accept:SSLv3 write server done A

   279  TLS trace: SSL_accept:SSLv3 flush data

   280  TLS trace: SSL_accept:error in SSLv3 read client certificate A

   281  TLS trace: SSL_accept:error in SSLv3 read client certificate A

   282  TLS trace: SSL_accept:SSLv3 read client key exchange A

   283  TLS trace: SSL_accept:SSLv3 read finished A

   284  TLS trace: SSL_accept:SSLv3 write change cipher spec A

   285  TLS trace: SSL_accept:SSLv3 write finished A

   286  TLS trace: SSL_accept:SSLv3 flush data

   287  conn=4 fd=17 TLS established tls_ssf=256 ssf=256 <----- After SSL
established, communication ensues

   288  ber_get_next

   289  ldap_read: want=8, got=8

   290  ldap_read: want=55, got=55

   291  ber_get_next: tag 0x30 len 61 contents:

   292  ber_dump: buf=0x098b6c18 ptr=0x098b6c18 end=0x098b6c55 len=61

   293  ber_get_next

   294  ldap_read: want=8 error=Resource temporarily unavailable  <--- Just
reporting non-blocking I/O

   295  do_bind

   [...]







  6449  TLS trace: SSL3 alert write:warning:close notify

  6450  conn=2 fd=14 closed (slapd shutdown)<----- LDAP server finally
closes the abandoned connection during shutdown

  6451  TLS trace: SSL3 alert write:warning:close notify

  6452  conn=3 fd=15 closed (slapd shutdown)

  6453  TLS trace: SSL3 alert write:warning:close notify

  6454  conn=5 fd=17 closed (slapd shutdown)

  6455  TLS trace: SSL3 alert write:warning:close notify

  6456  conn=7 fd=21 closed (slapd shutdown)

  6457  slapd shutdown: waiting for 0 threads to terminate

  6458  slapd shutdown: initiated

  6459  ====> bdb_cache_release_all

  6460  slapd destroy: freeing system resources.

  6461  slapd stopped.





On Fri, Aug 22, 2014 at 4:41 PM, Sanghyun Jeon <euksa99 at gmail.com> wrote:

> Hello All,
>
> It turns out that only certain user group who needs to be authenticated
> with LDAP #A is having difficulty to connect WebDAV.
> Previously, tomcat log showed unknown cert error as follows:
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> so we renew the LDAP cert and tomcat no longer shows the cert error. All
> ports are open from both ends. However, if this user group tries to login
> via WebDAV, they are still getting an error message: "There was a problem
> connecting to the server 'sakai.ourCollege.edu'. Contact your system
> administrator for more information".
>
> I hope somebody can point me in the right direction to resolve this issue.
>
> Thank you.
>
>
>
>
> On Tue, Aug 19, 2014 at 8:12 AM, Sanghyun Jeon <euksa99 at gmail.com> wrote:
>
>> Hello All,
>>
>> After Sakai2.9.3 upgrade, we are experiencing WebDAV connection issue
>> from one of app servers. We confirm that there is no firewall issue from
>> both ends. We have three clustered Sakai app nodes behind one apache server
>> as a load balancer. LDAP is used to authenticate WebDAV users, while CAS is
>> for login.
>> I did not configure the current systems so that I would like to revisit
>> the WebDAV connection with Sakai  in order to resolve this issue. However,
>> I cannnot find some useful documentations and I am wondering whether some
>> experienced experts guide me where I can find them or where I need to start
>> to check.
>> Thank you in advance.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20141104/824b9646/attachment.html

More information about the sakai-dev mailing list