OPENICF-1053 (project: OpenICF)

LDAP Connector: _action=test on wrong certificate pattern should return error

      Description

      We started to have some instabilities with ssl and hostNameVerification:

        "ssl" : true,
        "hostNameVerification" : true,
        "hostNameVerifierPattern" : "example.incorrectpattern.com",
      

      I would expect to get an error on _action=test when the pattern didn't pass. Currently we always get an OK response:

      curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --header "Content-Type: application/json"  --request POST "http://localhost:8080/openidm/system/ldap2?_action=test"
      
      Response Content:
      {"name":"ldap2","enabled":true,"config":"config/provisioner.openicf/ldap2","connectorRef":{"bundleVersion":"1.4.9.0-SNAPSHOT","bundleName":"org.forgerock.openicf.connectors.ldap-connector","connectorName":"org.identityconnectors.ldap.LdapConnector"},"displayName":"LDAP Connector","objectTypes":["__ALL__","account","group"],"ok":true}
      
      Response Status Code: 200
      

      But after a while we get an error on the connector test in the log independently (it is not triggered by _action=test):

      SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap2/'} failed!
      org.identityconnectors.framework.common.exceptions.ConnectionFailedException: javax.naming.CommunicationException: localhost:1636 [Root exception is javax.net.ssl.SSLHandshakeException: The host name from the server certificate'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' does not match the provided pattern 'example.incorrectpattern.com']
      	at org.identityconnectors.ldap.LdapConnection$AuthenticationResultType$3.propagate(LdapConnection.java:665)
      	at org.identityconnectors.ldap.LdapConnection$AuthenticationResult.propagate(LdapConnection.java:694)
      	at org.identityconnectors.ldap.LdapConnection.connect(LdapConnection.java:260)
      	at org.identityconnectors.ldap.LdapConnection.getInitialContext(LdapConnection.java:245)
      	at org.identityconnectors.ldap.LdapConnection.checkAlive(LdapConnection.java:443)
      	at org.identityconnectors.ldap.LdapConnector.checkAlive(LdapConnector.java:144)
      	at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.testObject(ConnectorPoolManager.java:186)
      	at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.testObject(ConnectorPoolManager.java:117)
      	at org.identityconnectors.framework.impl.api.local.ObjectPool.borrowObject(ObjectPool.java:247)
      	at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:93)
      	at com.sun.proxy.$Proxy65.test(Unknown Source)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      	at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
      	at com.sun.proxy.$Proxy65.test(Unknown Source)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      	at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:98)
      	at com.sun.proxy.$Proxy65.test(Unknown Source)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      	at org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl$ReferenceCountingProxy.invoke(LocalConnectorFacadeImpl.java:304)
      	at com.sun.proxy.$Proxy65.test(Unknown Source)
      	at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.test(AbstractConnectorFacade.java:326)
      	at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.lambda$activate$0(OpenICFProvisionerService.java:283)
      	at org.forgerock.util.promise.PromiseImpl.lambda$thenOnResult$1(PromiseImpl.java:292)
      	at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)
      	at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:536)
      	at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:524)
      	at org.forgerock.util.promise.PromiseImpl.then(PromiseImpl.java:370)
      	at org.forgerock.util.promise.PromiseImpl.then(PromiseImpl.java:361)
      	at org.forgerock.util.promise.PromiseImpl.then(PromiseImpl.java:343)
      	at org.forgerock.util.promise.PromiseImpl.thenOnResult(PromiseImpl.java:290)
      	at org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService.activate(OpenICFProvisionerService.java:241)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:228)
      	at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41)
      	at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:664)
      	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:510)
      	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:317)
      	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:341)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:114)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:983)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:956)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:901)
      	at org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:348)
      	at org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:248)
      	at org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350)
      	at org.apache.felix.framework.Felix.getService(Felix.java:3954)
      	at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450)
      	at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:73)
      	at org.apache.felix.scr.impl.inject.BindParameters.getServiceObject(BindParameters.java:47)
      	at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:664)
      	at org.apache.felix.scr.impl.manager.DependencyManager.getServiceObject(DependencyManager.java:2308)
      	at org.apache.felix.scr.impl.manager.DependencyManager.doInvokeBindMethod(DependencyManager.java:1805)
      	at org.apache.felix.scr.impl.manager.DependencyManager.invokeBindMethod(DependencyManager.java:1788)
      	at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeBindMethod(SingleComponentManager.java:436)
      	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:333)
      	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:302)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1216)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1137)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:944)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:880)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1168)
      	at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:125)
      	at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
      	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
      	at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
      	at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4833)
      	at org.apache.felix.framework.Felix.registerService(Felix.java:3804)
      	at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:906)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:892)
      	at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:959)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:732)
      	at org.apache.felix.scr.impl.manager.DependencyManager$SingleStaticCustomizer.addedService(DependencyManager.java:1053)
      	at org.apache.felix.scr.impl.manager.DependencyManager$SingleStaticCustomizer.addedService(DependencyManager.java:1007)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1216)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1137)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:944)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:880)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1168)
      	at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:125)
      	at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
      	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
      	at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
      	at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4833)
      	at org.apache.felix.framework.Felix.registerService(Felix.java:3804)
      	at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:906)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:892)
      	at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:959)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:732)
      	at org.apache.felix.scr.impl.manager.DependencyManager$SingleDynamicCustomizer.addedService(DependencyManager.java:833)
      	at org.apache.felix.scr.impl.manager.DependencyManager$SingleDynamicCustomizer.addedService(DependencyManager.java:775)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1216)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1137)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:944)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:880)
      	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1168)
      	at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:125)
      	at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
      	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
      	at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
      	at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4833)
      	at org.apache.felix.framework.Felix.registerService(Felix.java:3804)
      	at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:906)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:892)
      	at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:959)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:732)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:666)
      	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:432)
      	at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
      	at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:317)
      	at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$2.configurationEvent(RegionConfigurationSupport.java:119)
      	at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1704)
      	at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1646)
      	at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
      	at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
      	at java.base/java.lang.Thread.run(Thread.java:834)
      Caused by: javax.naming.CommunicationException: localhost:1636 [Root exception is javax.net.ssl.SSLHandshakeException: The host name from the server certificate'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' does not match the provided pattern 'example.incorrectpattern.com']
      	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
      	at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
      	at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
      	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752)
      	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
      	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      	at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
      	at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
      	at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
      	at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
      	at org.identityconnectors.ldap.LdapConnection.createContext(LdapConnection.java:290)
      	at org.identityconnectors.ldap.LdapConnection.createContext(LdapConnection.java:281)
      	at org.identityconnectors.ldap.LdapConnection.connect(LdapConnection.java:256)
      	... 131 more
      Caused by: javax.net.ssl.SSLHandshakeException: The host name from the server certificate'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' does not match the provided pattern 'example.incorrectpattern.com'
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
      	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
      	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
      	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      	at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348)
      	at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
      	... 146 more
      Caused by: java.security.cert.CertificateException: The host name from the server certificate'CN=localhost, O=OpenDJ RSA Self-Signed Certificate' does not match the provided pattern 'example.incorrectpattern.com'
      	at org.identityconnectors.ldap.ssl.HostNameVerifier.checkPattern(HostNameVerifier.java:100)
      	at org.identityconnectors.ldap.ssl.HostNameVerifier.checkServerTrusted(HostNameVerifier.java:50)
      	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1509)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
      	... 158 more
      

            People

             Assignee: Emanuel Brici (emanuel.brici)
             Reporter: Michal Orlik (michal.orlik@profiq.cz)
             QA Assignee: Son Nguyen