Pivotal Knowledge Base

LDAP User Authentication Fails After Upgrading to Elastic Runtime 1.7.17 or Higher

Environment

 Product                 Version
 Pivotal Cloud Foundry   1.7
 Elastic Runtime         1.7.17 or greater

Symptom

When an LDAP user attempts to log in via the CF CLI, authentication fails with a timeout error. The following is the relevant snippet from the UAA logs:

[2016-09-13 17:01:42.626] uaa - 6656 [http-nio-8080-exec-8] .... DEBUG --- ChainedAuthenticationManager: Chained authentication exception:simple bind failed: xxxxxxx.org:636; nested exception is javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is java.net.SocketException: Connection reset] at:org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)

Cause

The JDK shipped in the UAA release bundled with ERT version 1.7.17 was updated to JDK v1.8 build 101. With this build of the JDK, the LDAP server closes the connection from its end when the client tries to establish an SSL connection. It was observed that the LDAP/Active Directory server does not negotiate a TLS v1.2 connection and immediately closes the session, which the client reports as a connection reset. With ERT 1.7.17+ there is a requirement to use TLS v1.2. If the LDAP/AD server does not support TLS v1.2, the LDAP server terminates the SSL negotiation, because TLS v1.2 is the only TLS protocol the client will now accept. With earlier ERT releases, the TLS libraries included in the JDK would fall back and negotiate a TLS v1 connection with the LDAP/AD server instead.
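The following Python script is an added diagnostic example and is not part of the original article or of UAA itself. It does two things a practitioner would want before touching the manifest: it scans UAA log text for the exact failure signature quoted above (a simple bind that ended in a TCP connection reset, as opposed to an ordinary bad-credentials failure) and pulls out the LDAP host and port, and it offers a probe that attempts one TLS handshake per protocol version against that host so you can confirm whether the directory server actually completes a TLS v1.2 handshake. The sample log lines are constructed for this example, and the hostname ldap.example.com is an assumed placeholder.

```python
import re
import socket
import ssl

# Constructed sample UAA log text (not taken from the article); the first line
# mirrors the ChainedAuthenticationManager message shown in the Symptom section,
# the others are unrelated events that a scan must NOT report.
SAMPLE_UAA_LOG = """\
[2016-09-13 17:01:42.626] uaa - 6656 [http-nio-8080-exec-8] .... DEBUG --- ChainedAuthenticationManager: Chained authentication exception:simple bind failed: ldap.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is java.net.SocketException: Connection reset] at:org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
[2016-09-13 17:01:43.001] uaa - 6656 [http-nio-8080-exec-9] .... DEBUG --- ChainedAuthenticationManager: Chained authentication exception:Bad credentials at:org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
[2016-09-13 17:01:44.120] uaa - 6656 [http-nio-8080-exec-2] .... INFO --- Audit: UserAuthenticationSuccess ('alice'): principal=...
"""

# A simple bind that died with a TCP reset: the signature of the server
# tearing down the session during the TLS handshake rather than rejecting
# the credentials.
BIND_RESET = re.compile(
    r"simple bind failed: (?P<host>[\w.-]+):(?P<port>\d+).*?"
    r"Root exception is java\.net\.SocketException: Connection reset"
)


def find_ldap_bind_resets(log_text):
    """Return (timestamp, host, port) for every UAA line whose LDAP simple
    bind ended in a connection reset. Other authentication failures (bad
    credentials and so on) are left out so the result isolates transport
    problems from ordinary login failures."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_RESET.search(line)
        if not m:
            continue
        # UAA lines start with "[<timestamp>]"; take what is inside the brackets.
        timestamp = line[1:line.index("]")] if line.startswith("[") else ""
        hits.append((timestamp, m.group("host"), int(m.group("port"))))
    return hits


def probe_tls_versions(host, port=636, timeout=5.0):
    """Attempt one handshake per TLS version against host:port and report
    which ones the server completes. A server that resets the connection on
    the TLSv1.2 attempt reproduces the failure described in the Cause section.
    Certificate verification is disabled on purpose: the only question here
    is which protocol versions the server negotiates. A 'failed' entry for
    TLSv1/TLSv1.1 may also mean the local OpenSSL build no longer offers
    them, so compare against the TLSv1.2 result rather than reading it alone."""
    wanted = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    report = {}
    for name, version in wanted.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Pin both bounds so exactly this version is offered, like a client
            # whose jdk.tls.client.protocols is restricted to a single value.
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    report[name] = "ok (%s)" % tls.version()
        except (ssl.SSLError, OSError, ValueError) as exc:
            report[name] = "failed: %s" % exc.__class__.__name__
    return report


if __name__ == "__main__":
    for ts, host, port in find_ldap_bind_resets(SAMPLE_UAA_LOG):
        print("%s  simple bind reset by %s:%d" % (ts, host, port))
        # Uncomment to probe the real server named in the log:
        # print(probe_tls_versions(host, port))
```

Run the log scan first against the UAA logs; if it reports resets, probe the host it names. A server that answers "ok" for TLSv1 but "failed" for TLSv1.2 matches the cause described above and points to the Resolution (upgrading the directory server) rather than to a UAA or credential problem.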

Resolution

Upgrade the Active Directory server/LDAP server to support TLS v1.2.

Workaround

As a temporary workaround, update the "catalina_opts" in the UAA section of the ERT manifest file with the following flag:

-Djdk.tls.client.protocols=TLSv1

The updated property in the ERT manifest will look like this:

uaa:
  --snip--
  catalina_opts: "-Xmx768m -XX:MaxPermSize=256m -Djdk.tls.client.protocols=TLSv1"
  --snip--

Save the manifest file and deploy ERT with the updated manifest from the BOSH CLI using the following commands:

  • bosh deployment <path to cf manifest file>
  • bosh deploy

Additional Information

For additional BOSH reference commands, please refer to the link here

Note that the above setting won't persist if you "Apply Changes" in Ops Manager.
