I am trying to configure LDAP authentication on DHIS2 2.37.10 and I have followed the guidance from the link DHIS2 doc - LDAP Configuration, and it does not work. The log shows the error:
Caused by: org.springframework.ldap.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:389; nested exception is javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:389 [Root exception is java.net.SocketException: Connection reset].
Do you know what is causing issues and how to fix it?
There might be so many reasons in the configuration that could be causing the error to appear so it might actually help to get the complete Catalina.out log (without sensitive/authentication info), so could you share it please?
Additionally, could you check the logs in the LDAP server itself and see if there are any errors which could be shared?
@Gassim is quite correct in that a number of things could be incorrectly configured. There are a few easy places to eliminate early on in the troubleshooting process.
- Is port 389 enabled in the firewall?
- Is your LDAP server listening on the correct socket (IP and port number)?
- Is the associated username and password combination configured correctly, and has it been tested to confirm?
Of course these are just a few. There would be more to eliminate as you go. Would you be able to confirm the three points above and perhaps share a larger snippet of the catalina log? Those would most certainly also assist.
From South Africa
Dear @Gassim and @potlaki,
Thanks for your prompt response. We have set up the LDAP configuration for the REDCap system and it is working. I wonder why it is not working for DHIS2 using the same parameters/configuration?
Please find attached the log file.
logs.docx (21.1 KB)
Are you using secure LDAP? I assume your LDAP server is insisting on a secure connection either way. If that is the case, it could be that the LDAP service is using an SSL certificate for authentication.
Your connection string should be composed of the domain plus the port (e.g. contoso.com:389). I see you have redacted an IP address. Does it mean the connection string is composed of the IP address and not the URL?
RWC World Cup Champs
Hi @potlaki and @Gassim
According to our ICT department, there is no CA certificate for this as the LDAP server is not public facing.
I have also tried with DN/IP and port 389 and it is still throwing the same error that I have shared with you.
When set to port 636, the error thrown changes to:
Caused by: javax.naming.CommunicationException: simple bind failed: IP/DN:636
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am still testing the LDAP configuration. When testing only with LDAP://DN:389 (without “S”), I am getting the error:
INFO 2023-11-20T08:03:00,075 Authentication event: AuthenticationFailureBadCredentialsEvent; username: eossemane; ip: 0.0.0.0; sessionId: f64b2afeba038760404e14e52b30bd154c5eb4f01d9fc3b664e39713484124b7; exception: Bad credentials (AuthenticationLoggerListener.java [http-nio-8080-exec-10])
INFO 2023-11-20T08:03:00,075 Login attempt failed for remote IP: 0.0.0.0 (AuthenticationListener.java [http-nio-8080-exec-10])
On the other hand, when testing with port 636, I am getting a different error:
ERROR 2023-11-20T08:12:20,167 An internal error occurred while trying to authenticate the user. (AbstractAuthenticationProcessingFilter.java [http-nio-8080-exec-10]) org.springframework.security.authentication.InternalAuthenticationServiceException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: LDAP connection has been closed.
Looks like you are making progress. You’ve gone from not listening on the socket to failed creds. Check the credentials you have entered in dhis.conf and make sure they correspond with the ones you have saved in your password manager.
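As an added example (not from this thread, DHIS2 or Spring LDAP), a small Python script that classifies catalina.out excerpts like the ones quoted above by the innermost exception in the "Caused by" chain, so the three failure layers seen in the thread (TCP reset on 389, untrusted server certificate on 636, rejected bind) can be told apart before anyone touches dhis.conf again. The sample excerpts, the 192.0.2.10 address and the cause-to-advice mapping are constructed for illustration.

```python
import re
from typing import List, Tuple

# Known root causes, as they appear in a Java stack trace, mapped to the layer
# that failed and the check to run first. Assumption: these are general
# JNDI/Spring LDAP behaviours, not something specific to DHIS2.
ROOT_CAUSES = [
    ("java.net.SocketException: Connection reset", "network",
     "peer closed the TCP session: wrong port, firewall, or server requires TLS"),
    ("java.net.ConnectException", "network",
     "nothing listening on that host:port"),
    ("SunCertPathBuilderException: unable to find valid certification path", "tls",
     "server certificate not trusted: import the issuing CA into the JVM "
     "truststore (keytool -importcert) rather than disabling validation"),
    ("LDAP connection has been closed", "tls",
     "server dropped the session after the handshake; check TLS settings and server logs"),
    ("Bad credentials", "bind",
     "transport works; bind DN or password in dhis.conf is rejected"),
]

# Constructed excerpts modelled on the thread (address is a documentation IP).
SAMPLES = {
    "port389": ("Caused by: org.springframework.ldap.CommunicationException: simple bind "
                "failed: 192.0.2.10:389; nested exception is javax.naming."
                "CommunicationException: simple bind failed: 192.0.2.10:389 "
                "[Root exception is java.net.SocketException: Connection reset]."),
    "port636": ("Caused by: javax.naming.CommunicationException: simple bind failed: 192.0.2.10:636\n"
                "Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: "
                "sun.security.provider.certpath.SunCertPathBuilderException: unable to find "
                "valid certification path to requested target\n"
                "Caused by: sun.security.provider.certpath.SunCertPathBuilderException: "
                "unable to find valid certification path to requested target"),
    "badcreds": ("INFO Authentication event: AuthenticationFailureBadCredentialsEvent; "
                 "username: alice; exception: Bad credentials"),
}

def caused_by_chain(log: str) -> List[str]:
    """Return every 'Caused by:' message in order, outermost first."""
    return [m.strip() for m in re.findall(r"Caused by:\s*(.+)", log)]

def diagnose(log: str) -> Tuple[str, str]:
    """Classify an excerpt by its innermost recognised cause; (layer, advice)."""
    messages = caused_by_chain(log) or [log]   # plain INFO/ERROR lines have no chain
    for msg in reversed(messages):             # innermost 'Caused by' wins
        for needle, layer, advice in ROOT_CAUSES:
            if needle in msg:
                return layer, advice
    return "unknown", "no recognised root cause; share the full stack trace"

if __name__ == "__main__":
    for name, excerpt in SAMPLES.items():
        print(name, "->", diagnose(excerpt))
```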