I have logged the network activity with wireshark and discovered that the non functioning ldaps connection is due to an unknown certificate from the ldap server. The ldap configuration over standard port 389 works fine.
I have downloaded the certificate from the wireshark packages:
http://moonbutblack.blogspot.com/2013/10/exporting-server-certificate-from.html
And imported it into java:
https://docs.oracle.com/cd/E19509-01/820-3399/ggfrj/index.html
But that doesn't seem to be the solution because the same response is given from my traccar server to the ldap server.
I'm no expert in this so maybe I skipped a few steps?
It seems that every java app can have it's own keystore. So I needed to find the keystore that traccar was using. And I found one here:
C:\Program Files\Traccar\jre\lib\security\cacert
I've added my certificates to that keystore but that didn't seem to do the trick. Maybe better luck tomorrow
Alright, it seems that traccar is not using the cacert store in the directory of my previous post but the one in the JRE directory:
C:\Program Files\Java\jre1.8.0_161\lib\security
Adding the certificate from the LDAPS server (and/or the root CA) to that store did the trick. I can now login using LDAP/SSL.
I would advise the owner of the documentation site to extend the LDAP documentation to describe how to use LDAPS since SSL connections are getting to be the default (and a good thing that is!).
Ow, but I would also like to advise to add error logging for the ldap connection.
Hi Mathias, can you please share with us your traccar.xml file as an example
specially for those lines :
<entry key='ldap.idAttribute'>cn</entry>
<entry key='ldap.nameAttribute'>displayName</entry>
<entry key='ldap.mailAttribute'>mail</entry>
<entry key='ldap.searchFilter'>(|(cn=:login)(mail=:login))</entry>
and i want to know if thevalues you've putted here are default values of just an example
Thank you
hello Walid. What I have posted in my topicstarter is my traccar config file. It are not the default values. You should find out how your LDAP is built up in order to fill in these values. In my LDAP, the cn parameter is used as windows username.
Thank you Mathias
Hello, Mathias i couldn't login trought ldap even after adding the generated client certificate from ldap server (i tested the auth with ldp.exe and it's working)
how did you add the client certificate ?
Thank you in advance !
I've used this command :
keytool -import -trustcacerts -alias alias -file certificate_filename
-keystore cacerts_filename
My best advice would be to use Wireshark to analyze the network packages that are being exchanged between your traccar server and the ldap. Then you'll see more of the problem
Thank you Mathis !
Hi Mathias,
i've added the certificate but i still getting null pointer exception when trying to connect using LDAPS (i verified my credentials they are correct) and analysed the exchanged traffic from traccar and ldap server and i saw one line where it's says:
202 22.470097 10.0.0.40 10.0.0.41 HTTP 133 POST /fake-login.html HTTP/1.1 (application/x-www-form-urlencoded)
can you please post a tutorial on how you did it from creating the certificate to adding it until the final login ?
because i know that I'm missing something sins there is someone who did it
Thank you again for your help
Hello Redofi,
Have you tried wireshark? The log that you've posted seems to be from a webserver but doesn't give information about your problem.
And how did you obtain the SSL certificate from the LDAP server? I've downloaded it from the wireshark messages.
If you don't know how to use wireshark, then don't be afread to learn it. Install it on the traccar server. Open it. Configure your LDAP config in traccar for SSL. Restart traccar server. Then right before you click on the button to login, start the capture (the blue shark fin top left). Click the loginbutton and immediately stop wireshark (red stop button). That's to reduce the number of messages you need to analyse. Then add a filter like: ip.dst == {your ldap server ip} or ip.src == {your ldap server ip} and start analysing the packages looking for errors. I can't remember everything but there were packages with "Server hello" and "Client hello" and not far after was the relevant error. To be sure I added the right certificate to the keystore, I've downloaded the certificate from the wireshark packages (certificate is mentioned somewhere)
Sorry, I'm not going to write a full tutorial.
Hi Mathias, the line is from wireshark not from server log (and i know how to use it ) (i just did right click on the line and copy -> summary as text and past it here) after i filtred the exchanged traffic that are been exchanged with the ldaps server that have an ip adress of 10.0.0.41 with ip.addr == 10.0.0.41.
i obtained the certificate by installing the Active directory certificate services then i created a private key using certificate service installation wizard after that i exported the public key using the MMC
i've also verified that the ldap is working fine over ssl using ldp.exe
link of the tutorial i've followed : https://techcommunity.microsoft.com/t5/sql-server/step-by-step-guide-to-setup-ldaps-on-windows-server/ba-p/385362
Thanks a lot for your help
And do you see an error in wireshark about the certificate? Because if the certificate is added to the right keystore and properly used by traccar, but you still have trouble logging in over ldaps, then it's not the certificate that is the issue.
Hello,
I need to setup an LDAP(s) connection in traccar. I think my config is OK but it is not working. It could be that the problem is not related to the configuration of traccar but with ldap permissions. I'd like to troubleshoot this but cannot find any log entries.
This is my ldap configuration in conf/traccar.xml:
<entry key='ldap.enable'>true</entry> <entry key='ldap.port'>636</entry> --> <entry key='ldap.url'>ldaps://msnet.railb.be:636</entry> <entry key='ldap.base'>DC=msnet,DC=railb,DC=be</entry> <entry key='ldap.idAttribute'>cn</entry> <entry key='ldap.nameAttribute'>displayName</entry> <entry key='ldap.mailAttribute'>mail</entry> <entry key='ldap.searchFilter'>(|(cn=:login)(mail=:login))</entry> <entry key='ldap.adminGroup'>A1681_Admins</entry> <entry key='ldap.user'>***</entry> <entry key='ldap.password'>***</entry>
At login, I just get the error that username/password is incorrect. I don't see any attempt to contact the LDAP server in the logfiles. I have set up a specific log in the configuration for this purpose:
<entry key='logger.enable'>true</entry> <entry key='logger.file'>C:\Program Files\Traccar\logs\custom.log</entry>
Are ldap actions not logged? Any other pointers?
Thanks!