Description of problem:
Changing the LDAP URL to point to a secured port and checking the 'SSL' box displays "Failed to load LDAP groups available for role" in the message center, and the UI query progress shows 'Loading' in the role assignment UI. The server log displays a stack trace with "LDAP communication error: 10.65.201.128:636; socket closed: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed".

Message center in UI shows below:
--------------------------------------------------------------
Message : Failed to load LDAP groups available for role.
Severity : Error
Time : Monday, November 25, 2013 6:16:24 PM UTC+5:30
Root Cause : javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
Detail : java.lang.RuntimeException:[1385383584134] javax.ejb.EJBException:org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> org.rhq.enterprise.server.exception.LdapCommunicationException:javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
--- STACK TRACE FOLLOWS ---
[1385383584134] javax.ejb.EJBException:org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> org.rhq.enterprise.server.exception.LdapCommunicationException:javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
  at Unknown.RuntimeException_0(Unknown Source)
  at Unknown.instantiate_32(Unknown Source)
  at Unknown.$instantiate_0(Unknown Source)
  at Unknown.$instantiate(Unknown Source)
  at Unknown.$readObject(Unknown Source)
  at Unknown.$onResponseReceived(Unknown Source)
  at Unknown.onResponseReceived_6(Unknown Source)
  at Unknown.$fireOnResponseReceived(Unknown Source)
  at Unknown.onReadyStateChange_0(Unknown Source)
  at Unknown.anonymous(Unknown Source)
  at Unknown.apply(Unknown Source)
  at Unknown.entry0(Unknown Source)
  at Unknown.anonymous(Unknown Source)
  at Unknown.anonymous(Unknown Source)
----------------------------------------

Please refer to the attached screenshot of the role assignment UI and the server log for the stack trace.

Version-Release number of selected component (if applicable):
JON Version : 3.2.0.ER7
Build Number : e8e6401:ff0061d
LDAP server: Windows 2003 Active Directory server

How reproducible:
Always

Steps to Reproduce:
1. Configure the JON server to use an LDAP server over non-SSL.
2. Verify that the user is able to browse available groups in the role assignment UI.
3. Change the LDAP URL to point to a secured port and check the 'SSL' box.
4. Navigate to the role assignment UI.
5. Click on the LDAP groups tab.
6. The query progress shows 'Loading' and LDAP groups are not displayed in available roles.
7. The UI shows a message in the message center: 'Failed to load LDAP groups available for role'.
8. The server log shows a stack trace.

Actual results:
LDAP SSL connection fails to load LDAP groups available for role.

Expected results:
LDAP SSL connections should work and load LDAP groups available for role in the role assignment UI.

Additional info:
Created attachment 828671: Screenshot_RoleAssignment_UI
Created attachment 828672: Server_log
added GA blocker to flag this for discussion and triage
sunil ... can you verify the validity of this BZ ... "Caused by: org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed" -- that probably means SSL is not set up correctly. skondkar did not write in the BZ whether he imported any server certificate or public key etc. into his JON JVM. If he did not, then the SSL handshake probably failed and the LDAP server closed the connection for that reason.
Tested with the JON 3.2 alpha53 build, where the SSL connection was working (Version: 3.2.0.ALPHA_QA, Build Number: 1878d58:5e6b489).

More details on steps:
1. Navigate to Administration -> System Settings
2. Enter the below details in LDAP Configuration Properties:
3. Enable LDAP : Yes
4. Search Base: dc=pnq,dc=redhat,dc=com
5. Username: cn=Administrator,cn=users,dc=pnq,dc=redhat,dc=com
6. Password: redhat
7. Search Filter: objectclass=*
8. Group Search Filter: objectclass=group
9. Group Member Filter: member
10. Use Group Query Paging: Yes
11. Group Search Page Size: 1000
12. Is PosixGroup: No
13. Login Property: cn
14. LDAP URL: ldap://10.65.201.128:636
15. SSL: Yes
16. Click Save
17. Navigate to the role assignment UI.

The connection works on the JON 3.2 Alpha53 build and displays available LDAP groups in the role assignment UI. The connection fails to display LDAP roles in the JON 3.2 ER7 build, as described in the bug.
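The comment above suggests checking whether the JON JVM actually trusts the directory's certificate before blaming the product, and the configuration listed here (plain ldap:// URL on port 636 with the SSL box checked) is what JON's JNDI code ends up doing. The following is an added diagnostic, not JON code and not something from this bug report: it first performs a bare TLS handshake with the JVM's configured trust store, so a missing CA or server certificate shows up as an SSLHandshakeException instead of being buried inside a NamingException, and then runs the same kind of JNDI bind and `objectclass=group` search the role assignment UI performs. The host, port, bind DN, password, base DN and trust store path are placeholders taken from the comment above and must be replaced for your own directory.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not JON code). Tells "this JVM does not trust the directory's certificate"
 * apart from "the directory closed the socket", then does a JNDI bind + group search.
 * Assumed invocation (all arguments are placeholders):
 *   java -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit \
 *        LdapsCheck 10.65.201.128 636 "cn=Administrator,cn=users,dc=pnq,dc=redhat,dc=com" secret "dc=pnq,dc=redhat,dc=com"
 */
public class LdapsCheck {

    /** Step 1: bare TLS handshake using the JVM's own trust store. Returns null on success. */
    static String tlsHandshakeProblem(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            sock.setSoTimeout(10_000);
            sock.startHandshake();
            return null;
        } catch (SSLHandshakeException e) {
            // The server certificate does not chain to anything in javax.net.ssl.trustStore.
            return "JVM rejected the server certificate (import it with keytool): " + e.getMessage();
        } catch (IOException e) {
            // Closed port, a plaintext listener on that port, or the peer dropped the connection.
            return "no TLS session: " + e;
        }
    }

    /** Step 2: JNDI bind over SSL and a group search, configured like "ldap://host:636" + "SSL: Yes". */
    static int countGroups(String host, int port, String bindDn, String password, String baseDn)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port); // plain scheme on the TLS port
        env.put(Context.SECURITY_PROTOCOL, "ssl");                      // what the SSL checkbox means
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "10000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        DirContext ctx = new InitialDirContext(env); // the bind happens here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "member"}); // "member" = group member filter above
            NamingEnumeration<SearchResult> hits = ctx.search(baseDn, "(objectclass=group)", sc);
            int n = 0;
            try {
                while (hits.hasMore()) {
                    hits.next();
                    n++;
                }
            } catch (PartialResultException e) {
                // Active Directory answers a domain-root subtree search with trailing referrals;
                // with the default java.naming.referral=ignore JNDI raises this after the real entries.
            }
            return n;
        } finally {
            ctx.close();
        }
    }

    /** NamingException hides the TLS failure several levels down; surface the innermost cause. */
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur;
    }

    public static void main(String[] args) {
        if (args.length != 5) {
            System.err.println("usage: LdapsCheck host port bindDn password baseDn");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        String problem = tlsHandshakeProblem(host, port);
        if (problem != null) {
            System.err.println("step 1 (TLS handshake) failed: " + problem);
            System.exit(1);
        }
        System.out.println("step 1: TLS handshake with " + host + ":" + port + " succeeded");

        try {
            int groups = countGroups(host, port, args[2], args[3], args[4]);
            System.out.println("step 2: bind and group search succeeded, " + groups + " group entries");
        } catch (NamingException e) {
            // e.g. ServiceUnavailableException "host:port; socket closed" when the peer drops the session
            System.err.println("step 2 (JNDI) failed: " + e.getClass().getName() + ": " + e.getMessage());
            System.err.println("root cause: " + rootCause(e));
            System.exit(1);
        }
    }
}
```

If step 1 reports a rejected certificate, the fix is on the JVM side: export the directory's server or CA certificate and add it to the trust store the JON server runs with (`keytool -importcert -file ad.cer -alias ad -keystore truststore.jks`), then restart. If step 1 succeeds but step 2 still fails with the "socket closed" ServiceUnavailableException seen in this bug, the trust store is not the problem and the failure is in how the product builds the JNDI environment, which is what the one-line LDAPGroupManagerBean fix in the later comment addresses.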
This is fixed with commit e5887ddb552e80 to release/jon3.2.x. Moving this to MODIFIED for testing/re-testing with next brew build. The fix is a one line fix in the LDAPGroupManagerBean around ssl handling and does not affect any other functionality. We missed this in manual testing as I am not currently aware of any automated cli or UI testing that covers this specific use case. Automated testing in this area will involve installation, configuration and integration of an additional server with a running JON server. We should put some more effort into this area if possible although if it was easier we would have already added such automation. From the dev side, this is leftover fallout from property migration throughout the product that occurred several months ago. This permutation was not explicitly exercised since that change.
Moving to ON_QA for testing in latest(CR1) brew build.
Verified on Version: 3.2.0.CR1, Build Number: 6ecd678:d0dc0b6. LDAP SSL connection works and LDAP groups are available in the role assignment UI. Verified LDAP authentication and authorization is working with SSL and non-SSL connections. Verified on Windows 2003 Active Directory server and Red Hat Directory Server 8.2.0.