Hitachi Vantara Pentaho Community Forums

Thread: How to force 4.10 PDI to use LDAPS instead of LDAP

  1. #1
    Join Date
    Sep 2012
    Posts
    13

    Default How to force 4.10 PDI to use LDAPS instead of LDAP

    We are generating a report from LDAP using the 4.10 stable version. It has been working fine, but now they are asking us to switch the LDAP connection to LDAPS. I am using LDAP Input. I have been looking everywhere for some documentation on this subject with no luck. Can anyone give me some clue or point me to a document that describes how to force LDAPS when using LDAP Input?
    Any help would be greatly appreciated.

  2. #2
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    Secure LDAP connections were added to version 4.4, I think.
    This leaves you with the following options:

    • Upgrade to a newer version.
    • Add code to class LDAPConnection.
    • Use an external tool like ldapsearch or cURL for extraction to a file and then process with 4.1.
    So long, and thanks for all the fish.

  3. #3
    Join Date
    Sep 2012
    Posts
    13

    Default

    So we did upgrade to the 4.4 version, and I do see the LDAP option and the keystore path. I configured all the LDAP Input calls to use LDAPS and made sure the proper certs were in the keystore file, but I am still connecting using LDAP, not LDAPS. So when I run a test using LDAP Input I still get the LDAP 48 error, which tells me the connection is still LDAP and not LDAPS.
    Have I missed anything else?
    Please help?

  4. #4
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    How is your LDAP-Input step configured exactly?
    Can you provide a zipped screenshot?
    What kind of LDAP server do you connect to?

  5. #5
    Join Date
    Sep 2012
    Posts
    13

    Default


    Here is a screenshot of the configuration

  6. #6
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    Again, can you provide a zipped screenshot?
    So long, and thanks for all the fish.

  7. #7
    Join Date
    Sep 2012
    Posts
    13

    Default Screenshot zip file

    Screenshot zip file attached. Hope this works

  8. #8
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    Lossy compressed images are no good.
    Try to attach a screenshot, don't use the tool button for inline image insertion.
    Use the tool button decorated with a clip in advanced editor mode for this.

    BTW: Error 48 is about inappropriate authentication - as if the user you specified isn't allowed to use Simple Bind for authentication.
    Last edited by marabu; 01-12-2018 at 05:42 PM.

  9. #9
    Join Date
    Sep 2012
    Posts
    13

    Default

    I added the screenshot zip file again. Hopefully this works. The 48 error is when I use LDAPS. If I use LDAP it works fine. So it is as if the LDAPS config is not taking effect; my LDAP server only allows LDAPS, so if you try to connect to it as LDAP it gives you the 48 error. If I ask the LDAP server to allow non-SSL and have the LDAP Input use LDAP, not LDAPS, everything works fine.
    Thanks for your help

  10. #10
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    Quote Originally Posted by banaraki View Post
    the 48 error is when I use LDAPS
    Your screenshot says something else. You get that error when you try to connect to a non-standard port (15389) via LDAP protocol.

    If you want to use Start TLS (LDAP extended operation), make sure your server does support it, i.e. the Root DSE contains supportedLDAPVersion=3 and supportedExtension=1.3.6.1.4.1.1466.20037 (Start TLS).

    If you really want to use LDAPS, make sure you specify protocol LDAP SSL and a corresponding port number.

    Out of curiosity, what type of LDAP server (vendor, product, version) do you try to connect to?

  11. #11
    Join Date
    Sep 2012
    Posts
    13

    Default

    thanks for your reply.
    I am using CA Directory, which allows you to define your own ports for SSL and non-SSL. The standard port for LDAPS is 636, but we are using 15389 for SSL. I have imported the root and chain certs into the keystore location shown in the screenshot. I can see the call that is made in the LDAP logs; it is not coming in as SSL, it is coming in as non-SSL, which my LDAP server won't allow. There is no issue with my LDAP server and port, as I can connect via LDAPS with other LDAP clients.
    Thanks for your help

  12. #12
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    Your directory service doesn't allow a simple bind authentication to use an unsecured connection.
    You say port 15389 is a relocated port 636, so you can't use LDAP.
    Your screenshot shows an error connecting via LDAP, though.

    Right now I think you simply don't know the difference between the protocol choices available with the Kettle LDAP steps:

    GUI setting   Meaning                     Actual protocol
    LDAP          no encryption               LDAP
    LDAP SSL      encryption via SSL          LDAPS
    LDAP TLS      encryption via Start TLS    LDAP


    You can't use LDAP TLS because a server listening on an LDAPS port will not accept the Start TLS extended control.

    So, did you ever try LDAPS at all?
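
The protocol table in post #12 and the Root DSE check in post #10, as an added example that is not part of the thread or of Kettle's own code. It is a Python script: hostnames, ports, the sample Root DSE and the sample client messages are all constructed, and the BER decoding covers only the first message of a session, which is enough to tell a TLS ClientHello, a cleartext simple bind and a Start TLS request apart.

```python
"""Added example (not from the thread or from Kettle): what each Kettle LDAP
protocol setting puts on the wire, a Root DSE check for Start TLS, and a
classifier for the first bytes a client sends, so a server-side log or
capture can tell LDAPS from plaintext LDAP and from Start TLS.
Hostnames, ports and all sample data below are constructed."""
from typing import Dict, List, Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 Start TLS extended operation

# Constructed Root DSE, in the LDIF form an `ldapsearch -s base -b ''` prints.
SAMPLE_ROOT_DSE = """\
dn:
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
"""

def parse_root_dse(ldif: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: one 'attr: value' per line, multi-valued attributes."""
    attrs: Dict[str, List[str]] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def supports_starttls(root_dse: Dict[str, List[str]]) -> bool:
    """The two Root DSE facts post #10 asks for: LDAPv3 and the Start TLS OID."""
    return ("3" in root_dse.get("supportedLDAPVersion", [])
            and STARTTLS_OID in root_dse.get("supportedExtension", []))

def plan_connection(gui_setting: str, host: str, port: int,
                    root_dse: Optional[Dict[str, List[str]]] = None) -> Dict[str, object]:
    """Map the Kettle GUI choice (LDAP / LDAP SSL / LDAP TLS) to a URL and to
    whether a Start TLS extended request follows the TCP connect."""
    s = " ".join(gui_setting.upper().split())
    if s == "LDAP":                  # cleartext, credentials included
        return {"url": f"ldap://{host}:{port}", "starttls": False, "encrypted": False}
    if s == "LDAP SSL":              # TLS from the first byte: this is LDAPS
        return {"url": f"ldaps://{host}:{port}", "starttls": False, "encrypted": True}
    if s == "LDAP TLS":              # plaintext connect, then Start TLS
        if root_dse is not None and not supports_starttls(root_dse):
            raise ValueError(f"server does not advertise Start TLS ({STARTTLS_OID}); "
                             "use 'LDAP SSL' against the LDAPS port instead")
        return {"url": f"ldap://{host}:{port}", "starttls": True, "encrypted": True}
    raise ValueError(f"unknown protocol setting {gui_setting!r}")

def _tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_first_message(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP connect."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "TLS ClientHello (LDAPS)"
    if not data or data[0] != 0x30:  # an LDAPMessage is a BER SEQUENCE
        return "not LDAP"
    _, msg, _ = _tlv(data, 0)
    _, _, pos = _tlv(msg, 0)         # messageID INTEGER
    op_tag, op, _ = _tlv(msg, pos)   # protocolOp CHOICE
    if op_tag == 0x60:               # bindRequest [APPLICATION 0]
        _, _, p = _tlv(op, 0)        # version
        _, name, p = _tlv(op, p)     # name (bind DN)
        auth_tag, _, _ = _tlv(op, p)  # simple [0] = 0x80, sasl [3] = 0xA3
        method = "simple" if auth_tag == 0x80 else "sasl"
        return f"plaintext LDAP bindRequest ({method}) as {name.decode()}"
    if op_tag == 0x77:               # extendedReq [APPLICATION 23]
        t, oid, _ = _tlv(op, 0)      # requestName [0] LDAPOID
        if t == 0x80 and oid.decode() == STARTTLS_OID:
            return "plaintext LDAP Start TLS extendedRequest"
        return f"plaintext LDAP extendedRequest {oid.decode()}"
    return f"plaintext LDAP protocolOp tag 0x{op_tag:02x}"

# Constructed wire samples (hand-encoded BER / TLS record header).
SAMPLE_SIMPLE_BIND = (b"\x30\x24\x02\x01\x01\x60\x1f\x02\x01\x03"
                      b"\x04\x12cn=admin,o=example\x80\x06secret")
SAMPLE_STARTTLS = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID.encode()
SAMPLE_TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"   # truncated record

if __name__ == "__main__":
    dse = parse_root_dse(SAMPLE_ROOT_DSE)
    for setting in ("LDAP", "LDAP SSL", "LDAP TLS"):
        print(setting, plan_connection(setting, "ldap.example.com", 15389, dse))
    for sample in (SAMPLE_SIMPLE_BIND, SAMPLE_STARTTLS, SAMPLE_TLS_HELLO):
        print(classify_first_message(sample))
```

Looking at the first bytes the server sees is the quickest way to settle the disagreement in this thread: a BER SEQUENCE (0x30) instead of a TLS record (0x16 0x03) means the client really did connect in cleartext, whatever the GUI setting says, and a directory that refuses cleartext simple binds answers with result code 48 (inappropriateAuthentication).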

  13. #13
    Join Date
    Sep 2012
    Posts
    13

    Default

    Thanks for your reply.
    My LDAP server can serve both TLS and SSL. I use the Apache Studio LDAP browser to test the same connectivity with TLS and SSL; in Apache Studio both protocols work, but with LDAP Input, when I use TLS I get error 48, and when I use SSL I get an LDAP exception error. I attached a screenshot of the exception stack.
    Thanks for your help

  14. #14
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    You think you can't connect via LDAPS, but your stack trace tells a totally different story.
    See that ClassNotFoundException?
    Kettle is looking for a class that's only present in 4.4, not in 4.1, but your run-time environment still has pointers to 4.1 (look out for PATH, CLASSPATH and KETTLE variables), which fool the ClassLoader.
    Set up a clean environment and you should be fine.

  15. #15
    Join Date
    Sep 2012
    Posts
    13

    Default

    Thanks for your reply.
    Let me review the steps with you.
    1) I downloaded 4.4 stable version
    2) unzipped it on the windows server
    3) ran spoon.bat
    4) the UI comes up, I just create a blank transformation
    5) drag an LDAP input
    6) edit the step and put in the LDAP connection information
    7) I click on Test connection and I get the exception

    So I agree that I am missing a lib file, but it should all be there since I am running off a 4.4 folder. Do you know the name of the lib file, so maybe I can search my path to see if there is an old one in the path?
    Thanks for your help

  16. #16
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    The missing class is part of kettle-engine.jar in 4.4, but not in 4.1.

    If you can't unzip 4.4 on a system that never saw 4.1, you really should look for changes you made to the environment after the installation of 4.1.

    Good luck.

  17. #17
    Join Date
    Sep 2012
    Posts
    13

    Default Correct Screen shot of exception

    Thanks for your reply.
    So this time I went to a new Windows server that has not seen any PDI installation. I unzipped the 44.zip file on the new server, again ran spoon.bat, brought up the UI, created a new transformation and used LDAP Input, and I got the exact same error. Screenshot attached. I also included a screenshot showing that there is only the kettle-engine.jar from the 44 folder on this system. So it looks like on a system that has not seen PDI I am still unable to find a lib file. I wonder if this is a Java lib file; my current Java version on this system is jdk1.7.0_151. I updated the correct exception screenshot.
    Thanks for your help
    Last edited by banaraki; 01-22-2018 at 11:39 AM. Reason: Correct Screen shot of exception

  18. #18
    Join Date
    Sep 2012
    Posts
    13

    Default

    After all the troubleshooting I have done, it looks like the issue is with the kettle-engine.jar that is packaged by PDI 4.4 stable. The file date is 11-21-2012 and the size is 6906 KB. This jar does not have the CustomdSocketFactory.

    Do you know what the proper kettle-engine.jar to use for LDAPS is? The one in the package has this lib missing.

  19. #19
    Join Date
    Jun 2012
    Posts
    5,534

    Default

    The highlighted class is mistyped in the original source.
    You'll have to correct the classname and compile from source.
    Or try a newer version.

  20. #20
    Join Date
    Sep 2012
    Posts
    13

    Default

    Thanks for your reply. I fixed the problem. It looks to me like if you want to use LDAPS you have to use PDI-5.01-stable or higher. Once I used 5.01 the issue was resolved.

  21. #21
    Join Date
    Apr 2008
    Posts
    4,696

    Default

    Quote Originally Posted by banaraki View Post
    Once I used 5.01 the issue was resolved
    If you're taking the time to do an upgrade, why would you not move to the newest version?

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.