Not able to authenticate against the LDAP - ST_ERROR_LDAP_NOT_REACHABLE

Hello,

I am quite new to Sametime. I tried to install Sametime 12.0.1 on RHEL and Docker.

I was able to finish the installation and I am able to access the web interface for meeting and chat, but I am not able to log in to the system.

Here is my LDAP configuration:

# LDAP configuration
LDAP_HOST_ENV=ldap.jumpcloud.com
LDAP_PORT_ENV=
LDAP_SSL_ENABLED_ENV=1
LDAP_SSL_PORT_ENV=636
LDAP_BIND_ENTRY_DN_ENV=uid=testvdi,ou=Users,o=5b5725ebd,dc=jumpcloud,dc=com
LDAP_BIND_ENTRY_PWD_ENV=<Password>
LDAP_PERSON_RESOLVE_BASE_ENV=ou=Users,o=5b5725ebd,dc=jumpcloud,dc=com
LDAP_GROUP_RESOLVE_BASE_ENV=ou=Users,o=5b5725ebd,dc=jumpcloud,dc=com

The errors I see are the following:

- login > SDK.loggedOut loginId:testvdi loginMethod:byPassword
- login > SDK.loggedOut: error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE
- authenticate: LOGGED_OUT: bad login or password. error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE

The other error is:

- LoginFailed userName=testvdi organization= IP=172.21.0.8 app=(0x14c3)(5315) reason=(0x80001001) 

I use JumpCloud as an LDAP source: https://support.jumpcloud.com/support/s/article/using-jumpclouds-ldap-as-a-service1

I thought the issue was caused by the fact that I can't connect to the LDAP server, but I was able to perform the following tests successfully from inside the pod.

[notes@ea959fc31938 notesdata]$ curl ldap://ldap.jumpcloud.com:389/
DN: 
        objectClass: top
        objectClass: OpenLDAProotDSE

[notes@ea959fc31938 notesdata]$ curl ldaps://ldap.jumpcloud.com:636/
DN:
objectClass: top
objectClass: OpenLDAProotDSE

[notes@ea959fc31938 notesdata]$

So I am able to access the LDAP server. The SSL certificate is signed by GoDaddy. In this case, I expect that it does not need to be imported separately and that the system certificates can be used.

Then I thought it could be caused by the SSL certificate. I installed OpenLDAP locally, just plain LDAP without STARTTLS, but the error was the same.

Do you have any idea what could cause the issue and how to solve it (or work around it)?

Thank you
Ondrej

Please open a case - we likely need to see more of the logs and configuration from the Community pod to determine the exact cause. For instance, are we loading the trust store correctly?

I also note that you have -

LDAP_PORT_ENV= <empty>

I believe it should be set to a valid port - even if it will not be used - as it completes the configuration - so set it to

LDAP_PORT_ENV=389

and see if that changes anything.

Hello Anthony,

Thank you for your quick response. I tried to fill in the LDAP_PORT_ENV, but the result is still the same.

unzip_sametime-proxy-1         | 2022-11-25 19:03:59.143  INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
unzip_sametime-proxy-1         | 2022-11-25 19:03:59.144  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
unzip_sametime-proxy-1         | 2022-11-25 19:03:59.145  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
unzip_sametime-community-1     | stlogger        2022-11-25 19:03:59.218 INFO    72 --- 140641748685504  :  Loading STLogResource library: [/local/notesdata/stlogresources.res],
unzip_sametime-community-1     | stlogger        2022-11-25 19:03:59.218 INFO    72 --- 140641748685504  :  Successfully loaded resource dll. [/local/notesdata/stlogresources.res],
unzip_sametime-community-1     | stlog           2022-11-25 19:03:59.218 INFO    72 --- 140641748685504  :  LoginFailed userName=testvdi organization= IP=172.23.0.10 app=(0x14c3)(5315) reason=(0x80001001)
unzip_sametime-proxy-1         | 2022-11-25 19:03:59.219  WARN 1 --- [tching thread.1] com.hcl.sametime.proxy.STLoginUtil       : > login > SDK.loggedOut loginId:testvdi loginMethod:byPassword
unzip_sametime-proxy-1         | 2022-11-25 19:03:59.221  WARN 1 --- [tching thread.1] com.hcl.sametime.proxy.STLoginUtil       : < login > SDK.loggedOut: error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE
unzip_sametime-proxy-1         | 2022-11-25 19:03:59.222  WARN 1 --- [nio-8080-exec-1] com.hcl.sametime.proxy.STAuthProvider    : < authenticate: LOGGED_OUT: bad login or password. error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE
unzip_sametime-nginx-1         | {"time_local":"25/Nov/2022:14:03:59 -0500","remote_addr":"192.168.122.1","remote_user":"-","request":"POST /stwebapi/user/connect HTTP/2.0","status": "401","body_bytes_sent":"127","request_time":"0.160","http_referrer":"https://sametime.example.com/chat/login","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","http_x_forwarded_for":"-"}
unzip_sametime-community-1     | stconvomap      2022-11-25 19:04:04.376 INFO    0 --- 41 : MongoMemberManager - Membership cleanup : Number of records deleted: 0
unzip_sametime-jibri-1         | 2022-11-25 14:04:05.752 FINE: [20] org.jitsi.jibri.webhooks.v1.WebhookClient.log() Updating 0 subscribers of status

I will try to create a support ticket.

Thank you
Ondrej

@Ondrej Ziska

Your error still suggests a network issue.

: > login > SDK.loggedOut loginId:testvdi loginMethod:byPassword
: < login > SDK.loggedOut: error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE
: < authenticate: LOGGED_OUT: bad login or password. error: 80001001 : ST_ERROR_LDAP_NOT_REACHABLE

Please verify that, from a network perspective, you can connect from the server where Sametime is installed.

Open a command prompt and telnet to ldap.jumpcloud.com on port 389 or 636.

If you cannot telnet to the LDAP server on the port configured, Sametime will not be able to either.

Hello @Daniel Oliveira,

Unfortunately, this is, I think, not possible. There is no telnet installed inside the chat-server image. There is also no dnf or yum utility to install it and no other tools I know how to use (nc, nmap, openssl).

There is a test with curl in my initial post which I think proves that the server is accessible.

I made another test with the following commands and it was successful as well.

[notes@5ba0f7030640 bin]$ (timeout 1 bash -c '</dev/tcp/ldap.jumpcloud.com/389 && echo PORT OPEN || echo PORT CLOSED') 2>/dev/null
PORT OPEN
[notes@5ba0f7030640 bin]$ (timeout 1 bash -c '</dev/tcp/ldap.jumpcloud.com/636 && echo PORT OPEN || echo PORT CLOSED') 2>/dev/null
PORT OPEN

I tested access from the host where Docker is installed and was successful too.

[root@sametime ~]# telnet ldap.jumpcloud.com 389
Trying 3.70.144.176...
Connected to ldap.jumpcloud.com.
Escape character is '^]'.
^G
07x2
Invalid ldap packet 1.3.6.1.4.1.1466.20036
Connection closed by foreign host.
[root@sametime ~]# telnet ldap.jumpcloud.com 636
Trying 3.71.193.149...
Connected to ldap.jumpcloud.com.
Escape character is '^]'.

Thank you and regards
Ondrej
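The curl and /dev/tcp tests above only show that the TCP port answers, and curl on ldaps:// only shows that the server certificate chains to curl's own CA bundle, not to whatever trust store the community server loads. The following is an added example, not code from this thread or from HCL Sametime, that separates the three layers a practitioner wants to tell apart here: TCP reachability, TLS trust against a CA bundle you choose, and an actual LDAPv3 simple bind with the configured bind DN and password (a resultCode of 49, invalidCredentials, is a different problem from "not reachable"). It uses only the Python standard library, so it can run on the Docker host; to see the container's view of the network, run it from the host inside the container's network namespace with `nsenter -t "$(docker inspect -f '{{.State.Pid}}' <container>)" -n python3 ldapcheck.py ...`. The script name, the hypothetical cafile argument and the message ID limit (< 128) are assumptions of this example.

```python
"""Added example (not from the thread or HCL): TCP -> TLS -> LDAP bind probe."""
import socket
import ssl
from typing import Optional, Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Layer 1. Returns 'open', 'refused', 'timeout', 'dns' or 'error:<msg>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc}"


# Minimal BER helpers, enough for an LDAPv3 BindRequest / BindResponse.
def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | nbytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }.
    Assumption of this example: msg_id < 128 so it fits one INTEGER byte."""
    req = (_tlv(0x02, b"\x03")                 # INTEGER version 3
           + _tlv(0x04, bind_dn.encode())      # LDAPDN (empty = anonymous)
           + _tlv(0x80, password.encode()))    # [0] simple authentication
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, req))


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    _, msg, _ = _read_tlv(data, 0)             # outer SEQUENCE (LDAPMessage)
    tag, mid, pos = _read_tlv(msg, 0)          # INTEGER messageID
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:                            # [APPLICATION 1] BindResponse
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = _read_tlv(body, 0)          # ENUMERATED resultCode
    _, _, pos = _read_tlv(body, pos)           # matchedDN (skipped)
    _, diag, _ = _read_tlv(body, pos)          # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode(errors="replace"))


def probe_ldap_bind(host: str, port: int, bind_dn: str, password: str,
                    use_tls: bool = True, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Layers 1-3. 'result' is tcp:<state>, untrusted, hostname, handshake or bind.
    cafile=None uses the platform trust store; pass the application's PEM
    bundle to reproduce the application's view of the server certificate."""
    state = probe_tcp(host, port, timeout)
    if state != "open":
        return {"result": f"tcp:{state}"}
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except ssl.SSLCertVerificationError as exc:
                # 62 = X509_V_ERR_HOSTNAME_MISMATCH; anything else is a chain problem
                kind = "hostname" if exc.verify_code == 62 else "untrusted"
                return {"result": kind, "detail": exc.verify_message}
            except ssl.SSLError as exc:
                return {"result": "handshake", "detail": str(exc)}
        sock.sendall(bind_request(1, bind_dn, password))
        data = sock.recv(4096)                 # a BindResponse is a few dozen bytes
        mid, code, diag = parse_bind_response(data)
        return {"result": "bind", "messageID": mid, "resultCode": code,
                "diagnostic": diag, "tls": sock.version() if use_tls else None}
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # python3 ldapcheck.py ldap.jumpcloud.com 636 "<bind DN>" "<password>" [cafile]
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    cafile = sys.argv[5] if len(sys.argv) > 5 else None
    print(probe_ldap_bind(host, port, dn, pw, use_tls=(port == 636), cafile=cafile))
```

Reading the output: `tcp:refused`/`tcp:timeout`/`tcp:dns` is a genuine network or DNS problem; `untrusted` or `hostname` means the port is fine but the certificate does not validate against the bundle you passed, which is the case to suspect when curl succeeds and the application still reports the directory as unreachable; `bind` with resultCode 0 means host, TLS and credentials all work from that vantage point, and resultCode 49 means the bind DN or password in the configuration is wrong.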

I have the same issue on two Sametime installations.

Community server can reach 389 unencrypted, but there is no network activity when 636 encrypted is configured. I verified with tcpdump.

It seems that Docker blocks outgoing 636.

What was the resolution for this?

Carsten -

Please open a case for this - the error can have various causes, and only a review of the logs and configuration will point us to the issue.

The first things I would check if I see no network activity at all would be keystore configuration and DNS.

Works for LDAP_SSL_ENABLED_ENV=0, doesn't work for LDAP_SSL_ENABLED_ENV=1. Doesn't seem to be a DNS issue.

# LDAP configuration
LDAP_HOST_ENV=someldap.domain.com
LDAP_PORT_ENV=389
LDAP_SSL_ENABLED_ENV=0
LDAP_SSL_PORT_ENV=636

Which keystore configuration?

I will replicate in a test environment and open a ticket.

@Carsten Gericke

Did you find the RCA for this? ("Works for LDAP_SSL_ENABLED_ENV=0, doesn't work for LDAP_SSL_ENABLED_ENV=1. Doesn't seem to be a DNS issue.") I am having the same problem even though (imho) SSL is correctly configured in my environment. HCL is analysing the problem at the moment, but any input/idea is appreciated to get rid of this problem.

If you have a case open, let me know I can take a peek.