Hi Leonardo, in JXplorer don't use any certificate, since stunnel handles that for you. It's an "insecure to secure" TCP tunnel.
In JXplorer use 127.0.0.1:1636 as the server / port to connect. Select "no encryption" in JXplorer. And use the root path as the one mentioned in the previous emails (ou=Users,DC=myschool....). But try using the bind username / password. That way you should be able to see all users / groups provisioned from Google and check attributes, etc..

On Fri, Jun 3, 2022, 17:28 <[email protected]> wrote:

> Dear Diego, I would also like to give you the result of the actions you
> recommended + the Google Workspace logs:
>
> *Stunnel*
>
> In the stunnel.conf file I entered the following configuration:
>
> [ldap]
> client = yes
> accept = 127.0.0.1:1636
> connect = ldap.google.com:636
> cert = C:\tmp\cert\Google_2025_05_24_39655.crt
> key = C:\tmp\cert\Google_2025_05_24_39655.key
>
> and these are the logs:
>
> 2022.06.03 15:39:56 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
> 2022.06.03 15:39:56 LOG5[main]: UTF-8 byte order mark detected
> 2022.06.03 15:39:56 LOG5[main]: FIPS mode disabled
> 2022.06.03 15:39:56 LOG4[main]: Service [ldap] needs authentication to prevent MITM attacks
> 2022.06.03 15:39:57 LOG5[main]: Configuration successful
>
> It seems to me that it is ok.
>
> *JXplorer*
>
> In Security \ Client Certificates \ Add Certificate \ I gave the Google
> Workspace certificate file and a name and then the default password, which
> is "passphrase".
>
> Then I selected the imported certificate and clicked on Set Private Key \
> and I gave the Google Workspace key file and then the default password,
> which is "passphrase".
>
> I clicked on the "Connect to DSA" button.
>
> I set up the fields as follows:
>
> host: ldap.google.com
> port: 636
> Protocol: LDAP v3
> Base DN: ou=Users,dc=school name,dc=edu,dc=it
> Level: SSL + User + Password
> User DN: username of the credentials generated with LDAP clients in Google Workspace
> Password: password of the credentials generated with the LDAP client in Google Workspace
>
> I get the following error:
>
> Error opening connection:
> ldap.google.com:636
>
> error details
>
> javax.naming.CommunicationException: ldap.google.com:636 [Root exception is java.net.ConnectException: Connection timed out: connect]
>     at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
>     at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
>     at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
>     at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
>     at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
>     at javax.naming.InitialContext.init(Unknown Source)
>     at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
>     at com.ca.commons.jndi.JNDIOps.openContext(JNDIOps.java:529)
>     at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:123)
>     at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
>     at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:59)
>     at com.ca.commons.naming.DXOps.<init>(DXOps.java:41)
>     at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
>     at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:477)
>     at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422)
>     at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396)
>     at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
>     at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913)
>     at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: java.net.ConnectException: Connection timed out: connect
>     at java.net.DualStackPlainSocketImpl.connect0(Native Method)
>     at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
>     at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
>     at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
>     at java.net.PlainSocketImpl.connect(Unknown Source)
>     at java.net.SocksSocketImpl.connect(Unknown Source)
>     at java.net.Socket.connect(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
>     at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
>     at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
>     at com.ca.commons.security.JXSSLSocketFactory.createSocket(JXSSLSocketFactory.java:517)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
>     ... 26 more
>
> *Google Workspace logs \ Reporting \ Audit and investigation \ LDAP log events*
>
> *PREMISE: pippo.franco@school name.edu.it <http://name.edu.it> is the user
> of the directory with which I am trying to log in to the captive portal on
> a device connected to the inline wifi network.*
>
> *BlankDogue is the username of the credentials generated with the LDAP client.*
>
> 2022-06-03T17:11:19+02:00 Association failed: LDAP bind with uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it failed with INVALID_CREDENTIALS.
> 3 PF ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com 3 0 0 53729df6-6fe4-44a2-a4f9-10a4fc28e94e uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it INVALID_CREDENTIALS
>
> 2022-06-03T17:11:18+02:00 Successful search: LDAP search with (uid=pippo.franco) successful.
> 2 PF ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com ou=Users,dc=school name,dc=edu,dc=it false 0 0 (uid=pippo.franco) WHOLE_SUBTREE 53729df6-6fe4-44a2-a4f9-10a4fc28e94e DEREF_FINDING_BASE_OBJ SUCCESS dn
>
> 2022-06-03T17:11:18+02:00 Successful association: LDAP bind with BlankDogue successful.
> 1 PF ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com 3 0 0 53729df6-6fe4-44a2-a4f9-10a4fc28e94e BlankDogue SUCCESS
>
> 2022-06-03T17:11:18+02:00 Successful association: LDAP bind with "" successful.
> 0 PF ldap-d10f7ff5-98bc-416e-aba...@dasher-ldap-service-accounts.google.com.iam.gserviceaccount.com 3 0 0 53729df6-6fe4-44a2-a4f9-10a4fc28e94e SUCCESS
>
> Thanks
>
> *From:* leonardo.izzo--- via PacketFence-users <[email protected]>
> *Sent:* Friday, June 3, 2022 12:22
> *To:* 'Diego Garcia del Rio' <[email protected]>; [email protected]
> *Cc:* [email protected]
> *Subject:* [PacketFence-users] RE: Setting up a local source with Google Workspace
>
> Hello Diego, in the meantime, thanks for the reply.
>
> In the 'Username Attribute' field, I entered 'uid' and in BaseDN I entered
> ou=Users,dc=myschool,dc=edu,dc=it as you suggested.
>
> By clicking on the 'Test' button you get a positive result, so the
> indicated parameters are probably correct.
>
> On my pf server configured in inline mode, I created a connection profile
> having as source the local source configured with Google Workspace, tested
> correctly.
>
> In the captive portal that appears on the client side in the wifi on the
> inline network, I enter the credentials of a Google Workspace user, but
> unfortunately the error "Invalid login or password" comes out despite these
> credentials being correct (id: [email protected] and password).
>
> How come? A thousand thanks
>
> *From:* Diego Garcia del Rio <[email protected]>
> *Sent:* Thursday, June 2, 2022 10:48
> *To:* packetfence-users <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [PacketFence-users] Setting up a local source with Google Workspace
>
> Most of the defaults should work. For the username attribute, 'uid'
> should work.
>
> When you click on the "test" button for the bindDn and password, does it
> work?
>
> Make sure the LDAP service is enabled as well (not just the credentials
> generated). It's quite annoying, as it's not readily evident you
> haven't enabled the service.
>
> Also, using "stunnel" (for certificate-based SSL tunneling to Google) and
> an LDAP browser such as "JXplorer" you can test and see if you can browse
> the LDAP tree, make sure the credentials are ok, etc..
>
> The bindDN is "just" the username, like "jdoe"
>
> but the BaseDN needs to have the prefix "ou=Users" such as the following:
>
> ou=Users,dc=myschool,dc=edu,dc=ar
>
> cheers!
>
> On Sun, May 29, 2022 at 1:43 PM leonardo.izzo--- via PacketFence-users <[email protected]> wrote:
>
> Hello everyone, I have some doubts regarding some fields of the source in
> question.
>
> In 'Bind DN' and 'Password' I have to enter the credentials generated by
> the Google Workspace console -> Authentication section -> "Generate new
> credentials". Is that right?
>
> In the 'Base DN' field I have entered the customer's domain in DN format,
> i.e. the domain is schoolname.edu.it so in this field I have entered the
> string: dc=schoolname,dc=edu,dc=it. Is that right?
>
> 'Host' = ldap.google.com on SSL port 636
> 'SSL Verify Mode' = none
> 'Dead duration' = 60
> 'Connection timeout' = 1
> 'Request timeout' = 5
> 'Response timeout' = 10
> 'Scope' = Subtree
> 'Search Attributes' = null
> 'Append search attributes' = null
> 'Email Attribute' = mail
> 'Cache match' = off
> 'Monitor' = on
> 'Shuffle' = off
> 'Associated Realms' = nothing
>
> Also I wanted to know what to put in the 'Username Attribute' field.
>
> Thanks
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
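The stunnel section posted in the thread carries the client certificate but no server verification, which is exactly what the LOG4 line "Service [ldap] needs authentication to prevent MITM attacks" reports: stunnel will accept any certificate from whatever answers on ldap.google.com:636. The PacketFence source quoted above has the same gap ('SSL Verify Mode' = none). The POSIX sh script below is an added example, not code from the thread, from PacketFence or from stunnel. It shows the posted section next to a verified one (verifyChain, CAfile, checkHost), an awk audit that flags the unverified form, and ldapsearch calls on the plain-LDAP side of the tunnel that replay the bind / search / bind sequence the Google LDAP log events record for a portal login. The certificate and CA-bundle paths, the BASE_DN default and the GOOGLE_LDAP_* variables are assumptions; ldapsearch (OpenLDAP client tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread, PacketFence or stunnel.
# Assumed paths: /etc/stunnel/google-ldap.{crt,key} = the certificate and key
# downloaded from the Google Workspace LDAP client; CAfile = the system CA bundle.
set -eu

# The section as posted: client certificate only. stunnel accepts any server
# certificate here, which is what its "needs authentication to prevent MITM
# attacks" warning means.
weak_stunnel_conf() {
cat <<'EOF'
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/stunnel/google-ldap.crt
key = /etc/stunnel/google-ldap.key
EOF
}

# Same tunnel with the server chain verified and the host name pinned.
hardened_stunnel_conf() {
cat <<'EOF'
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/stunnel/google-ldap.crt
key = /etc/stunnel/google-ldap.key
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
EOF
}

# audit_stunnel_conf FILE: report every "client = yes" section that has no
# verifyChain/verifyPeer, or verifies without checkHost/checkIP. Exit 1 if any.
audit_stunnel_conf() {
  awk '
    function flush() {
      if (sec != "" && client) {
        if (!verify)      { print sec ": no verifyChain/verifyPeer (MITM possible)"; bad = 1 }
        else if (!pinned) { print sec ": chain verified but no checkHost/checkIP"; bad = 1 }
      }
    }
    BEGIN { bad = 0 }
    /^[[:space:]]*\[/ { flush(); sec = $0; gsub(/[^A-Za-z0-9_.-]/, "", sec); client = verify = pinned = 0; next }
    {
      key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); gsub(/[[:space:]]+$/, "", val)
      if (key == "client" && val == "yes") client = 1
      if ((key == "verifyChain" || key == "verifyPeer") && val == "yes") verify = 1
      if (key == "checkHost" || key == "checkIP") pinned = 1
    }
    END { flush(); exit bad }
  ' "$1"
}

# RFC 4515 escaping for the login typed into the portal before it goes into (uid=...).
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The steps the Google LDAP log events record for one portal login, replayed with
# ldapsearch on the plain-LDAP side of the tunnel (stunnel adds TLS + client cert):
#   bind as the LDAP-client username -> search ou=Users for (uid=login) -> bind as that DN.
LDAP_URI="ldap://127.0.0.1:1636"
BASE_DN="${GOOGLE_LDAP_BASE:-ou=Users,dc=myschool,dc=edu,dc=it}"   # assumed domain
BIND_USER="${GOOGLE_LDAP_USER:-BlankDogue}"                           # LDAP client username
BIND_PASS="${GOOGLE_LDAP_PASS:-change-me}"                            # LDAP client password

lookup_user_dn() {   # LOGIN -> the user's DN, or nothing if the search finds no entry
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_USER" -w "$BIND_PASS" -b "$BASE_DN" -s sub \
    "(uid=$(ldap_filter_escape "$1"))" dn | sed -n 's/^dn: //p'
}

user_bind() {        # USER_DN PASSWORD -> 0 on success, 49 (invalidCredentials) otherwise
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$1" -w "$2" -b "$1" -s base '(objectClass=*)' dn >/dev/null
}

# Stand-alone use:  sh google-ldap-check.sh audit
#                   sh google-ldap-check.sh login pippo.franco 'portal password'
case "${1:-}" in
  audit)
    t=$(mktemp -d); weak_stunnel_conf > "$t/weak.conf"; hardened_stunnel_conf > "$t/hardened.conf"
    for f in "$t/weak.conf" "$t/hardened.conf"; do
      if audit_stunnel_conf "$f"; then echo "$f: ok"; fi
    done ;;
  login)
    dn=$(lookup_user_dn "$2")
    [ -n "$dn" ] || { echo "no entry for uid=$2 under $BASE_DN"; exit 2; }
    if user_bind "$dn" "$3"; then echo "bind as $dn ok"; else echo "bind as $dn failed (rc=$?)"; fi ;;
esac
```

On the Windows host from the thread the same three options go into the posted [ldap] section with a Windows path for CAfile. A user bind that returns 49 through this script is the ldapsearch view of the INVALID_CREDENTIALS event in the Google log; a successful client bind followed by an empty lookup means the login is not a uid under BASE_DN.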
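The four LDAP log events quoted above share one connection id (53729df6-6fe4-44a2-a4f9-10a4fc28e94e) and, read in sequence 0 to 3, show a bind with an empty name, a bind as the LDAP-client username BlankDogue, a search for (uid=pippo.franco), and a bind as the DN that search returned, which fails with INVALID_CREDENTIALS. Grouping the events by connection id is the quickest way to tell a source problem (the client bind fails) from a user problem (the client bind and the search succeed, the user bind fails). The script below is an added example, not code from the thread or from Google: it groups a log export by connection id and prints one verdict per connection. The tab-separated column layout and the two additional connections are constructed for the example; a real console export carries more columns and must be mapped onto these seven first.

```shell
#!/bin/sh
# Added example (not from the thread): per-connection triage of Google Workspace
# "LDAP log events". Input columns (constructed, simplified TSV):
#   timestamp  event(bind|search)  sequence  client  connection-id  bind-name-or-filter  result
set -eu

# Constructed sample. Connection 53729df6... mirrors the thread's four events;
# the other two connections are made up to show the other outcomes.
sample_ldap_log() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    2022-06-03T17:11:18+02:00 bind   0 PF 53729df6-6fe4-44a2-a4f9-10a4fc28e94e '' SUCCESS \
    2022-06-03T17:11:18+02:00 bind   1 PF 53729df6-6fe4-44a2-a4f9-10a4fc28e94e BlankDogue SUCCESS \
    2022-06-03T17:11:18+02:00 search 2 PF 53729df6-6fe4-44a2-a4f9-10a4fc28e94e '(uid=pippo.franco)' SUCCESS \
    2022-06-03T17:11:19+02:00 bind   3 PF 53729df6-6fe4-44a2-a4f9-10a4fc28e94e 'uid=pippo.franco,ou=Users,dc=school name,dc=edu,dc=it' INVALID_CREDENTIALS \
    2022-06-03T17:20:00+02:00 bind   0 PF aaaa0000-0000-0000-0000-000000000001 '' SUCCESS \
    2022-06-03T17:20:00+02:00 bind   1 PF aaaa0000-0000-0000-0000-000000000001 BlankDogue INVALID_CREDENTIALS \
    2022-06-03T17:25:00+02:00 bind   0 PF bbbb0000-0000-0000-0000-000000000002 '' SUCCESS \
    2022-06-03T17:25:00+02:00 bind   1 PF bbbb0000-0000-0000-0000-000000000002 BlankDogue SUCCESS \
    2022-06-03T17:25:00+02:00 search 2 PF bbbb0000-0000-0000-0000-000000000002 '(uid=mario.rossi)' SUCCESS \
    2022-06-03T17:25:01+02:00 bind   3 PF bbbb0000-0000-0000-0000-000000000002 'uid=mario.rossi,ou=Users,dc=school name,dc=edu,dc=it' SUCCESS
}

# triage_ldap_log [FILE]: one line per connection id: <id> TAB <verdict> TAB <detail>
# Step model taken from the thread's connection:
#   bind "" -> bind <client username> -> search (uid=login) -> bind <user DN>
# Heuristic: a bind name without "=" is the LDAP-client username, a bind name
# with "=" is the user DN that the search returned.
triage_ldap_log() {
  awk -F '\t' '
    {
      sid = $5
      if (!(sid in seen)) { seen[sid] = 1; order[++n] = sid }
      if ($2 == "bind" && $6 == "")                 anon[sid] = $7
      else if ($2 == "bind" && index($6, "=") == 0) { cbind[sid] = $7; cuser[sid] = $6 }
      else if ($2 == "bind")                        { ubind[sid] = $7; udn[sid] = $6 }
      else if ($2 == "search")                      { srch[sid] = $7; filt[sid] = $6 }
    }
    END {
      for (i = 1; i <= n; i++) {
        sid = order[i]
        if (!(sid in cbind))              v = "CLIENT_BIND_MISSING"
        else if (cbind[sid] != "SUCCESS") v = "CLIENT_CREDENTIALS_REJECTED"
        else if (!(sid in srch))          v = "NO_USER_SEARCH"
        else if (srch[sid] != "SUCCESS")  v = "SEARCH_FAILED"
        else if (!(sid in ubind))         v = "USER_NOT_FOUND"
        else if (ubind[sid] != "SUCCESS") v = "USER_PASSWORD_REJECTED"
        else                              v = "OK"
        printf "%s\t%s\tclient=%s/%s search=%s/%s user=%s/%s\n", sid, v, cuser[sid], cbind[sid], filt[sid], srch[sid], udn[sid], ubind[sid]
      }
    }
  ' "$@"
}

# verdict_for CONNECTION_ID -> the verdict for that connection in the sample log
verdict_for() {
  sample_ldap_log | triage_ldap_log | awk -F '\t' -v id="$1" '$1 == id { print $2 }'
}

# Stand-alone run: print the triage table for the sample.
sample_ldap_log | triage_ldap_log
```

USER_NOT_FOUND rests on the fact that a search returning no entry is still logged as SUCCESS: the tell is a successful search that is never followed by a user bind. For a real export, feed the mapped TSV to triage_ldap_log on stdin or as its file argument.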
