[
https://issues.apache.org/jira/browse/DIRSTUDIO-1173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16381557#comment-16381557
]
Anthony Winstanley commented on DIRSTUDIO-1173:
-----------------------------------------------
Using ldapsearch yields the following:
{code}
Frame 1: 97 bytes on wire (776 bits), 97 bytes captured (776 bits) on interface 0
Transmission Control Protocol, Src Port: 55422, Dst Port: 389, Seq: 1, Ack: 1, Len: 31
Lightweight Directory Access Protocol
    LDAPMessage extendedReq(1)
        messageID: 1
        protocolOp: extendedReq (23)
            extendedReq
                requestName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response In: 2]
Frame 2: 112 bytes on wire (896 bits), 112 bytes captured (896 bits) on interface 0
Transmission Control Protocol, Src Port: 389, Dst Port: 55422, Seq: 1, Ack: 32, Len: 46
Lightweight Directory Access Protocol
    LDAPMessage extendedResp(1)
        messageID: 1
        protocolOp: extendedResp (24)
            extendedResp
                resultCode: success (0)
                matchedDN:
                errorMessage:
                responseName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response To: 1]
        [Time: 0.000730199 seconds]
{code}
Using ADS yields something slightly different:
{code}
Frame 1: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Transmission Control Protocol, Src Port: 49906, Dst Port: 389, Seq: 1, Ack: 1, Len: 60
Lightweight Directory Access Protocol
    LDAPMessage extendedReq(1)
        messageID: 1
        protocolOp: extendedReq (23)
            extendedReq
                requestName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response In: 2]
        controls: 1 item
            Control
                controlType: 2.16.840.1.113730.3.4.2 (Manage DSA IT LDAPv3 control)
Frame 2: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) on interface 0
Transmission Control Protocol, Src Port: 389, Dst Port: 49906, Seq: 1, Ack: 61, Len: 31
Lightweight Directory Access Protocol
    LDAPMessage extendedResp(1) (STARTTLS required)
        messageID: 1
        protocolOp: extendedResp (24)
            extendedResp
                resultCode: inappropriateAuthentication (48)
                matchedDN:
                errorMessage: STARTTLS required
        [Response To: 1]
        [Time: 0.016039000 seconds]
{code}
What's with the LDAP control that ADS is using?
(I hope this is enough of the capture... I tried 3 different trace anonymisers
before giving up and summarizing...)
> StartTLS fails when required by LDAP service
> --------------------------------------------
>
> Key: DIRSTUDIO-1173
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1173
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0-M13
> Environment: Windows 10 Pro 64bit
> Reporter: Anthony Winstanley
> Priority: Major
>
> We have 389-ds sitting behind an f5 load balancer. The load balancer requires
> connections on port 389 to use StartTLS. It makes connections to the 389-ds
> servers on port 389 using StartTLS.
> If I connect directly to port 389 on a 389-ds server with "Use StartTLS
> extension", the connection is fine. If I change the hostname of this
> connection to the load-balanced hostname, I get:
> "The connection failed - [LDAP: error code 48 - STARTTLS required]"
> However, ldapsearch successfully makes STARTTLS connections through the load
> balancer like:
> ldapsearch -x -H ldap://lbhost.example.com -ZZ
>
>
> My guess is that ADS is not activating StartTLS soon enough when connecting
> to port 389... which is fine if the connection doesn't require the use of
> StartTLS, but unworkable when it does.
> Of course, I'm hoping this is an easy fix...
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
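The two captures in the comment differ in exactly one element: the StartTLS ExtendedRequest sent by Directory Studio carries a `controls` element with the ManageDsaIT control (2.16.840.1.113730.3.4.2), while the one sent by `ldapsearch -ZZ` carries none. The following Python 3 script is an added example, not code from Directory Studio, 389-ds, F5 or the reporter. It encodes and decodes the LDAPMessages involved directly from the ASN.1 in RFC 4511, reproduces the 31-byte and 60-byte requests and the 31-byte "STARTTLS required" response seen in the dissections (the byte strings are constructed here, not extracted from the original trace), and reports which controls a captured StartTLS request carries, which is the check an operator would run on their own capture to confirm what a client puts on the wire before TLS starts. Whether that control is what the load balancer objects to is the ticket's open question; the code only makes the difference visible.

```python
"""Minimal BER encoder/decoder for the LDAP StartTLS exchange (RFC 4511).

Added example for the DIRSTUDIO-1173 captures; not Directory Studio or
389-ds code. Sample messages are constructed from the Wireshark output.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
MANAGE_DSA_IT_OID = "2.16.840.1.113730.3.4.2"

# BER tags from the LDAP ASN.1 module (RFC 4511, Appendix B)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQ = 0x77   # [APPLICATION 23] constructed
TAG_EXTENDED_RESP = 0x78  # [APPLICATION 24] constructed
TAG_CONTROLS = 0xA0       # [0] constructed, last element of LDAPMessage
TAG_REQUEST_NAME = 0x80   # [0] primitive, inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A  # [10] primitive, inside ExtendedResponse


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode tag + definite length (short or long form) + content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _integer(value: int) -> bytes:
    # Non-negative values only, which covers message IDs and result codes.
    return _tlv(TAG_INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_starttls_request(message_id: int = 1, controls=()) -> bytes:
    """LDAPMessage { messageID, extendedReq { requestName StartTLS }, controls OPTIONAL }."""
    ext = _tlv(TAG_EXTENDED_REQ, _tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    body = _integer(message_id) + ext
    if controls:
        # Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE }
        # criticality is omitted (FALSE), which matches the 60-byte length in the capture.
        ctls = b"".join(_tlv(TAG_SEQUENCE, _tlv(TAG_OCTET_STRING, oid.encode("ascii")))
                        for oid in controls)
        body += _tlv(TAG_CONTROLS, ctls)
    return _tlv(TAG_SEQUENCE, body)


def encode_extended_response(message_id: int, result_code: int,
                             error_message: str = "", response_name: str = None) -> bytes:
    """LDAPMessage { messageID, extendedResp { LDAPResult, responseName OPTIONAL } }."""
    body = (_tlv(TAG_ENUMERATED, bytes([result_code]))
            + _tlv(TAG_OCTET_STRING, b"")                      # matchedDN, empty
            + _tlv(TAG_OCTET_STRING, error_message.encode()))  # diagnosticMessage
    if response_name:
        body += _tlv(TAG_RESPONSE_NAME, response_name.encode("ascii"))
    return _tlv(TAG_SEQUENCE, _integer(message_id) + _tlv(TAG_EXTENDED_RESP, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); accepts long-form lengths (e.g. 0x84 xx xx xx xx)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized BER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _read_all(content: bytes):
    """Split a constructed element's content into a list of (tag, content) pairs."""
    pos, items = 0, []
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        items.append((tag, val))
    return items


def decode_ldap_message(buf: bytes) -> dict:
    """Decode one LDAPMessage holding an extendedReq or extendedResp."""
    tag, content, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    items = _read_all(content)
    msg = {"messageID": int.from_bytes(items[0][1], "big"), "controls": []}
    op_tag, op = items[1]
    if op_tag == TAG_EXTENDED_REQ:
        msg["op"] = "extendedReq"
        msg["requestName"] = next(v.decode("ascii") for t, v in _read_all(op) if t == TAG_REQUEST_NAME)
    elif op_tag == TAG_EXTENDED_RESP:
        fields = _read_all(op)
        msg.update(op="extendedResp", resultCode=int.from_bytes(fields[0][1], "big"),
                   matchedDN=fields[1][1].decode(), errorMessage=fields[2][1].decode())
        for t, v in fields[3:]:
            if t == TAG_RESPONSE_NAME:
                msg["responseName"] = v.decode("ascii")
    else:
        msg["op"] = "other(0x%02x)" % op_tag
    for t, v in items[2:]:
        if t == TAG_CONTROLS:                       # each Control is a SEQUENCE; OID comes first
            msg["controls"] += [_read_all(ctl)[0][1].decode("ascii") for _, ctl in _read_all(v)]
    return msg


def starttls_request_controls(buf: bytes):
    """Control OIDs attached to a StartTLS request ([] for a clean one, None if not StartTLS)."""
    msg = decode_ldap_message(buf)
    if msg["op"] == "extendedReq" and msg["requestName"] == STARTTLS_OID:
        return msg["controls"]
    return None


if __name__ == "__main__":
    plain = encode_starttls_request()                                  # ldapsearch -ZZ: 31 bytes
    with_ctl = encode_starttls_request(controls=[MANAGE_DSA_IT_OID])  # ADS: 60 bytes
    for b in (plain, with_ctl):
        print(len(b), "bytes, controls:", starttls_request_controls(b))
    print(decode_ldap_message(encode_extended_response(1, 48, "STARTTLS required")))
```

The decoder accepts long-form BER lengths because some servers emit them for the outer SEQUENCEs even when the short form would fit, so the same function can be pointed at raw TCP payloads from a capture; `starttls_request_controls` is the one-line check that distinguishes the two clients in the comment.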