[https://issues.apache.org/jira/browse/DIRSTUDIO-1173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16382153#comment-16382153]
Anthony Winstanley commented on DIRSTUDIO-1173:
-----------------------------------------------
The "Use ManageDsaIT control while browsing" Control is unselected.
I did some more testing.
We typically use the JNDI Provider as our backend is 389-ds, not Apache
Directory. However, if I use the "Apache Directory LDAP Client API" Provider
instead of JNDI, it works! And wireshark shows that ADS is using
LDAP_START_TLS_OID without the extra control. Furthermore, while using "Apache
Directory LDAP Client API", I can toggle "Use ManageDsaIT control while
browsing", and the connection is successful with either setting.
So, what might the difference be between the two providers?
(By the way, we switched to JNDI because we were experiencing hanging on
connect with "Apache Directory LDAP Client API". Don't know if this would still
be a problem, but I will try using the latter.)
> StartTLS fails when required by LDAP service
> --------------------------------------------
>
> Key: DIRSTUDIO-1173
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1173
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 2.0.0-M13
> Environment: Windows 10 Pro 64bit
> Reporter: Anthony Winstanley
> Priority: Major
>
> We have 389-ds sitting behind an f5 load balancer. The load balancer requires
> connections on port 389 to use StartTLS. It makes connections to the 389-ds
> servers on port 389 using StartTLS.
> If I connect directly to port 389 on a 389-ds server with "Use StartTLS
> extension", the connection is fine. If I change the hostname of this
> connection to the load-balanced hostname, I get:
> "The connection failed - [LDAP: error code 48 - STARTTLS required]"
> However, ldapsearch successfully makes STARTTLS connections through the load
> balancer like:
> ldapsearch -x -H ldap://lbhost.example.com -ZZ
>
>
> My guess is that ADS is not activating StartTLS soon enough when connecting
> to port 389... which is fine if the connection doesn't require the use of
> StartTLS, but unworkable when it does.
> Of course, I'm hoping this is an easy fix...
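The ordering the report is guessing at, shown as an added example that is not Directory Studio's, JNDI's or 389-ds's code: a stdlib-only Python encoder/decoder for the StartTLS ExtendedRequest (the LDAP_START_TLS_OID mentioned in the comment) and the LDAPResult that comes back, plus a handshake helper that only proceeds to a bind after the StartTLS response reports success. The `send`, `recv` and `wrap_tls` callables and the server replies are constructed stand-ins, not captured traffic.

```python
# Minimal LDAP StartTLS exchange, BER-encoded per RFC 4511, standard library only.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP_START_TLS_OID from the comment
CONFIDENTIALITY_REQUIRED = 48                 # resultCode behind "error code 48 - STARTTLS required"

def ber_len(n):
    """Encode a BER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def start_tls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = tlv(0x77, tlv(0x80, START_TLS_OID))          # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)

def ldap_result_message(message_id, op_tag, result_code, diagnostic=b""):
    """Constructed server reply: an LDAPResult wrapped in the given protocolOp tag."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(op_tag, body))

def parse_ldap_result(msg):
    """Decode messageID, protocolOp tag, resultCode and diagnosticMessage."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    _, code, pos = read_tlv(op)
    _, _, pos = read_tlv(op, pos)                       # matchedDN, not needed here
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
            "result_code": int.from_bytes(code, "big"), "diagnostic": diag.decode()}

def start_tls_handshake(send, recv, wrap_tls):
    """Correct order on port 389: StartTLS first, upgrade the socket, only then bind.
    send/recv/wrap_tls are injected callables (assumed) so the flow runs offline."""
    send(start_tls_request(1))
    reply = parse_ldap_result(recv())
    if reply["op_tag"] != 0x78 or reply["result_code"] != 0:   # 0x78 = ExtendedResponse
        return "start_tls_rejected", reply
    wrap_tls()                                          # TLS handshake before any bind is sent
    return "ready_to_bind_over_tls", reply
```

A client that sends its bind before this exchange completes is exactly what a StartTLS-enforcing front end answers with resultCode 48.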
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)