Issue #717 has been reported by Francesco Malvezzi.
----------------------------------------
Bug #717: StartTLS ignored
http://tools.lsc-project.org/issues/717
Author: Francesco Malvezzi
Status: New
Priority: Normal
Assigned to:
Category: Core
Target version:
Problem in version: 2.1.1
The switch tlsActivated is ignored.
In order to enable it, add the following lines at org.lsc.jndi.JndiServices line 410:
    // propagate the tlsActivated switch from the connection settings into props
    if(connection.isTlsActivated() != null) {
        LOGGER.info("is TlsActivated? " + connection.isTlsActivated());
        props.setProperty("java.naming.tls",
            Boolean.toString(connection.isTlsActivated()));
    }
but after that, I see:
ago 08 16:08:17 - INFO - Connecting to LDAP server ldap://ldap2.example.org:389/dc=example,dc=org as cn=provisionator,ou=agents,dc=example,dc=org with STARTTLS extended operation
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:18 - DEBUG - Sending request
MessageType : BIND_REQUEST
Message ID : 1
BindRequest
Version : '3'
Name : 'cn=provisionator,ou=agents,dc=example,dc=org'
Simple authentication : 'secret/0x47 0x55 0x65 0x45 0x6D 0x4E 0x32 0x72 '
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - -------> MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : ''
Message received <-------
Note the expected "with STARTTLS extended operation".
Unfortunately something is still wrong:
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug 8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
francesco@b1:~$ sudo grep 'conn=4282642' /var/log/ldap.log
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
As you can read from the slapd log, LSC creates a start_tls session, drops it, then
starts a cleartext (no SSL, no TLS) connection which fails due to the access
control list of OpenLDAP.
Hope it helps,
Francesco
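The pattern in the report (a STARTTLS session that is abandoned, followed by a simple bind with a DN and password on a fresh cleartext connection) is something a directory administrator can detect server-side from slapd's own log, independent of which client misbehaves. The following is an added example, not code from the bug report or from LSC: it correlates slapd "stats" log lines by their conn= id, remembers whether "TLS established" was logged on each connection, and flags any simple bind (method=128) with a non-empty DN that arrives before TLS. It assumes the default OpenLDAP log format quoted above; SAMPLE_LOG is constructed from the report's two connections, with the lines the mail client wrapped joined back together.

```python
"""Flag simple LDAP binds that reach slapd without TLS, by correlating conn= ids.

Added example, not part of the bug report or of LSC. Assumes OpenLDAP's default
"stats" log format. SAMPLE_LOG is constructed from the two connections shown in
the report (wrapped lines re-joined).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug 8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+)')
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 is a BindResponse


def parse_connections(log_text):
    """Group the per-connection part of each slapd line by conn= id, in log order."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)].append(m.group(2))
    return conns


def analyze(log_text):
    """Return a list of findings, one dict per suspicious connection event.

    cleartext_simple_bind: a simple bind with a DN (password on the wire) was
        received before slapd logged "TLS established" on that connection.
    starttls_then_no_bind: TLS was established but the client never bound,
        the abandoned-STARTTLS half of the pattern in the report.
    """
    findings = []
    for conn_id, events in parse_connections(log_text).items():
        tls_ssf = 0        # stays 0 until "TLS established" is seen on this connection
        saw_bind = False
        pending = {}       # op number -> finding still waiting for its RESULT line
        for ev in events:
            m = TLS_RE.search(ev)
            if m:
                tls_ssf = int(m.group(1))
                continue
            m = BIND_RE.search(ev)
            if m:
                saw_bind = True
                op, dn, method = m.group(1), m.group(2), int(m.group(3))
                # method=128 is a simple bind; an empty DN is anonymous, so no secret is exposed
                if method == 128 and dn and tls_ssf == 0:
                    finding = {"conn": conn_id, "finding": "cleartext_simple_bind",
                               "dn": dn, "err": None}
                    findings.append(finding)
                    pending[op] = finding
                continue
            m = RESULT_RE.search(ev)
            if m and m.group(1) in pending:
                # record how slapd answered the cleartext bind (err=49 in the report)
                pending.pop(m.group(1))["err"] = int(m.group(2))
        if tls_ssf > 0 and not saw_bind:
            findings.append({"conn": conn_id, "finding": "starttls_then_no_bind",
                             "tls_ssf": tls_ssf})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against a real /var/log/ldap.log, the cleartext_simple_bind finding is the one worth alerting on: even when the ACL rejects the bind, as it did here, the password has already crossed the network in the clear. The starttls_then_no_bind finding on its own is only a hint, but the pair on consecutive connections from the same IP is exactly the LSC behaviour the report describes.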
--
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-dev mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-dev