Did you solve your problem? I don't get the whole thing to run.

Are you really able to use *ldaps* in the connectionURL? On my system I get the following error:
"LifecycleException: Exception opening directory server connection: javax.naming.NamingException: Cannot parse url: ldaps://localhost:636 [Root exception is java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]"


If I just use ldap://localhost:636 I get this:
"LifecycleException: Exception opening directory server connection: javax.naming.CommunicationException: Request: 1 cancelled"


Neither really helps defend against network sniffers stealing user data.

Hayo Schmidt


Chris Egolf wrote:


Does anyone have any experience getting ldaps working w/ the JNDIRealm in Tomcat 4.1.24? Regular LDAP is working fine, but when I change the connection URL to ldaps://<ldap-host>:636 I get the following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]



My Realm element in server.xml:


<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
resourceName="UserDatabase"
connectionURL="ldaps://10.1.1.50:636"
connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
connectionPassword="password"
userBase="o=MyCompany"
userSearch="(&amp;(cn={0})(objectClass=inetOrgPerson))"
userSubtree="true"
roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
roleSearch="(uniqueMember={0})"
roleName="cn"
/>



Like I said, this works if connectionURL="ldap://10.1.1.50:389". I can connect to the LDAP server (Novell eDirectory) via SSL using a Java browser if I accept the certificate, so I wonder if that might have something to do with it.


I've also successfully followed the Config-SSL-HOWTO, accepted the certificate from the server and setup the keystore for the connector as described, but I get the feeling that this is strictly for enabling SSL over HTTP.

Thanks in advance.

Chris







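The three failures in this thread (the "No trusted certificate found" handshake error, the "Not an LDAP URL" parse error, and the cancelled request when plain ldap:// is pointed at port 636) can be reproduced and told apart outside Tomcat. The program below is an added example, not code from the thread or from Tomcat's JNDIRealm; it performs the same simple bind JNDIRealm does with connectionName/connectionPassword, selects the JVM truststore that outbound LDAPS actually relies on (the Connector keystore from the Config-SSL-HOWTO only serves inbound HTTPS), and names the fault a failure usually indicates. The class name LdapsBindCheck, the argument order, and the truststore path are assumptions.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsBindCheck {
    // Trust for an outbound LDAPS connection comes from the JVM truststore selected here; it must
    // contain the directory server's CA certificate (imported with keytool -importcert).
    static void useTrustStore(String path, String password) {
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStorePassword", password);
    }

    // The same simple bind JNDIRealm performs with connectionName / connectionPassword.
    static DirContext bind(String url, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. ldaps://10.1.1.50:636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    // Walks the cause chain of a failed bind and names the fault it usually indicates.
    static String diagnose(NamingException e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof javax.net.ssl.SSLException || t instanceof java.security.cert.CertificateException) {
                return "TLS handshake rejected the server certificate: the directory's CA is not in the JVM truststore";
            }
            if (t instanceof java.net.MalformedURLException) {
                return "this JNDI provider rejects the ldaps scheme: try ldap://host:636 with java.naming.security.protocol=ssl";
            }
        }
        if (e instanceof CommunicationException) {
            return "no TLS error at all: check that the port speaks the protocol the URL names (plain ldap:// to a TLS-only port)";
        }
        return "bind failed: " + e;
    }

    public static void main(String[] args) {
        // args (assumed order): url bindDn bindPassword truststorePath truststorePassword
        useTrustStore(args[3], args[4]);
        try {
            bind(args[0], args[1], args[2]).close();
            System.out.println("bind OK over " + args[0]);
        } catch (NamingException e) {
            System.out.println(diagnose(e));
        }
    }
}
```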


