Re: JNDI: LDAPv3 with StartTLS

Sun, 15 Aug 2010 10:40:40 -0700 

Am Sonntag, den 15.08.2010, 14:14 +0000 schrieb Igor Galić:
> Hi folks,
> 
> I'm running Hudson in Tomcat 6.0.29 on Debian/Squeeze/amd64 with 
> 
> i.ga...@pheme /opt/tomcat6 % java -version
> java version "1.6.0_18"
> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-1)
> OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
> 
> I'm starting the server with:
> CATALINA_OPTS-"-Djava.awt.headless=true -Djavax.net.debug=ssl:handshake 
> -DHUDSON_HOME=${CATALINA_HOME}/webapps/hudson -Xmx512m"
> 
> In server.xml's Engine context there is a single JNDI Realm configured:
> 
>         <Engine name="Catalina" defaultHost="localhost">
> 
>                 <Realm className="org.apache.catalina.realm.JNDIRealm"
>                         connectionURL="ldap://mail.brainsware.org:389/";
>                         alternateURL="ldap://mail.esotericsystems.at:389";
>                         commonRole="admin" connectionName="uid=whatever" 
> connectionPassword="securityisgreat."
>                         userBase="ou=people,dc=brainsware,dc=org" 
> userPattern="(uid={0})(postOfficeBox=internal_projects)"
>                         userSearch="(uid={0})" />
> 
> The LDAP server I'm connecting to is Zimbra (OpenLDAP), and requires 
> StartTLS. It has a valid Certificate, signed by Go Daddy.
> I've made sure that all parts of Go Daddy's chain are in the JVM's cacerts.
> 
> When starting the server, I see this in the log:
> 
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
> Aug 15, 2010 2:04:18 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - 
> confidentiality required]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>         at 
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at 
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>         at javax.naming.InitialContext.init(InitialContext.java:240)
>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
>         at 
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954)
>         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045)
>         at 
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>         at 
> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>         at 
> org.apache.catalina.core.StandardService.start(StandardService.java:519)
>         at 
> org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> 
> 
> I've traced the operation with wireshark only to find it's not even trying to 
> do any kind of SASL negotiation.
> That seems weird, since:
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm
> suggests it should be doing that by default.
If I read
http://java.sun.com/products/jndi/tutorial/ldap/ext/starttls.html
correctly, I would say, that you have to tell ldapclient explicitly to
use tls, which the jndirealm does not.

Bye
 Felix

> 
> I'm out ideas now. and welcome any advise you can offer.
> 
> So long o/~
> -- 
> Igor Galić
> 
> Tel: +43 (0) 664 886 22 883
> Mail: i.ga...@brainsware.org
> URL: http://brainsware.org/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to