On Sunday, 15.08.2010, 14:14 +0000, Igor Galić wrote:
> Hi folks,
>
> I'm running Hudson in Tomcat 6.0.29 on Debian/Squeeze/amd64 with
>
> i.ga...@pheme /opt/tomcat6 % java -version
> java version "1.6.0_18"
> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-1)
> OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
>
> I'm starting the server with:
> CATALINA_OPTS="-Djava.awt.headless=true -Djavax.net.debug=ssl:handshake
> -DHUDSON_HOME=${CATALINA_HOME}/webapps/hudson -Xmx512m"
>
> In server.xml's Engine context there is a single JNDI Realm configured:
>
> <Engine name="Catalina" defaultHost="localhost">
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://mail.brainsware.org:389/"
>        alternateURL="ldap://mail.esotericsystems.at:389"
>        commonRole="admin" connectionName="uid=whatever"
>        connectionPassword="securityisgreat."
>        userBase="ou=people,dc=brainsware,dc=org"
>        userPattern="(uid={0})(postOfficeBox=internal_projects)"
>        userSearch="(uid={0})" />
>
> The LDAP server I'm connecting to is Zimbra (OpenLDAP), and requires
> StartTLS. It has a valid Certificate, signed by Go Daddy.
> I've made sure that all parts of Go Daddy's chain are in the JVM's cacerts.
>
> When starting the server, I see this in the log:
>
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
> Aug 15, 2010 2:04:18 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>     at javax.naming.InitialContext.init(InitialContext.java:240)
>     at javax.naming.InitialContext.<init>(InitialContext.java:214)
>     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>     at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954)
>     at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045)
>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:519)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:616)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> I've traced the operation with wireshark only to find it's not even trying to
> do any kind of SASL negotiation.
> That seems weird, since:
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm
> suggests it should be doing that by default.

If I read http://java.sun.com/products/jndi/tutorial/ldap/ext/starttls.html
correctly, I would say that you have to tell ldapclient explicitly to use
tls, which the jndirealm does not.

Bye
Felix

> I'm out of ideas now, and welcome any advice you can offer.
>
> So long o/~
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.ga...@brainsware.org
> URL: http://brainsware.org/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
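Added illustration of Felix's point, not code from either poster or from Tomcat: with Sun's JNDI LDAP provider, StartTLS is an explicit extended operation the client must issue before it binds, which is why a realm that just hands over credentials at context creation gets "error code 13 - confidentiality required". Host name, bind DN, password and search base below are hypothetical placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class StartTlsBind {
    // Hypothetical placeholders; the real values live in server.xml.
    static final String URL = "ldap://ldap.example.org:389/";
    static final String BIND_DN = "uid=whatever,ou=people,dc=example,dc=org";
    static final String BIND_PW = "placeholder-password";
    static final String USER_BASE = "ou=people,dc=example,dc=org";

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // No SECURITY_* properties yet: with them present the provider would
        // simple-bind in the clear while creating the context, which is the
        // bind the server refuses with "error code 13 - confidentiality required".
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Ask for StartTLS explicitly; JNDI never does this on its own.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() runs the TLS handshake with the JVM's default trust
            // store (cacerts) and, unless a HostnameVerifier is installed,
            // checks that the certificate matches the host in PROVIDER_URL.
            tls.negotiate();
            // Only now supply credentials, so the bind travels inside TLS.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, BIND_PW);
            ctx.reconnect(null); // force the bind with the new environment

            // The same lookup JNDIRealm's userSearch="(uid={0})" performs.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});
            System.out.println(ctx.search(USER_BASE, "(uid={0})",
                    new Object[] {"someuser"}, sc).hasMore());
        } finally {
            if (tls != null) tls.close(); // ends TLS; the LDAP session stays open
            ctx.close();
        }
    }
}
```

The alternative that needs no extended operation is an ldaps:// URL with Context.SECURITY_PROTOCOL set to "ssl", which encrypts from the first byte and is what a realm lacking StartTLS support should be pointed at.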