Reading your original request, you're using an external certificate to go 
against your LDAP server, right?

If so, you might try using Felix's code, and then adding 
authentication="EXTERNAL" to the Realm configuration.

Your JNDIRealm configuration would then end up looking like:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://mail.brainsware.org:389/"
       alternateURL="ldap://mail.esotericsystems.at:389"
       commonRole="admin"
       connectionName="uid=whatever"
       connectionPassword="securityisgreat."
       userBase="ou=people,dc=brainsware,dc=org"
       userPattern="(uid={0})(postOfficeBox=internal_projects)"
       startTLS="true"
       authentication="EXTERNAL"
       userSearch="(uid={0})" />

That is, if I'm reading the StartTLS tutorial, Realm configuration docs, and 
org.apache.catalina.realm.JNDIRealm.java code correctly . . .

Another approach to using Felix's code is to create a separate class, put it in
a jar, and then add that jar to $CATALINA_HOME/lib. You'll have to add an
MBeans descriptor as well. How to do all that is documented:

(Realm) http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Overview
(MBeans) http://tomcat.apache.org/tomcat-6.0-doc/mbeans-descriptor-howto.html

That way you'll have a generic Tomcat instead of a patched version.

. . . just my two cents

/mde/
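
The ordering that mde's suggestion (StartTLS first, then authentication="EXTERNAL" or a simple bind) depends on, as an added example that is not part of this thread and not Tomcat's JNDIRealm code. It uses only the standard JNDI LDAP API (javax.naming.ldap.StartTlsRequest/StartTlsResponse); the class name StartTlsLdapSession and its parameters are this example's own. The context is created with no credentials, TLS is negotiated on the open socket, and only then are the bind settings applied and the bind forced. Creating the context with connectionName/connectionPassword already set makes the provider send a plaintext simple bind during construction, which is the sequence the tshark capture quoted further down shows and which a server requiring confidentiality answers with result code 13.

```java
// Added example, not code from this thread or from Tomcat's JNDIRealm.
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** An LDAP connection upgraded with StartTLS before any bind is sent. */
public class StartTlsLdapSession implements AutoCloseable {

    private final LdapContext ctx;
    private final StartTlsResponse tls;

    private StartTlsLdapSession(LdapContext ctx, StartTlsResponse tls) {
        this.ctx = ctx;
        this.tls = tls;
    }

    /**
     * @param url      an ldap:// URL on the plain port (not ldaps://)
     * @param bindDn   DN for a simple bind, or null to authenticate with SASL EXTERNAL
     * @param password password for the simple bind; ignored when bindDn is null
     */
    public static StartTlsLdapSession open(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // "none": no bind request is issued while the context is created.
        // With SECURITY_PRINCIPAL/SECURITY_CREDENTIALS set here instead, the
        // provider would bind in cleartext before TLS exists.
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // StartTLS extended operation, then the TLS handshake on the same
            // socket. negotiate() with no arguments uses the default
            // SSLSocketFactory and checks the certificate against the URL host.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();

            if (bindDn != null) {
                // Simple bind, now carried inside the TLS session.
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
                ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            } else {
                // SASL EXTERNAL: the server maps the client certificate sent in
                // the handshake to an identity. That certificate comes from the
                // key store named by the javax.net.ssl.keyStore system properties
                // (or from a custom SSLSocketFactory passed to negotiate()).
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
            }
            // Environment changes apply on the next request; reconnect(null)
            // performs the bind now so a failure surfaces here, not later.
            ctx.reconnect(null);
            return new StartTlsLdapSession(ctx, tls);
        } catch (NamingException | IOException e) {
            if (tls != null) {
                tls.close();
            }
            ctx.close();
            throw e;
        }
    }

    public LdapContext context() {
        return ctx;
    }

    /** Shut TLS down before closing the context, the reverse of setup order. */
    @Override
    public void close() throws NamingException, IOException {
        try {
            tls.close();
        } finally {
            ctx.close();
        }
    }
}
```

With this ordering a capture of the connection shows an extendedReq for StartTLS and the TLS handshake before any bindRequest; the bind itself is no longer visible on the wire. negotiate() refuses a server certificate whose name does not match the host in the URL, so a realm pointed at an IP address or an alias not in the certificate fails at that step rather than silently downgrading.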



----- Original Message ----
From: Igor Galić <i.ga...@brainsware.org>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Sun, August 15, 2010 12:10:56 PM
Subject: Re: JNDI: LDAPv3 with StartTLS


> If you are feeling lucky and are willing to compile tomcat yourself,
> you
> can try the attached diff. I haven't tested it, since I don't have an
> ldap server around at the moment.
> 
> You have to extend the realm configuration with
>   <Realm ...
>      startTLS="true"
>    ... />

Hi Felix,

thanks for quick work!

I've checked out the 6.0 branch, applied the patch, compiled it and ran it with
+               <Realm className="org.apache.catalina.realm.JNDIRealm"
+                       connectionURL="ldap://mail.brainsware.org:389/";
+                       alternateURL="ldap://mail.esotericsystems.at:389";
+                       commonRole="admin" connectionName="uid=whatever" 
connectionPassword="securityisgreat."
+                       userBase="ou=people,dc=brainsware,dc=org" 
userPattern="(uid={0})(postOfficeBox=internal_projects)"
+                       startTLS="true"
+                       userSearch="(uid={0})" />
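Review bot: the `;` after the closing quote on the connectionURL and alternateURL lines is not valid attribute syntax; if it is really in server.xml rather than a mail-client artifact, Tomcat's XML parser will reject the Realm element before the realm ever starts. The larger problem for the error reported in this mail is ordering: with connectionName and connectionPassword set, the realm's first action on open() is a simple bind, and the capture below shows that bind leaving as `bindRequest(1) "uid=whatever" simple` with no StartTLS extended request ahead of it, which is exactly what the server's "confidentiality required" response refuses. The startTLS="true" handling therefore has to negotiate TLS on the freshly opened, credential-free context and only then apply the bind settings; changing the attributes alone cannot fix that sequence.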

(I have my config files in subversion, this is svn diff)

But the log output:
INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev
Aug 15, 2010 7:06:02 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1981)
        at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2086)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)


And the wireshark scan:

r...@iris ~ # tshark  host 188.40.115.116 
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1143986316 TSER=0 WS=7
  0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=52538737 TSER=1143986316 WS=7
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1143986316 TSER=52538737
  0.000000 188.40.115.116 -> 188.40.115.121 LDAP bindRequest(1) "uid=whatever" simple
  0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [ACK] Seq=1 Ack=54 Win=5888 Len=0 TSV=52538737 TSER=1143986316
  0.004000 188.40.115.121 -> 188.40.115.116 LDAP bindResponse(1) confidentialityRequired (confidentiality required)
  0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986316 TSER=52538738
  0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [FIN, ACK] Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986317 TSER=52538738
  0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [FIN, ACK] Seq=39 Ack=55 Win=5888 Len=0 TSV=52538738 TSER=1143986317
  0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=55 Ack=40 Win=5888 Len=0 TSV=1143986317 TSER=52538738

Suggest no change at this point.

(Btw, it doesn't matter which JDK I use)

> HTH
>  Felix

Bye,
i
-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
