Ok, my patch will not work, since new InitialDirContext(env) will not create a LdapContext, but a DirContext. You could try to change new InitialDirContext(env) into InitalLdapContext(env, null) as used in the sun startssl example.
I will test it tomorrow. But it may be easier to allow ssl with your ldap config :) Bye Felix Am Sonntag, den 15.08.2010, 19:10 +0000 schrieb Igor Galić: > > If you are feeling lucky and are willing to compile tomcat yourself, > > you > > can try the attached diff. I haven't tested it, since I don't have an > > ldap server around at the moment. > > > > You have to extend the realm configuration with > > <Realm ... > > startTLS="true" > > ... /> > > Hi Felix, > > thanks for quick work! > > I've checked out the 6.0 branch, applied the patch, compiled it and run it > with > + <Realm className="org.apache.catalina.realm.JNDIRealm" > + connectionURL="ldap://mail.brainsware.org:389/"; > + alternateURL="ldap://mail.esotericsystems.at:389"; > + commonRole="admin" connectionName="uid=whatever" > connectionPassword="securityisgreat." > + userBase="ou=people,dc=brainsware,dc=org" > userPattern="(uid={0})(postOfficeBox=internal_projects)" > + startTLS="true" > + userSearch="(uid={0})" /> > > (I have my config files in subversion, this is svn diff) > > But the logoutput: > INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev > Aug 15, 2010 7:06:02 PM org.apache.catalina.realm.JNDIRealm open > WARNING: Exception performing authentication > javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - > confidentiality required] > at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032) > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987) > at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) > at > com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) > at > com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) > at > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) > at > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) > at javax.naming.InitialContext.init(InitialContext.java:223) > at javax.naming.InitialContext.<init>(InitialContext.java:197) > at > javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82) > at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1981) > at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2086) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445) > at > org.apache.catalina.core.StandardService.start(StandardService.java:519) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > at org.apache.catalina.startup.Catalina.start(Catalina.java:581) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > > > And the wireshark scan: > > r...@iris ~ # tshark host 188.40.115.116 > Running as user "root" and group "root". This could be dangerous. > Capturing on eth0 > 0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [SYN] Seq=0 > Win=5840 Len=0 MSS=1460 TSV=1143986316 TSER=0 WS=7 > 0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [SYN, ACK] Seq=0 > Ack=1 Win=5792 Len=0 MSS=1460 TSV=52538737 TSER=1143986316 WS=7 > 0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=1 > Ack=1 Win=5888 Len=0 TSV=1143986316 TSER=52538737 > 0.000000 188.40.115.116 -> 188.40.115.121 LDAP bindRequest(1) > "uid=whatever" simple > 0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [ACK] Seq=1 > Ack=54 Win=5888 Len=0 TSV=52538737 TSER=1143986316 > 0.004000 188.40.115.121 -> 188.40.115.116 LDAP bindResponse(1) > confidentialityRequired (confidentiality required) > 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=54 > Ack=39 Win=5888 Len=0 TSV=1143986316 TSER=52538738 > 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [FIN, ACK] > Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986317 TSER=52538738 > 0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [FIN, ACK] > Seq=39 Ack=55 Win=5888 Len=0 TSV=52538738 TSER=1143986317 > 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=55 > Ack=40 Win=5888 Len=0 TSV=1143986317 TSER=52538738 > > Suggest no change at this point. > > (Btw, it doesn't matter which JDK I use) > > > HTH > > Felix > > Bye, > i --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
