----- "Mark Eggers" <[email protected]> wrote:
> Reading your original request, you're using an external certificate to go
> against your LDAP server, right?
>
> If so, you might try using Felix's code, and then adding
> authentication="EXTERNAL" to the Realm configuration.
>
> Your JNDIRealm configuration would then end up looking like:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://mail.brainsware.org:389/"
> alternateURL="ldap://mail.esotericsystems.at:389"
> commonRole="admin"
> connectionName="uid=whatever"
> connectionPassword="securityisgreat."
> userBase="ou=people,dc=brainsware,dc=org"
> userPattern="(uid={0})(postOfficeBox=internal_projects)"
> startTLS="true"
> authentication="EXTERNAL"
> userSearch="(uid={0})" />
>
> That is, if I'm reading the StartTLS tutorial, Realm configuration docs,
> and org.apache.catalina.realm.JNDIRealm.java code correctly . . .
Doing that gets us a step closer:
INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev
Aug 15, 2010 9:07:17 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 - SASL(-4): no mechanism available: ]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at javax.naming.InitialContext.init(InitialContext.java:240)
    at javax.naming.InitialContext.<init>(InitialContext.java:214)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
    at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1981)
    at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2086)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Aug 15, 2010 9:07:17 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: Exception opening directory server connection: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 - SASL(-4): no mechanism available: ]
    at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2088)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Aug 15, 2010 9:07:17 PM org.apache.catalina.startup.Catalina start
This, and wireshark:
r...@iris ~ # tshark host 188.40.115.116
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 46674 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1145805160 TSER=0 WS=7
  0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 46674 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=54357595 TSER=1145805160 WS=7
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 46674 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1145805161 TSER=54357595
  0.044000 188.40.115.116 -> 188.40.115.121 LDAP bindRequest(1) "<ROOT>" [Malformed Packet]
  0.044000 188.40.115.121 -> 188.40.115.116 TCP ldap > 46674 [ACK] Seq=1 Ack=27 Win=5888 Len=0 TSV=54357606 TSER=1145805171
  0.044000 188.40.115.121 -> 188.40.115.116 LDAP bindResponse(1) authMethodNotSupported (SASL(-4): no mechanism available: )
  0.044000 188.40.115.116 -> 188.40.115.121 TCP 46674 > ldap [ACK] Seq=27 Ack=49 Win=5888 Len=0 TSV=1145805171 TSER=54357606
  0.044000 188.40.115.116 -> 188.40.115.121 TCP 46674 > ldap [FIN, ACK] Seq=27 Ack=49 Win=5888 Len=0 TSV=1145805171 TSER=54357606
  0.044000 188.40.115.121 -> 188.40.115.116 TCP ldap > 46674 [FIN, ACK] Seq=49 Ack=28 Win=5888 Len=0 TSV=54357606 TSER=1145805171
  0.044000 188.40.115.116 -> 188.40.115.121 TCP 46674 > ldap [ACK] Seq=28 Ack=50 Win=5888 Len=0 TSV=1145805171 TSER=54357606
Suggests that we're now really trying to do SASL Authentication.
I'll try the suggestions in his other email, and see how far that gets me.
> Another approach to using Felix's code is to create a separate class, put
> it in a jar, and then add that jar to $CATALINA_HOME/lib. You'll have to
> add an MBeans descriptor as well. How to do all that is documented:
>
> (Realm) http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Overview
> (MBeans) http://tomcat.apache.org/tomcat-6.0-doc/mbeans-descriptor-howto.html
>
> That way you'll have a generic Tomcat instead of a patched version.
That sure would be a way, but I think it would be much cooler
if Tomcat were to support this official LDAP standard.
Even httpd does it:
http://httpd.apache.org/docs/current/mod/mod_ldap.html#usingssltls
> . . . just my two cents
>
> /mde/
bye,
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: [email protected]
URL: http://brainsware.org/
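The capture above shows the bind request as the very first LDAP operation on the socket, with no StartTLS extended request in front of it, which is exactly the situation in which a server cannot offer SASL EXTERNAL (it has seen no TLS client certificate yet). As an added illustration, not Tomcat's JNDIRealm or Felix's patch, here is the order the JNDI StartTLS tutorial prescribes written out as a stand-alone client: connect anonymously, negotiate StartTLS so the client certificate is presented, check that the server now advertises EXTERNAL in its root DSE, and only then bind. The keystore path and password are placeholders; the URL is the one from the Realm configuration quoted above.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Plain JNDI client showing the order a StartTLS + SASL EXTERNAL bind needs. */
public class StartTlsExternalBind {

    /** Connects in the clear, upgrades with StartTLS, then binds with SASL EXTERNAL. */
    public static LdapContext bindExternal(String url) throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no SECURITY_AUTHENTICATION yet: nothing must try to
        // authenticate before the TLS layer exists.
        LdapContext ctx = new InitialLdapContext(env, null);

        // StartTLS extended operation; negotiate() runs the handshake and presents
        // the client certificate from the JSSE keystore (javax.net.ssl.keyStore).
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();

        // Read the root DSE over TLS and confirm EXTERNAL is now offered; this is the
        // condition the "SASL(-4): no mechanism available" response says was unmet.
        Attribute mechs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"})
                             .get("supportedSASLMechanisms");
        if (mechs == null || !mechs.contains("EXTERNAL")) {
            tls.close();
            ctx.close();
            throw new NamingException("server does not advertise SASL EXTERNAL: " + mechs);
        }

        // Switch to EXTERNAL and force the bind; it now travels inside the TLS session.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore holding the client certificate and private key.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/client-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        LdapContext ctx = bindExternal("ldap://mail.brainsware.org:389/");
        System.out.println("SASL EXTERNAL bind succeeded");
        ctx.close();
    }
}
```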