> Either use the LdapTlsContextFactory, or the patched tomcat. Not both. I
> would advise to use the factory, since you can use a supported tomcat.

ACK. Done that. In a vanilla Tomcat, I've put your LdapTlsContextFactory in
a jar in lib/ with a config such as this:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://mail.brainsware.org:389"
           alternateURL="ldap://mail.esotericsystems.at:389"
           commonRole="admin" connectionName="uid=whatever"
           connectionPassword="securityisgreat."
           userBase="ou=people,dc=brainsware,dc=org"
           userPattern="(uid={0})(postOfficeBox=internal_projects)"
           contextFactory="tc.startTLS.LdapTlsContextFactory"
           userSearch="uid={0}" />

On startup I see this:

INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
Aug 17, 2010 9:33:47 AM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.<init>(LdapTlsContextFactory.java:31)
        at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.<init>(LdapTlsContextFactory.java:25)
        at tc.startTLS.LdapTlsContextFactory.getInitialContext(LdapTlsContextFactory.java:96)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954)
        at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)


But the interesting thing is that I see this here on a login attempt (it's actually the first time I've tried that in a long time now... so I don't know what the other cases would have brought us):

SEVERE: An exception or error occurred in the container during the request processing
java.lang.reflect.UndeclaredThrowableException
        at $Proxy0.getAttributes(Unknown Source)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1186)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1058)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:947)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.invoke(LdapTlsContextFactory.java:54)
        ... 17 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=i.galic'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
        ... 22 more

> I had attached a second java class to my last mail, which you can use to
> test the connection to your ldap server without tomcat. You may have to
> specify a java keystore with your trusted certs. You can do this by
> specifying the java env variable
> -Djavax.net.ssl.trustStore=PATH_TO_MY/truststore.jks. If you want to learn
> more about the tls steps, you can specify -Djavax.net.debug=ssl.

I haven't managed to get the TlsTest.java to compile.

> > The wireshark trace still looks the same.
Yep, still does.

i
-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
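The two traces above carry their diagnosis in the innermost "Caused by:" line: LDAP result code 13 (confidentialityRequired) means the server refused the cleartext bind before TLS was negotiated, and code 32 (noSuchObject) with remaining name 'uid=i.galic' means the DN JNDIRealm built from the userPattern does not exist on the server. The following is an added triage script, not code from the thread or from the LdapTlsContextFactory; it walks a Java log for JNDI/LDAP exceptions and maps the RFC 4511 result codes to their meaning, using a constructed abridgement of the two traces as input.

```python
import re

# Constructed sample: the diagnostic lines of the two traces quoted in the
# mail, with the wrapped exception messages rejoined onto one line each.
SAMPLE_LOG = """\
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
SEVERE: An exception or error occurred in the container during the request processing
java.lang.reflect.UndeclaredThrowableException
        at $Proxy0.getAttributes(Unknown Source)
Caused by: java.lang.reflect.InvocationTargetException
        at java.lang.reflect.Method.invoke(Method.java:597)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=i.galic'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
"""

# RFC 4511 result codes relevant to a JNDIRealm + StartTLS setup, with the
# defender-side reading of each.
LDAP_CODES = {
    13: "confidentialityRequired: server refuses a cleartext bind; TLS must be negotiated first",
    32: "noSuchObject: the DN JNDIRealm built for the user does not exist on this server",
    49: "invalidCredentials: bind DN or password rejected",
}

# Matches the JNDI-formatted LDAP error line, e.g.
#   javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=x'
EXC_RE = re.compile(
    r"^(?P<exc>[\w.$]+Exception): \[LDAP: error code (?P<code>\d+) - (?P<msg>[^\]]+)\]"
    r"(?:; remaining name '(?P<name>[^']*)')?"
)


def find_ldap_errors(log_text):
    """Return one dict per LDAP failure found in a Java log. Top-level exception
    lines and 'Caused by:' lines are both inspected, so the innermost cause of
    a wrapped exception (the last 'Caused by:') is reported too."""
    errors = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Caused by: "):
            line = line[len("Caused by: "):]
        m = EXC_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        errors.append({
            "exception": m.group("exc"),
            "code": code,
            "server_message": m.group("msg").strip(),
            "remaining_name": m.group("name"),
            "diagnosis": LDAP_CODES.get(code, "unmapped result code; see RFC 4511"),
        })
    return errors


if __name__ == "__main__":
    for e in find_ldap_errors(SAMPLE_LOG):
        print(e["code"], e["exception"], e["remaining_name"], "->", e["diagnosis"])
```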
