> That looks right. I believe I have found one issue with my code. It
> will get an InitialDirContext with your admin user and password, before
> it is negotiating TLS. I have attached another ContextFactory, which
> will remove admin user, password and authentication method prior to TLS
> negotiation. After (hopefully) establishing TLS it adds those
> parameters back in. As with the last factory, you should select a
> package name of your liking.
Done, now the startup looks all fine in the log -- but tshark speaks a different language:
r...@iris ~ # tshark host 188.40.115.116
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1189177744 TSER=0 WS=7
0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=97730450 TSER=1189177744 WS=7
0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1189177744 TSER=97730450
0.004000 188.40.115.116 -> 188.40.115.121 LDAP extendedReq(1) LDAP_START_TLS_OID
0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1 Ack=61 Win=5888 Len=0 TSV=97730451 TSER=1189177745
0.008000 188.40.115.121 -> 188.40.115.116 LDAP extendedResp(1) [LDAP_START_TLS_OID responseName missing]
0.008000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=61 Ack=15 Win=5888 Len=0 TSV=1189177746 TSER=97730452
0.384000 188.40.115.116 -> 188.40.115.121 SSLv2 Client Hello
0.384000 188.40.115.121 -> 188.40.115.116 TLSv1 Server Hello, [Unreassembled Packet [incorrect TCP checksum]]
0.384000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1463 Ack=161 Win=5888 [TCP CHECKSUM INCORRECT] Len=408 TSV=97730546 TSER=1189177839
0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161 Ack=1463 Win=8832 Len=0 TSV=1189177839 TSER=97730546
0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161 Ack=1871 Win=11648 Len=0 TSV=1189177839 TSER=97730546
0.408000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=161 Ack=1871 Win=11648 Len=523 TSV=1189177846 TSER=97730546
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871 Ack=684 Win=6912 Len=0 TSV=97730562 TSER=1189177846
0.448000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=684 Ack=1871 Win=11648 Len=43 TSV=1189177856 TSER=97730562
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871 Ack=727 Win=6912 Len=0 TSV=97730562 TSER=1189177856
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1871 Ack=727 Win=6912 [TCP CHECKSUM INCORRECT] Len=43 TSV=97730562 TSER=1189177856
0.488000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=727 Ack=1914 Win=11648 Len=0 TSV=1189177866 TSER=97730562
This means: We are (disturbingly) sending an SSLv2 Hello, we get a TLSv1 reply, and now we're happy... Or so I blindly guess from the fact that no error or warning is logged.
I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK, PSH/ACK.
Anyway, then I try to login, and that's when this happens in the log:
SEVERE: An exception or error occurred in the container during the request processing
java.lang.reflect.UndeclaredThrowableException
    at $Proxy0.getAttributes(Unknown Source)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
    at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
    at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1186)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1058)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:947)
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.invoke(LdapTlsContextFactory.java:73)
    ... 17 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=i.galic'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
    ... 22 more
The corresponding tshark trace looks like this:
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=727 Ack=1914 Win=11648 Len=74 TSV=1189193646 TSER=97730562
63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1914 Ack=801 Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=801 Ack=1949 Win=11648 Len=0 TSV=1189193646 TSER=97746352
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=801 Ack=1949 Win=11648 Len=105 TSV=1189193646 TSER=97746352
63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1949 Ack=906 Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
63.635308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=906 Ack=1984 Win=11648 Len=0 TSV=1189193657 TSER=97746352
> > I haven't managed to get the TlsTest.java to compile.
> Why?
Because I fail at Java.
Anyway, sorry for the late reply but hell was breaking out at work. YAY Operations \o/
I hope you didn't have your hopes up too high for this to work (as I did ;)
> Bye
> Felix
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: [email protected]
URL: http://brainsware.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
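The ContextFactory described in the quoted reply (strip the admin credentials, negotiate StartTLS, then put them back) and the SSLv2 Client Hello seen in the trace both come down to the order and configuration of a few JNDI calls. The following is an added, stand-alone example written for this page; it is not the attached LdapTlsContextFactory nor Tomcat's JNDIRealm code. It assumes a current JDK (TLSv1.2/1.3 available) and an LDAP server that supports StartTLS; the URL, bind DN, password and user DN in main() are placeholders. The initial context is created with no SECURITY_* entries so no bind happens on the plaintext socket; the credentials are added only after negotiate() has verified the server certificate, and reconnect() then performs the bind on the TLS-wrapped socket. The custom SSLSocketFactory pins the enabled protocols on the layered socket, so the client never sends a version-2-format hello (JSSE's "SSLv2Hello" pseudo-protocol), which is what the trace above shows the old default doing.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: plaintext connect -> StartTLS -> bind, in that order.
 * Host, port, bind DN, password and user DN are placeholder assumptions.
 */
public class StartTlsThenBind {

    /** Delegates to the JVM default factory but pins every socket it hands out to TLS only. */
    static final class TlsOnlySocketFactory extends SSLSocketFactory {
        private static final String[] PROTOCOLS = { "TLSv1.2", "TLSv1.3" };
        private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();

        private static Socket pin(Socket s) {
            // Removes SSLv2Hello and any SSLv3/TLSv1.0 entry from the enabled list.
            ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

        // StartTLS layers TLS over the already-open LDAP TCP socket through this overload.
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return pin(delegate.createSocket(s, host, port, autoClose));
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(String host, int port, InetAddress lh, int lp) throws IOException {
            return pin(delegate.createSocket(host, port, lh, lp));
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return pin(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress lh, int lp) throws IOException {
            return pin(delegate.createSocket(host, port, lh, lp));
        }
    }

    /** Returns the attributes of userDn, fetched over a StartTLS-protected, authenticated session. */
    public static Attributes lookupUser(String url, String bindDn, String bindPw, String userDn)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no SECURITY_AUTHENTICATION / PRINCIPAL / CREDENTIALS here:
        // the first connection is anonymous, so no bind crosses the wire in the clear.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() validates the certificate chain and checks the host name against it;
            // on failure it throws and the credentials below are never sent.
            tls.negotiate(new TlsOnlySocketFactory());

            // Credentials go in only now; reconnect() issues the bind on the TLS socket.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPw);
            ctx.reconnect(null);

            return ctx.getAttributes(userDn);
        } finally {
            if (tls != null) tls.close();
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions), replace with your directory's.
        Attributes a = lookupUser("ldap://ldap.example.org:389",
                "cn=admin,dc=example,dc=org", "secret",
                "uid=jdoe,ou=people,dc=example,dc=org");
        System.out.println(a);
    }
}
```

A quick check that the ordering is right is the same one used in the thread: capture with tshark and confirm that the only LDAP PDU visible in the clear is the extendedReq/extendedResp pair for LDAP_START_TLS_OID, that the next record is a TLSv1.2 or TLSv1.3 Client Hello rather than an SSLv2 one, and that the bind appears only inside the encrypted stream. Passing a full DN to getAttributes (rather than a bare RDN) matters too: the name is resolved against the server's naming context, and a name that does not exist there comes back as LDAP error 32.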