On Tue, 17 Aug 2010 21:30:56 +0000 (UTC), Igor Galić <i.ga...@brainsware.org> wrote:

>> That looks right. I believe I have found one issue with my code. It
>> will get an InitialDirContext with your admin user and password, before
>> it is negotiating TLS. I have attached another ContextFactory, which
>> will remove admin user, password and authentication method prior to TLS
>> negotiation. After (hopefully) establishing TLS it adds those
>> parameters back in. As with the last factory, you should select a
>> package name of your liking.
>
> Done, now the startup looks all fine in the log -- but tshark speaks a
> different language:
>
> r...@iris ~ # tshark host 188.40.115.116
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
>   0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [SYN] Seq=0 ...
>   0.488000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=727 Ack=1914 Win=11648 Len=0 TSV=1189177866 TSER=97730562
>
> This means: We are (disturbingly) sending an SSLv2 Hello, we get a TLSv1
> reply, and now we're happy... Or so I blindly guess from the fact that no
> error or warning is logged..
> I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK,
> PSH/ACK. Don't know if this is a problem, but I don't think so.

You could start Tomcat with -Djavax.net.debug=ssl to see what Java thinks
about the SSL/TLS handshake.

> Anyway, then I try to log in, and that's when this happens in the log:
>
> SEVERE: An exception or error occurred in the container during the request processing
> java.lang.reflect.UndeclaredThrowableException
>         at $Proxy0.getAttributes(Unknown Source)
>         at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
>         at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
>         at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)

This means that you specified userPattern='...' in your realm
configuration. And since your pattern looks like '(uid={0})(...)' it is
probably wrong. You have specified userSearch='uid={0}', too. So I
believe you want to read the fine documentation
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
especially about JNDIRealm and settle on using userSearch.

As a side note, I have installed the community version of Zimbra and the
default installation seems to be usable without TLS at all. It has
disabled simple bind, however.

Bye
Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
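The factory Felix attached is not on the page. The following is an added example, written for this page rather than taken from the thread, of a JNDI context factory that does what his message describes: it strips the bind DN, password and authentication method from the environment Tomcat's JNDIRealm hands it, connects anonymously, negotiates StartTLS with the standard javax.naming.ldap API, and only then restores the credentials and binds, so the simple bind travels inside TLS instead of in the clear. The package and class names are placeholders to be replaced with your own.

```java
package org.example.ldap; // placeholder package; pick one of your liking

import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;
import javax.net.ssl.SSLSession;

/**
 * Example context factory for JNDIRealm's contextFactory attribute (not the
 * one attached to the mailing-list post). It opens the LDAP connection without
 * credentials, negotiates StartTLS, and only then puts the bind DN, password
 * and authentication method back into the context, so the simple bind is sent
 * inside TLS rather than as plaintext before the handshake.
 */
public class StartTlsContextFactory implements InitialContextFactory {

    /** Environment keys that must not leave the JVM before TLS is up. */
    private static final String[] SECRET_KEYS = {
        Context.SECURITY_AUTHENTICATION,
        Context.SECURITY_PRINCIPAL,
        Context.SECURITY_CREDENTIALS,
    };

    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        // Copy the caller's environment so it is left untouched.
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        for (Map.Entry<?, ?> e : environment.entrySet()) {
            env.put(String.valueOf(e.getKey()), e.getValue());
        }

        // Hold the credentials back and force an anonymous connection.
        Hashtable<String, Object> held = new Hashtable<String, Object>();
        for (String key : SECRET_KEYS) {
            Object value = env.remove(key);
            if (value != null) {
                held.put(key, value);
            }
        }
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls =
                (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() runs the TLS handshake on the already open socket and
            // checks the server certificate chain and hostname against the host
            // in java.naming.provider.url. If it fails, fix the certificate or
            // the URL; do not install a permissive HostnameVerifier.
            SSLSession session = tls.negotiate();
            if (session == null) {
                throw new NamingException("StartTLS negotiation returned no session");
            }
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        } catch (NamingException e) {
            ctx.close();
            throw e;
        }

        // The channel is encrypted now: restore the credentials...
        for (Map.Entry<String, Object> e : held.entrySet()) {
            ctx.addToEnvironment(e.getKey(), e.getValue());
        }
        if (held.containsKey(Context.SECURITY_PRINCIPAL)
                && !held.containsKey(Context.SECURITY_AUTHENTICATION)) {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        }
        // ...and bind right away instead of lazily at the first search, so a
        // wrong connectionName/connectionPassword fails at startup, not at the
        // first login attempt.
        ctx.reconnect(null);
        return ctx;
    }
}
```

Drop the compiled class into Tomcat's lib directory and point the realm at it with contextFactory="org.example.ldap.StartTlsContextFactory" (keeping connectionURL as a plain ldap:// URL, since the upgrade to TLS happens inside the factory). Capturing the connection again with tshark, only the LDAP extended request for StartTLS (OID 1.3.6.1.4.1.1466.20037) and the TLS handshake should be readable; the bind request must not appear before the handshake. If you want to rule out the SSLv2-compatible ClientHello Igor saw, the negotiate(SSLSocketFactory) overload is the place to supply a socket factory that restricts the enabled protocols.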
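The two realm shapes Felix contrasts, as an added configuration example (not Igor's server.xml, which is not on the page). The hostnames, DNs, password and factory class name are placeholders. userPattern is a DN template, not a search filter, and when both attributes are set JNDIRealm takes the userPattern path, which is why getUserByPattern appears in the stack trace above.

```xml
<!-- Problematic: a filter where a DN template is expected, plus both
     userPattern and userSearch set; the realm uses userPattern and tries to
     read the entry "(uid=igor)(objectClass=person)" as a DN. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="uid=tomcat,ou=services,dc=example,dc=org"
       connectionPassword="changeit"
       userPattern="(uid={0})(objectClass=person)"
       userSearch="uid={0}" />

<!-- Corrected: search below userBase with a proper filter and no userPattern.
     contextFactory names a custom factory (placeholder) that negotiates
     StartTLS before the service-account bind. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       contextFactory="org.example.ldap.StartTlsContextFactory"
       connectionURL="ldap://ldap.example.org:389"
       connectionName="uid=tomcat,ou=services,dc=example,dc=org"
       connectionPassword="changeit"
       userBase="ou=people,dc=example,dc=org"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=org"
       roleName="cn"
       roleSearch="(member={0})" />
```

With userSearch the realm looks the user up with the service account and then binds as the found DN with the supplied password, so the service account only needs read access to the user and group subtrees; give it nothing more.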