Bug #27
Connection on ldaps:// URI
| Status: | Closed | Start: | 21/01/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | Jonathan Clarke | % Done: | 100% |
| Category: | Core | | |
| Target version: | 1.1.0 | | |
| Problem in version: | | | |
Description
Hello,
My target directory accepts only secured connections, either with ldaps:// or with a startTLS control.
When using an ldaps:// URI in dst.java.naming.provider.url, there is a Java error:

```
javax.naming.CommunicationException: simple bind failed: localhost:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.interldap.lsc.jndi.JndiServices.<init>(JndiServices.java:101)
at org.interldap.lsc.jndi.JndiServices.getInstance(JndiServices.java:141)
at org.interldap.lsc.jndi.JndiServices.getDstInstance(JndiServices.java:127)
at org.interldap.lsc.jndi.SimpleJndiDstService.getJndiServices(SimpleJndiDstService.java:118)
at org.interldap.lsc.jndi.AbstractSimpleJndiService.get(AbstractSimpleJndiService.java:111)
at org.interldap.lsc.jndi.SimpleJndiDstService.getBean(SimpleJndiDstService.java:89)
at org.interldap.lsc.AbstractSynchronize.synchronizeLdap2Ldap(AbstractSynchronize.java:463)
at org.interldap.lsc.SimpleSynchronize.launchSyncTask(SimpleSynchronize.java:295)
at org.interldap.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:140)
at org.interldap.lsc.Launcher.run(Launcher.java:103)
at org.interldap.lsc.Launcher.main(Launcher.java:95)
```
Can we add a feature to support LDAPS and startTLS? Can this be added to the 1.1 roadmap?
Associated revisions
Add support for STARTTLS extended operation. Use "dst.java.naming.tls=true" in lsc.properties to enable it. Fixes #27.
History
Updated by Jonathan Clarke over 1 year ago
- Category set to Core
Hi Clément,
Thanks for this. It seems there are two very different cases:
1) TLS support. According to http://java.sun.com/products/jndi/tutorial/ldap/ext/starttls.html, this requires modifying the code to perform an extended LDAP operation "StartTLS".
2) LDAPS (SSL) support. This requires no modification of the code.
However, in both cases the server's certificate must be trusted by the JVM. See http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html#CLIENT.
I agree that this should be made available for 1.1 release. It has been requested before, and is necessary for some update operations on AD, for example. We need to:
a) Implement the TLS code, with a preference.
b) Test and write doc about trusting certificates.
Clément, if you have time, could you try the keytool -import command recommended in the link above (with your LDAPS: URI)?
Updated by Clément Oudot over 1 year ago
Hi,
I've tested the keytool command and it works! I will try to add this to the LSC wiki if I have time.
But I have a remark: I configure OpenLDAP with "security ssf=256" to disallow non-secure connections. This works for syncrepl and my LDAP clients. But LSC (let's say Java) connects with a 128 strength, so I had to modify OpenLDAP with "security ssf=128". Any idea why the security is lower with Java?
Updated by Jonathan Clarke over 1 year ago
- Target version changed from 1.0 branch to 1.1.0
Updated by Sébastien Bahloul over 1 year ago
- Category changed from Core to Documentation
- Status changed from New to Assigned
- Assigned to set to Clément Oudot
Assigned to Clement.
Updated by Jonathan Clarke over 1 year ago
- Category changed from Documentation to Core
- Assigned to changed from Clément Oudot to Jonathan Clarke
This still needs work on the code - TLS is not yet implemented.
Updated by Jonathan Clarke over 1 year ago
- File tls-extended-operation.patch added
- Status changed from Assigned to Feedback
- % Done changed from 0 to 70
Hi,
I've written a patch for lsc-core HEAD that should allow using TLS on a plain LDAP connection. You just have to add this to your lsc.properties:

```
dst.java.naming.provider.tls = true
```
Can someone test this please?
Thanks,
Jonathan
Updated by Thomas Chemineau over 1 year ago
I tested it. It seems to work well, it sends the correct extended operation:

```
0 [main] WARN org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:217) - Starting sync for ldap2adCreate
483 [main] ERROR org.lsc.jndi.JndiServices.<init>(JndiServices.java:146) - Error starting TLS encryption on connection to ldap://192.168.190.101:389/dc=brinks,dc=fr
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '192.168.190.101' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at org.lsc.jndi.JndiServices.<init>(JndiServices.java:144)
at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:201)
at org.lsc.jndi.JndiServices.getSrcInstance(JndiServices.java:177)
at org.lsc.jndi.SimpleJndiSrcService.getListPivots(SimpleJndiSrcService.java:151)
at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:261)
at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:266)
at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:172)
at org.lsc.Launcher.run(Launcher.java:125)
at org.lsc.Launcher.main(Launcher.java:111)
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
... 11 more
javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '192.168.190.101' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at org.lsc.jndi.JndiServices.<init>(JndiServices.java:144)
at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:201)
at org.lsc.jndi.JndiServices.getSrcInstance(JndiServices.java:177)
at org.lsc.jndi.SimpleJndiSrcService.getListPivots(SimpleJndiSrcService.java:151)
at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:261)
at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:266)
at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:172)
at org.lsc.Launcher.run(Launcher.java:125)
at org.lsc.Launcher.main(Launcher.java:111)
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
... 11 more
Exception in thread "main" java.lang.ExceptionInInitializerError
at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:206)
at org.lsc.jndi.JndiServices.getSrcInstance(JndiServices.java:177)
at org.lsc.jndi.SimpleJndiSrcService.getListPivots(SimpleJndiSrcService.java:151)
at org.lsc.AbstractSynchronize.synchronize2Ldap(AbstractSynchronize.java:261)
at org.lsc.SimpleSynchronize.launchTask(SimpleSynchronize.java:266)
at org.lsc.SimpleSynchronize.launch(SimpleSynchronize.java:172)
at org.lsc.Launcher.run(Launcher.java:125)
at org.lsc.Launcher.main(Launcher.java:111)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '192.168.190.101' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at org.lsc.jndi.JndiServices.<init>(JndiServices.java:144)
at org.lsc.jndi.JndiServices.getInstance(JndiServices.java:201)
... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:416)
... 11 more
```
All configuration is OK: certificate in the keystore, common name matches, correct value in lsc.properties (src.java.naming.tls = true).
When LSC tries to connect to the LDAP directory, I get this strange error (at the end):

```
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: slap_listener_activate(8):
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 busy
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: >>> slap_listener(ldap://*:389/)
Apr 16 21:04:08 localhost slapd[2448]: daemon: listen=8, new connection on 18
Apr 16 21:04:08 localhost slapd[2448]: daemon: added 18r (active) listener=(nil)
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]: 18r
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:08 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:08 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:08 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:08 localhost slapd[2448]: conn=9 op=0 do_bind
Apr 16 21:04:08 localhost slapd[2448]: >>> dnPrettyNormal: <cn=manager,dc=brinks,dc=fr>
Apr 16 21:04:08 localhost slapd[2448]: <<< dnPrettyNormal: <cn=manager,dc=brinks,dc=fr>, <cn=manager,dc=brinks,dc=fr>
Apr 16 21:04:08 localhost slapd[2448]: do_bind: version=3 dn="cn=manager,dc=brinks,dc=fr" method=128
Apr 16 21:04:08 localhost slapd[2448]: ==> bdb_bind: dn: cn=manager,dc=brinks,dc=fr
Apr 16 21:04:08 localhost slapd[2448]: do_bind: v3 bind: "cn=manager,dc=brinks,dc=fr" to "cn=manager,dc=brinks,dc=fr"
Apr 16 21:04:08 localhost slapd[2448]: send_ldap_result: conn=9 op=0 p=3
Apr 16 21:04:08 localhost slapd[2448]: send_ldap_result: err=0 matched="" text=""
Apr 16 21:04:08 localhost slapd[2448]: send_ldap_response: msgid=1 tag=97 err=0
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]: 18r
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:08 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:08 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:08 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:08 localhost slapd[2448]: conn=9 op=1 do_extended
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:08 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:08 localhost slapd[2448]:
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:08 localhost slapd[2448]: => get_ctrls
Apr 16 21:04:08 localhost slapd[2448]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Apr 16 21:04:08 localhost slapd[2448]: <= get_ctrls: n=1 rc=0 err=""
Apr 16 21:04:08 localhost slapd[2448]: do_extended: oid=1.3.6.1.4.1.1466.20037
Apr 16 21:04:08 localhost slapd[2448]: send_ldap_extended: err=0 oid= len=0
Apr 16 21:04:08 localhost slapd[2448]: send_ldap_response: msgid=2 tag=120 err=0
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]: 18r
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:09 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]: 18r
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:09 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]: 18r
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:09 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on 1 descriptor
Apr 16 21:04:09 localhost slapd[2448]: daemon: activity on:
Apr 16 21:04:09 localhost slapd[2448]: 18r
Apr 16 21:04:09 localhost slapd[2448]:
Apr 16 21:04:09 localhost slapd[2448]: daemon: read active on 18
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18)
Apr 16 21:04:09 localhost slapd[2448]: connection_get(18): got connid=9
Apr 16 21:04:09 localhost slapd[2448]: connection_read(18): checking for input on id=9
Apr 16 21:04:09 localhost slapd[2448]: connection_read(18): unable to get TLS client DN, error=49 id=9
[...]
```

The ldapsearch command works well with the StartTLS operation.
Updated by Thomas Chemineau over 1 year ago
Well, it seems to work better when you use a hostname (localhost) instead of an IP address (in my case, 192.168.190.101), both in the LDAP URL and in the server certificate. Now I have another strange behaviour: I obtain anonymous rights on the LDAP directory after the TLS session is opened. I do not know if this is due to the Java code or the LDAP server configuration. I will look into this tomorrow.

```
Apr 17 01:29:22 localhost slapd[2501]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:47135 (IP=0.0.0.0:389)
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=1 EXT oid=1.3.6.1.4.1.1466.20037
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=1 STARTTLS
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=1 AUTHZ anonymous mech=starttls ssf=0
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=1 RESULT oid= err=0 text=
Apr 17 01:29:22 localhost slapd[2501]: conn=0 fd=15 TLS established tls_ssf=128 ssf=128
Apr 17 01:29:22 localhost slapd[2501]: conn=0 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
```
Updated by Thomas Chemineau over 1 year ago
Found that LSC binds with its LDAP account, then executes the StartTLS extended operation. It should not bind before executing the StartTLS operation, because it may lose its rights (and it seems that it does).
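The two cases Jonathan lists above (StartTLS as a JNDI extended operation, LDAPS with no code change) and the ordering problem Thomas found (bind before StartTLS sends the password in clear and, per the slapd log above, leaves the connection authorized as anonymous), as an added JNDI example. This is illustration code written for this page, not LSC's patch or code base. The host names, DNs, the LDAP_BIND_PASSWORD environment variable and the search base are assumptions; as the thread notes, the JVM must trust the server certificate for either path, for example through the standard -Djavax.net.ssl.trustStore system property pointing at the keystore built with keytool -import.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class SecureLdapConnect {

    // Hypothetical values for illustration only; the ticket's own hosts and DNs are not reused.
    static final String STARTTLS_URL = "ldap://ldap.example.org:389/dc=example,dc=org";
    static final String LDAPS_URL    = "ldaps://ldap.example.org:636/dc=example,dc=org";
    static final String BIND_DN      = "cn=manager,dc=example,dc=org";

    static String bindPassword() {
        String pw = System.getenv("LDAP_BIND_PASSWORD");   // assumed environment variable
        if (pw == null) throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        return pw;
    }

    /** LDAPS: no extended operation needed. The TLS handshake precedes the bind, so the
     *  password never crosses the wire in clear. Only a trusted server certificate is required. */
    static LdapContext connectLdaps() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword());
        return new InitialLdapContext(env, null);
    }

    /** StartTLS on a plain ldap:// port. Order matters: negotiate TLS first, bind afterwards. */
    static LdapContext connectStartTls() throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, STARTTLS_URL);
        // Deliberately no credentials here: a simple bind issued now would travel in clear text,
        // and the slapd log in this thread shows the server re-authorizing the connection as
        // anonymous once StartTLS completes, so the earlier bind would be wasted anyway.
        LdapContext ctx = new InitialLdapContext(env, null);

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // Keep the provider's default hostname verification (do not call setHostnameVerifier
        // with a permissive one): the URL host must match the certificate's CN or subjectAltName.
        // An IP address in the URL is matched against SAN entries only, which is why a CN-only
        // certificate fails with "No subject alternative names present".
        SSLSession session = tls.negotiate();
        String suite = session.getCipherSuite();
        if (suite.contains("_NULL_") || suite.contains("anon")) {
            tls.close();
            throw new IOException("refusing unencrypted or unauthenticated cipher suite " + suite);
        }

        // The channel is now protected: attach the credentials and force the bind over TLS.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPassword());
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = connectStartTls();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});
            // A search that needs more than anonymous rights: if the bind happened before
            // StartTLS, this is where the loss of authorization shows up.
            System.out.println("entries found: "
                    + ctx.search("ou=people", "(objectClass=inetOrgPerson)", sc).hasMore());
        } finally {
            ctx.close();
        }
    }
}
```

Two checks worth keeping when adapting this: the StartTLS path verifies the URL host against the certificate by default, so use the certificate's hostname in the URL rather than an IP, as Thomas found; and the LDAPS path of JDKs older than 8u181 performed no such hostname check at all, so on those versions a trusted but mismatched certificate would be accepted silently.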
Updated by Jonathan Clarke over 1 year ago
- Status changed from Feedback to Closed
Closing this bug:
- LDAPS just works
- TLS is now implemented and tested
For both, certificates need to be added to the JVM - see http://lsc-project.org/wiki/documentation/howtos/ssltls.
Please note that to enable TLS, the property is "[src|dst].java.naming.tls=true", NOT what I wrote in a previous comment. Sorry for the confusion.