db-derby-dev mailing list archives

From "Anders Morken (JIRA)" <derby-...@db.apache.org>
Subject [jira] Updated: (DERBY-1000) For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
Date Sun, 02 Apr 2006 12:41:53 GMT
     [ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]

Anders Morken updated DERBY-1000:

    Attachment: DERBY-1000.patch

DERBY-1000.patch: This little one-line change is all it takes to make Derby authenticate against
an LDAP server over SSL for me. (In addition to the necessary setup of the LDAP server, the
self-signed certificate and telling the Java SSL certificate verifier to trust it, of course.
And the change in DERBY-1174 which I needed for LDAP authentication to work at all for me.)

This change didn't seem to cause any problems in derbyall - sysinfo and sysinfo_withproperties
failed due to my locale, the forupdate test fails in the tinderbox test of 390705 as well,
and one failure of CompatibilityTest in the initial derbyall run went away when I ran the
derbynetclientmats suite without a network server already started.

As for documentation issues, I agree that the docs could use a bit of polishing when it comes
to LDAP authentication. I'll see if I can figure out how to update them. =)

> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>          Key: DERBY-1000
>          URL: http://issues.apache.org/jira/browse/DERBY-1000
>      Project: Derby
>         Type: Bug
>   Components: Newcomer, Security
>     Versions:
>  Environment: all
>     Reporter: Sunitha Kambhampati
>     Priority: Trivial
>  Attachments: DERBY-1000.patch
> derby.authentication.server does not recognize secure ldap url - i.e. if the url starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
> derby.authentication.provider=LDAP
> derby.authentication.server=ldaps://xyz.abc.com:636
> derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
> derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
> derby.connection.requireAuthentication=true
> throws InvalidNameException
> ij> connect 'jdbc:derby:testdb;user=a;password=p';
> ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server
> is set, then the ldapServer is either of the format //server:port or it already starts with
> ldap://, else it just adds ldap://.
> Thus for a ldaps://xyz.com:636 url, it will become ldap://ldaps://xyz.com:636
> In the code snippet, dfltLDAPURL is ldap://
>         if (ldapServer.startsWith(dfltLDAPURL))
>             this.providerURL = ldapServer;
>         else if (ldapServer.startsWith("//"))
>             this.providerURL = "ldap:" + ldapServer;
>         else
>             this.providerURL = dfltLDAPURL + ldapServer;
>     }
>     initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure ldap, i.e. ldaps://, in the derby.authentication.server.
> Add condition to support the ldaps://
> i.e.
>         if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
>             this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.  
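The URL-prefix logic quoted in the issue, reproduced as a stand-alone Java example (added here; not Derby's own LDAPAuthenticationSchemeImpl) with the pre-patch behaviour beside the proposed ldaps:// condition, run over constructed sample values for derby.authentication.server:

```java
// Added example, not Derby's code: shows how the providerURL is built from
// derby.authentication.server before and after the ldaps:// condition in DERBY-1000.
public class LdapProviderUrl {
    static final String DFLT_LDAP_URL = "ldap://";   // dfltLDAPURL in the quoted snippet
    static final String LDAPS_URL = "ldaps://";

    // Pre-patch behaviour: only "ldap://" and "//host:port" are recognised, so an
    // ldaps:// value is treated as a bare host and becomes "ldap://ldaps://host:636",
    // which JNDI rejects with InvalidNameException (and no TLS is negotiated).
    static String buggyProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // With the proposed condition: a value that already carries the ldaps:// scheme
    // is passed through unchanged, so the JNDI LDAP provider opens a TLS connection.
    static String fixedProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL) || ldapServer.startsWith(LDAPS_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // True only when the resulting provider URL actually selects the TLS scheme.
    static boolean usesTls(String providerUrl) {
        return providerUrl.startsWith(LDAPS_URL);
    }

    public static void main(String[] args) {
        // Constructed sample values for derby.authentication.server (hosts are placeholders).
        String[] inputs = { "ldaps://xyz.abc.com:636", "ldap://xyz.abc.com:389",
                            "//xyz.abc.com:389", "xyz.abc.com:389" };
        for (String in : inputs) {
            String buggy = buggyProviderUrl(in);
            String fixed = fixedProviderUrl(in);
            System.out.printf("%-26s buggy=%-34s tls=%-5b fixed=%-26s tls=%b%n",
                in, buggy, usesTls(buggy), fixed, usesTls(fixed));
        }
    }
}
```

Only the ldaps:// input differs between the two columns; the other three forms are normalised identically, which is why the change is a safe one-liner.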
