db-derby-dev mailing list archives

From "Anders Morken (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-1000) For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
Date Fri, 30 Jun 2006 21:46:31 GMT
    [ http://issues.apache.org/jira/browse/DERBY-1000?page=comments#action_12418713 ] 

Anders Morken commented on DERBY-1000:

Now that DERBY-1174 is resolved, the patches attached to this issue are technically all you
need to let Derby use SSL-enabled LDAP connections to an LDAP directory. While I've tested
this manually, I haven't written a regression test for it. You need a lot of manual preparation
to test this - most notably an SSL-enabled LDAP server to query and bind against, and you
need the LDAP server's SSL certificate (or the CA certificate that signed the LDAP server's
cert) in your Java installation's trusted certificate store. See http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
for more details.
The fact that you need to import the ldap server's cert should probably be mentioned in the
docs as well. Is the above URL "stable" enough for us to refer to in Derby documentation?

> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>          Key: DERBY-1000
>          URL: http://issues.apache.org/jira/browse/DERBY-1000
>      Project: Derby
>         Type: Bug
>   Components: Newcomer, Security
>     Versions:,,,,,,,,
>  Environment: all
>     Reporter: Sunitha Kambhampati
>     Assignee: Anders Morken
>     Priority: Trivial
>  Attachments: DERBY-1000.patch, DERBY1000-docs.patch
> derby.authentication.server does not recognize secure ldap url - ie if the url starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
> derby.authentication.provider=LDAP
> derby.authentication.server=ldaps://xyz.abc.com:636
> derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
> derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
> derby.connection.requireAuthentication=true
> throws InvalidNameException
> ij> connect 'jdbc:derby:testdb;user=a;password=p';
> ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
> Thus for a ldaps://xyz.com:636 url, it will become ldap://ldaps://xyz.com:636. In the code snippet, dfltLDAPURL is ldap://
> 				if (ldapServer.startsWith(dfltLDAPURL))
> 					this.providerURL = ldapServer;
> 				else if (ldapServer.startsWith("//"))
> 					this.providerURL = "ldap:" + ldapServer;
> 				else
> 					this.providerURL = dfltLDAPURL + ldapServer;
> 			}
> 			initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure ldap, ie ldaps://, in the derby.authentication.server. Add a condition to support ldaps://
> ie.
> 				if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
> 					this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.  
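The URL normalisation from the issue, with the proposed ldaps:// condition applied, as an added standalone Java illustration (not Derby's code; class and method names are mine). The buggy branch is kept beside the fixed one so the ldap://ldaps:// doubling the reporter saw can be reproduced without a directory server, and the JNDI environment shows where the normalised value ends up.

```java
import java.util.Hashtable;
import javax.naming.Context;

public class LdapProviderUrl {
    private static final String DFLT_LDAP_URL = "ldap://";
    private static final String LDAPS_URL = "ldaps://";

    // Behaviour described in the issue: an ldaps:// value matches neither branch
    // and falls through to the final one, which prefixes it with ldap:// again.
    static String buggyProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // Proposed fix: a value that already carries the ldaps:// scheme is used as-is,
    // so the JNDI provider sees a proper URL and opens an SSL connection.
    static String fixedProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL) || ldapServer.startsWith(LDAPS_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // JNDI environment for the bind, using the normalised URL. With an ldaps://
    // PROVIDER_URL the handshake only succeeds if the server's certificate (or the
    // CA that signed it) is in the JVM's trusted certificate store, as the comment
    // above notes; no connection is opened here.
    static Hashtable<String, String> jndiEnv(String ldapServer) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, fixedProviderUrl(ldapServer));
        return env;
    }

    public static void main(String[] args) {
        String secure = "ldaps://xyz.abc.com:636"; // value from the issue description
        System.out.println("buggy: " + buggyProviderUrl(secure));
        System.out.println("fixed: " + fixedProviderUrl(secure));
        System.out.println("fixed: " + fixedProviderUrl("//xyz.abc.com:389"));
        System.out.println("fixed: " + fixedProviderUrl("xyz.abc.com"));
        System.out.println("env:   " + jndiEnv(secure).get(Context.PROVIDER_URL));
    }
}
```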

This message is automatically generated by JIRA.