directory-api mailing list archives

From <Michael.Schm...@t-systems.com>
Subject RE: LdapNetworkConnection using SSL
Date Wed, 27 Feb 2013 13:39:28 GMT
Hello Emmanuel,

thank you very much for your answer. The key advice is to use a TrustManager instead of a
KeyManager. After replacing the KeyManager with a TrustManager my program works.

So my problem is solved.

Regards
Michael Schmitz

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Wednesday, 27 February 2013 14:05
To: api@directory.apache.org
Subject: Re: LdapNetworkConnection using SSL

You should not use SSL, but startTLS.

Using SSL in LDAP has been deprecated. Not that it does not work, but it's not the way to
secure your connection to the server, as it requires a second port.

Doing something like:

            LdapConnectionConfig tlsConfig = new LdapConnectionConfig();
            tlsConfig.setLdapHost( ... );
            tlsConfig.setLdapPort( ... );
            tlsConfig.setTrustManagers( <your TrustManager> );


            LdapNetworkConnection connection = new LdapNetworkConnection( tlsConfig );
            connection.connect();
            connection.startTls();
            connection.bind( ... );

is the correct way to connect to an LDAP server.


On 2/27/13 1:38 PM, Michael.Schmitz@t-systems.com wrote:
> Hello,
>
> I am currently working with version M12 of the Apache LDAP API (this was the latest version
> when I began to develop). The connection to the LDAP server is established without SSL, and
> it works fine.
>
> Due to security reasons we want to change the connection to SSL. So I created a keystore
> file .keystore which includes the same certificate which I am using with the Apache Directory
> Studio Client to connect to the LDAP server via SSL. In the Apache Directory Studio Client,
> the certificate works without problems. Trying to connect with the LDAP API results in an
> InvalidConnectionException at the connection.bind statement.
>
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3808)
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1170)
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1075)
> at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:120)
> at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:105)
> at TestSSL.main(TestSSL.java:50)
>
> Here is the code to connect to the LDAP server with the LDAP API:
>
>   boolean useSSL = true;
>   LdapNetworkConnection connection = null;
>   LdapConnectionConfig ldapConnectionConfig = null;
>   if (useSSL) {
>       ldapConnectionConfig = new LdapConnectionConfig();
>       ldapConnectionConfig.setUseSsl(true);
>       ldapConnectionConfig.setLdapHost(<host>);
>       ldapConnectionConfig.setLdapPort(<port>);
>       ldapConnectionConfig.setSslProtocol("SSLv3");
>       char[] pw = "<password>".toCharArray();
>       KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
>       // load the keystore; try-with-resources closes the stream afterwards
>       try (FileInputStream fis = new FileInputStream(".keystore")) {
>           ks.load(fis, pw);
>       }
>       catch (Exception e) {
>           e.printStackTrace();
>       }
>       KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
>       keyManagerFactory.init(ks, pw);
>       KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
>       ldapConnectionConfig.setKeyManagers(keyManagers);
>       connection = new LdapNetworkConnection(ldapConnectionConfig);
>   }
>   else {
>       connection = new LdapNetworkConnection(<host>, <port>);
>   }
>   try {
>       connection.bind(<bind string>, <password>);
>             ...
> With useSSL=false the program works right.
>
> Does anyone have an idea what is missing? Could you provide me with a working example?
>
> Thank you very much.
>
> Regards
> Michael Schmitz
>


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
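As an added example (not code from either poster or from the Apache Directory project), here is a complete version of the startTLS plus TrustManager approach discussed in this thread, with the truststore loaded from a file the way the original question loaded its keystore. The host, port, truststore path, passwords and bind DN are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class StartTlsExample {

    // Hypothetical values: replace with your server, truststore and bind DN.
    static final String HOST = "ldap.example.com";
    static final int PORT = 389;                 // plain LDAP port; startTLS upgrades it in place
    static final String TRUSTSTORE = ".keystore";
    static final char[] TRUSTSTORE_PW = "<truststore password>".toCharArray();

    /** Builds TrustManagers from a keystore that holds the server's (CA) certificate.
     *  A TrustManager decides which server certificates the client accepts; a
     *  KeyManager (what the original post configured) only supplies the client's own
     *  certificate, so it cannot make the server handshake succeed on its own.
     *  Do not substitute NoVerificationTrustManager outside tests: it accepts any
     *  certificate and gives up server authentication entirely. */
    static TrustManager[] loadTrustManagers(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {   // stream is closed afterwards
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(HOST);
        config.setLdapPort(PORT);
        config.setSslProtocol("TLSv1.2");        // not "SSLv3": broken and disabled on modern servers
        config.setTrustManagers(loadTrustManagers(TRUSTSTORE, TRUSTSTORE_PW));

        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            connection.connect();                // plain TCP to the LDAP port
            connection.startTls();               // negotiate TLS before any credentials are sent
            connection.bind("cn=reader,dc=example,dc=com", "<bind password>");
            System.out.println("authenticated: " + connection.isAuthenticated());
            connection.unBind();
        } catch (LdapException e) {
            // An untrusted server certificate surfaces here as a failed handshake.
            System.err.println("LDAP/TLS failure: " + e.getMessage());
        } finally {
            connection.close();
        }
    }
}
```

If the handshake still fails, check that the truststore actually contains the certificate chain the server presents, and that the server's name matches what the certificate was issued for.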

