directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRAPI-227) Bind user dn and password sent in clear after receiving PROTOCOL_ERROR during ldaps connection
Date Mon, 19 Sep 2016 12:01:21 GMT

    [ https://issues.apache.org/jira/browse/DIRAPI-227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15503210#comment-15503210 ]

Emmanuel Lecharny commented on DIRAPI-227:
------------------------------------------

Ok, it seems that when the SSL handshake fails, the session is not deleted, so every message being sent afterwards goes out in the clear. This is a bug in MINA (DIRMINA-1044) that should be fixed in the next version.

As soon as we have a MINA release, we will use it in the LDAP API.

> Bind user dn and password sent in clear after receiving PROTOCOL_ERROR during ldaps connection
> ----------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-227
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-227
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M28
>            Reporter: Scott Tustison
>
> I was attempting to use M28 and was having issues getting LDAPS to work (startTLS appeared to work just fine). After several repeated bind and unbind operations, the LDAPS connection would eventually fail with a PROTOCOL_ERROR and never bind again. However, when it was attempting to bind after receiving that error, it would then send the bind user and password in the clear. This was confirmed by looking in the LDAP server logs and also by Wireshark.
> I ran with debug turned on and this is what it receives during a failure (which is after a long string of successes, by the way). I omitted my project's code from the trace for clarity:
> 14:53:55,447 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1028 | ts-ldapclaimshandler | Bind request
> 14:53:55,450 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1270 | ts-ldapclaimshandler | Sending request
> MessageType : BIND_REQUEST
> Message ID : 1
>     BindRequest
>         Version : '3'
>         Name : 'cn=admin'
>         Simple authentication : '(omitted-for-safety)'
> 14:53:55,450 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection  280 | ts-ldapclaimshandler | Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
> 14:53:55,654 | DEBUG | NioProcessor-3   | .ldap.client.api.LdapNetworkConnection$1  660 | ts-ldapclaimshandler | received a NoD, closing everything
> 14:53:55,654 | DEBUG | NioProcessor-3   | .ldap.client.api.LdapNetworkConnection$1  665 | ts-ldapclaimshandler | closing BindFuture[msgId : 1, size : 0, Canceled :false]
> 14:53:55,656 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1201 | ts-ldapclaimshandler | Bind failed : MessageType : BIND_RESPONSE
> Message ID : -1
>     BindResponse
>         Ldap Result
>             Result code : (PROTOCOL_ERROR) protocolError
>             Matched Dn : 'null'
>             Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
> 14:53:55,656 | ERROR | tp1920834220-484 | rity.sts.claimsHandler.RoleClaimsHandler  238 | ts-ldapclaimshandler | Unable to set role claims.
> org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!
> 	at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2163)
> 	at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1035)
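The failure mode discussed in this thread, modelled as a small added example (not code from the Apache Directory LDAP API or from MINA): a client session that survives a failed TLS handshake will happily write the BindRequest, credentials included, in plaintext, while a session that is torn down on handshake failure and refuses non-TLS writes sends nothing. The session class, the `require_tls` flag and the BindRequest stand-in are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the BindRequest in the trace (not real BER encoding).
BIND_REQUEST = b"BindRequest{version=3,name='cn=admin',simple='<password>'}"


class TlsRequiredError(Exception):
    """Write refused: the LDAPS session has no completed TLS handshake."""


@dataclass
class LdapsSession:
    """Minimal model of a client session (assumed; not the MINA or LDAP API classes)."""
    require_tls: bool
    tls_established: bool = False
    closed: bool = False
    wire: List[Tuple[str, bytes]] = field(default_factory=list)  # what leaves the socket
    last_error: Optional[str] = None

    def handshake(self, succeeds: bool) -> None:
        self.tls_established = succeeds
        # Fixed behaviour: a failed handshake destroys the session outright,
        # instead of leaving an open, unencrypted session behind (the DIRAPI-227 bug).
        if not succeeds and self.require_tls:
            self.closed = True

    def send(self, msg: bytes) -> None:
        if self.closed:
            raise ConnectionError("session is closed")
        # Second guard: never let plaintext leave a session that was meant to be LDAPS.
        if self.require_tls and not self.tls_established:
            raise TlsRequiredError("refusing plaintext write on LDAPS session")
        self.wire.append(("tls" if self.tls_established else "clear", msg))


def bind_after_handshake(require_tls: bool, handshake_ok: bool) -> LdapsSession:
    """Run the handshake, then attempt a bind.

    require_tls=False reproduces the reported behaviour: with a failed handshake
    the bind is written in the clear. require_tls=True is the hardened variant.
    """
    s = LdapsSession(require_tls=require_tls)
    s.handshake(handshake_ok)
    try:
        s.send(BIND_REQUEST)
    except (ConnectionError, TlsRequiredError) as exc:
        s.last_error = str(exc)
    return s
```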



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
