manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: Require signature with LDAP
Date Sat, 26 Sep 2015 10:59:52 GMT
Hi Naveen,

I've created a branch, branches/CONNECTORS-1244, that has a significantly
modified LDAP authority in it.

This LDAP authority supports four different protocols: plain LDAP, LDAP
with ssl, LDAP with tls, and LDAP with both ssl and tls.  Please check out
the branch and exercise it in your environment.  If you use any of the new
protocols, you will also need to add appropriate x509 certificates to the
connection's trust store in order for them to not fail.

I'd like to integrate this back to trunk as soon as possible, so please let
me know how things are going, and also which protocol you wound up using.

Thanks,
Karl



On Wed, Sep 23, 2015 at 10:04 AM, Naveen.A.N <anaveen@searchblox.com> wrote:

> Okay, Lets try if it works it will be good :)
>
> On Wed, Sep 23, 2015 at 7:02 PM, Karl Wright <daddywri@gmail.com> wrote:
>
> > The SSL connection ability of Java's LDAP library is, sadly, rather
> > limited.  I will only be able to implement a "trust everything" version
> of
> > SSL because of its technical limitations.  That means that we basically
> > don't check for certificate validity in the LDAP connector, and assume
> all
> > certs are OK.
> >
> > For a client, that's usually fine, but I wanted to mention it in case
> that
> > was a blocker.
> >
> > Karl
> >
> >
> > On Wed, Sep 23, 2015 at 9:17 AM, Naveen.A.N <anaveen@searchblox.com>
> > wrote:
> >
> > > Hi Karl,
> > >
> > > I am not sure I can work on it now. I will make some test by end of
> this
> > > week and let you know.
> > >
> > > On Wed, Sep 23, 2015 at 4:08 PM, Karl Wright <daddywri@gmail.com>
> wrote:
> > >
> > > > It looks like this is what we'll need to do to allow for SSL
> > connections
> > > to
> > > > LDAP:
> > > >
> > > > http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
> > > >
> > > > Note that in MCF we do not permit the use of the default keystore, so
> > > we'd
> > > > have to override the socket as well with a custom keystore.  This
> > > requires
> > > > a connection keystore, plus UI additions to support adding
> certificates
> > > to
> > > > the connection keystore.  CONNECTORS-1244.
> > > >
> > > > I'm happy to work on this but I probably won't get very far until the
> > > > weekend.
> > > >
> > > > In the meantime, it would be great if you could confirm that you
> could
> > > > connect to your LDAP using the LDAP connector modified to specify an
> > SSL
> > > > connection, with appropriate certificates added to the default Java
> > > > keystore.
> > > >
> > > > Thanks,
> > > > Karl
> > > >
> > > >
> > > > On Wed, Sep 23, 2015 at 6:24 AM, Karl Wright <daddywri@gmail.com>
> > wrote:
> > > >
> > > > > I'm afraid all that the LDAP connector does is use the provided
> Java
> > > LDAP
> > > > > library to connect to LDAP.  You'll have to play around with it
> until
> > > you
> > > > > can get it to work.  Once you figure it out, I'd be happy to change
> > > > > whatever code is needed to help it work in your environment.
> > > > >
> > > > > I'd consider figuring out first of all how to turn on SSL/TLS,
> since
> > > that
> > > > > sounds like it could be the problem.
> > > > >
> > > > > Thanks,
> > > > > Karl
> > > > >
> > > > >
> > > > > On Wed, Sep 23, 2015 at 2:51 AM, Naveen.A.N <
> anaveen@searchblox.com>
> > > > > wrote:
> > > > >
> > > > >> Hi Karl,
> > > > >>
> > > > >> Yes I am using LDAP Authority Connection .
> > > > >> if I specify the port 636 it fails with Threw exception: 'Naming
> > > error:
> > > > >> domainname:636; socket closed'.
> > > > >>
> > > > >> On Wed, Sep 23, 2015 at 11:26 AM, Karl Wright <daddywri@gmail.com
> >
> > > > wrote:
> > > > >>
> > > > >> > Hi Naveen,
> > > > >> >
> > > > >> > Can you back up a bit, and start with what connector you
are
> > using?
> > > > Is
> > > > >> > this the LDAP authority?  If so, you can specify the port.
> > > > >> >
> > > > >> > Karl
> > > > >> >
> > > > >> >
> > > > >> > On Tue, Sep 22, 2015 at 10:27 PM, Naveen.A.N <
> > > anaveen@searchblox.com>
> > > > >> > wrote:
> > > > >> >
> > > > >> > > Hi,
> > > > >> > >
> > > > >> > > When i try to connect an LDAP server it gives me this
error
> > > > >> > >
> > > > >> > > *Threw exception: 'Naming error: [LDAP: error code
8 -
> 00002028:
> > > > >> LdapErr:
> > > > >> > > DSID-0C090202, comment: The server requires binds to
turn on
> > > > integrity
> > > > >> > > checking if SSL\TLS are not already active on the connection,
> > data
> > > > 0,
> > > > >> > > v2580&#0;]'*
> > > > >> > >
> > > > >> > > When i try to use the ldp.exe and try everything was
working
> > > fine. I
> > > > >> > found
> > > > >> > > that if a server uses Required signature in LDAP server
it
> cause
> > > > this
> > > > >> > > issue. Is there any way to fix this?
> > > > >> > >
> > > > >> > > Is there a way to query the secured port?
> > > > >> > > --
> > > > >> > > Thanks and Regards,
> > > > >> > > Naveen A.N
> > > > >> > >
> > > > >> >
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Thanks and Regards,
> > > > >> Naveen A.N
> > > > >> Lead Software Developer
> > > > >> SearchBlox Software, Inc.
> > > > >> www.searchblox.com
> > > > >> Ph: +91 9445389179
> > > > >>
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Thanks and Regards,
> > > Naveen A.N
> > > Lead Software Developer
> > > SearchBlox Software, Inc.
> > > www.searchblox.com
> > > Ph: +91 9445389179
> > >
> >
>
>
>
> --
> Thanks and Regards,
> Naveen A.N
> Lead Software Developer
> SearchBlox Software, Inc.
> www.searchblox.com
> Ph: +91 9445389179
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message