tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "JNDI_startTLs_HowTo" by jmcg
Date Thu, 19 Aug 2010 21:59:15 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "JNDI_startTLs_HowTo" page has been changed by jmcg.
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo

--------------------------------------------------

New page:
In reference to: http://www.mail-archive.com/users@tomcat.apache.org/msg80660.html this Howto
describes the configuration of a JNDI Realm connecting to an LDAP directory using StartTLS
for connection establishment.

StartTLS is the method of negotiating a TLS connection. For LDAP it was first time in RFC
2830, then refined in RFC 4513.

Tomcat does not support this out of the box. Using JNDI Realm's `contextFactory` feature however,
we can still achieve this:

{{{
<Realm className="org.apache.catalina.realm.JNDIRealm"
     connectionURL="ldap://primary.ldap.dir:389"
     alternateURL="ldap://secondary.ldap.dir:389"
     connectionName="uid=binddn" connectionPassword="password."
     userBase="ou=people,dc=brainsware,dc=org" userSearch="uid={0}"
     contextFactory="tc.startTLS.LdapTlsContextFactory />
}}}

Using the code provided by Felix Schumann in this post: http://www.mail-archive.com/users@tomcat.apache.org/msg80693.html
We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then
we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do
the negotiation initialization. Afterwards the created object will be used for every authentication
attempt.

== Further Steps ==
The code probably needs auditing. More testing. And definitely more tightening: e.g.: When
starting the negotiation the client (Tomcat + `LdapTlsContextFactory`) sends an `SSLv2Hello`,
which is anything but desirable. This could be due to Sun’s poor defaults in their SSL implementation,
an oversight in the code, or because I’ve missed out a JVM startup options.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message