tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: JNDI: LDAPv3 with StartTLS
Date Wed, 18 Aug 2010 11:50:38 GMT
On Tue, 17 Aug 2010 21:30:56 +0000 (UTC), Igor Galić <i.galic@brainsware.org> wrote:
>> That looks right. I believe I have found one issue with my code. It
>> will get a InitialDirContext with your admin user and password, before
>> it is negotiating TLS. I have attached another ContextFactory, which
>> will remove admin user, password and authentication method prior to TLS
>> negotiation. After (hopefully) establishing TLS it adds those parameters
>> back in. As with the last factory, you should select a package name of
>> your liking.
> 
> Done, now the startup looks all fine in the log -- but tshark speaks a
> different language:
> 
> root@iris ~ # tshark  host 188.40.115.116 
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
>   0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [SYN] Seq=0
...
>   0.488000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=727
>   Ack=1914 Win=11648 Len=0 TSV=1189177866 TSER=97730562
> 
> This means: We are (disturbingly) sending an SSLv2 Hello, we get a TLSv1
> reply, and now we're happy... Or so I blindly guess from the fact that
> no error or warning is logged..
> I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK,
> PSH/ACK.
Don't know if this is a problem, but I don't think so. You could start
tomcat with -Djavax.net.debug=ssl to see what java thinks about the ssl/tls
handshake.

> 
> Anyway, then I try to login, and that's when this happens in the log:
> 
> SEVERE: An exception or error occurred in the container during the request processing
> java.lang.reflect.UndeclaredThrowableException
>         at $Proxy0.getAttributes(Unknown Source)
>         at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
>         at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
>         at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
This means that you specified userPattern='...' in your realm
configuration. And since your pattern looks like '(uid={0})(...)' it is
probably wrong. You have specified userSearch='uid={0}', too. So I
believe you want to read the fine documentation
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html especially
about JNDIRealm and settle on using userSearch.

As a side note, I have installed the community version of Zimbra and the
default installation seems to be usable without TLS at all. It has
disabled simple bind, however.

Bye
 Felix

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
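The factory Felix describes (open the connection without credentials, negotiate StartTLS, then add the bind parameters back) is attached to the thread but not visible in this archive page. The following is an added example of that idea written for this page, not Felix's attachment nor Tomcat project code; the package name, class name and the `(uid={0})` search filter in the note below are assumptions you should replace with your own. It is a plain `javax.naming.spi.InitialContextFactory` that Tomcat's JNDIRealm can load through its `contextFactory` attribute.

```java
package org.example.ldap;   // hypothetical package; pick one of your liking

import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;

/**
 * Opens the LDAP connection anonymously, negotiates StartTLS, and only
 * then supplies the bind credentials, so the admin DN and password never
 * cross the wire before the channel is encrypted.
 *
 * Added example for this thread (hypothetical class, not Tomcat code).
 */
public class StartTlsContextFactory implements InitialContextFactory {

    /** Environment keys that would cause a bind at connect time. */
    private static final String[] CREDENTIAL_KEYS = {
        Context.SECURITY_AUTHENTICATION,
        Context.SECURITY_PRINCIPAL,
        Context.SECURITY_CREDENTIALS
    };

    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        // Copy: the realm's own table must stay untouched.
        Hashtable<Object, Object> env = new Hashtable<Object, Object>(environment);

        // Hold back everything that would trigger a bind before TLS is up.
        // With no principal and no credentials the JNDI LDAP provider
        // connects without binding at all.
        Hashtable<String, Object> held = new Hashtable<String, Object>();
        for (String key : CREDENTIAL_KEYS) {
            Object value = env.remove(key);
            if (value != null) {
                held.put(key, value);
            }
        }

        InitialLdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls =
                (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the default SSLSocketFactory, so the server
            // certificate is validated against the JVM trust store and the
            // hostname is checked against it as well.
            tls.negotiate();
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        }

        // Channel is encrypted: put the bind parameters back. On the JNDI
        // LDAP provider, addToEnvironment with these keys causes a (re)bind
        // on the next operation, now over TLS.
        if (held.containsKey(Context.SECURITY_PRINCIPAL)
                && !held.containsKey(Context.SECURITY_AUTHENTICATION)) {
            // Realm gave a DN but no explicit method: simple bind is what
            // the provider would have inferred, so make it explicit.
            held.put(Context.SECURITY_AUTHENTICATION, "simple");
        }
        for (String key : held.keySet()) {
            ctx.addToEnvironment(key, held.get(key));
        }
        return ctx;
    }
}
```

Wire it into the realm with `contextFactory="org.example.ldap.StartTlsContextFactory"` next to `connectionURL`, `connectionName` and `connectionPassword`, and, as Felix advises above, configure the user lookup with `userBase` plus `userSearch="(uid={0})"` rather than `userPattern`; the stack trace in the thread comes from `getUserByPattern`, which JNDIRealm takes whenever `userPattern` is set. A capture such as the tshark session quoted above should then show the StartTLS extended operation before any BindRequest.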
