tomcat-users mailing list archives

From Felix Schumacher <>
Subject Re: JNDI: LDAPv3 with StartTLS
Date Wed, 18 Aug 2010 11:50:38 GMT
On Tue, 17 Aug 2010 21:30:56 +0000 (UTC), Igor Galić
<> wrote:
>> That looks right. I believe I have found one issue with my code. It will
>> get an InitialDirContext with your admin user and password, before it is
>> negotiating TLS. I have attached another ContextFactory, which will
>> remove admin user, password and authentication method prior to TLS
>> negotiation. After (hopefully) establishing TLS it adds those parameters
>> back in. As with the last factory, you should select a package name of
>> your liking.
> Done, now the startup looks all fine in the log -- but tshark speaks a different language:
> root@iris ~ # tshark  host 
> Running as user "root" and group "root". This could be dangerous.
> Capturing on eth0
>   0.000000 -> TCP 42460 > ldap [SYN] Seq=0
>   0.488000 -> TCP 42460 > ldap [ACK]
>   Ack=1914 Win=11648 Len=0 TSV=1189177866 TSER=97730562
> This means: We are (disturbingly) sending an SSLv2 Hello, we get a reply,
> and now we're happy... Or so I blindly guess from the fact that no error
> or warning is logged..
> I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK,
Don't know if this is a problem, but I don't think so. You could start
tomcat with to see what java thinks about the ssl/tls

> Anyway, then I try to login, and that's when this happens in the log:
> SEVERE: An exception or error occurred in the container during the processing
> java.lang.reflect.UndeclaredThrowableException
>         at $Proxy0.getAttributes(Unknown Source)
>         at
>         at
>         at
This means that you specified userPattern='...' in your realm
configuration. And since your pattern looks like
'(uid={0})(...)' it is probably wrong. You have specified
userSearch='uid={0}', too. So I believe you want to read the fine
especially about JNDIRealm and settle on using userSearch.

As a side note, I have installed the community version of Zimbra and the
default installation seems to be usable without TLS at all. It has disabled
simple bind, however.
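An added example of the approach Felix describes above, not the factory attached to the original mail: a JNDI InitialContextFactory that opens the LDAP connection anonymously, negotiates StartTLS on it, and only then hands the bind DN and password to the provider, so the simple bind travels over the encrypted channel. The class name and the assumption that Tomcat's JNDIRealm loads it through its contextFactory attribute are mine; the calls used (InitialLdapContext, StartTlsRequest/StartTlsResponse, addToEnvironment, reconnect) are the standard javax.naming.ldap API.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;

/**
 * Added example (hypothetical class name, not the factory attached to the
 * original mail): connect anonymously, upgrade the connection with StartTLS,
 * and only then give the provider the bind DN and password.
 */
public class StartTlsContextFactory implements InitialContextFactory {

    // Environment properties that make the JNDI LDAP provider bind on connect.
    private static final String[] AUTH_KEYS = {
        Context.SECURITY_AUTHENTICATION,
        Context.SECURITY_PRINCIPAL,
        Context.SECURITY_CREDENTIALS
    };

    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        Hashtable<Object, Object> env = environment == null
                ? new Hashtable<Object, Object>()
                : new Hashtable<Object, Object>(environment);

        // Set the credentials aside: with SECURITY_PRINCIPAL present the
        // provider sends a simple bind (password in the clear) while it
        // creates the context, i.e. before any TLS has been negotiated.
        Hashtable<String, Object> saved = new Hashtable<String, Object>();
        for (String key : AUTH_KEYS) {
            Object value = env.remove(key);
            if (value != null) {
                saved.put(key, value);
            }
        }
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // explicit anonymous connect

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // LDAP StartTLS extended operation, then the TLS handshake on the
            // same socket. negotiate() uses the default SSLSocketFactory and
            // checks the server certificate chain and the hostname.
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        }

        // Put the bind parameters back. The provider applies them lazily, so
        // reconnect() forces the simple bind now, over the encrypted channel;
        // a wrong password then fails here rather than at the realm's first search.
        if (!saved.isEmpty()) {
            for (Map.Entry<String, Object> entry : saved.entrySet()) {
                ctx.addToEnvironment(entry.getKey(), entry.getValue());
            }
            if (!saved.containsKey(Context.SECURITY_AUTHENTICATION)) {
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            }
            ctx.reconnect(null);
        }
        return ctx;
    }
}
```

Wire it in with contextFactory="&lt;package&gt;.StartTlsContextFactory" on the Realm, keep connectionURL as a plain ldap:// URL on port 389 (StartTLS upgrades that connection; ldaps:// is a separate mechanism on its own port), and, as Felix says, use userSearch with a filter such as "(uid={0})" plus userBase rather than userPattern. A capture taken with the factory in place should show the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) on port 389, then the TLS handshake, and no bind request before either.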

