tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: JNDI: LDAPv3 with StartTLS
Date Sun, 15 Aug 2010 15:37:44 GMT
Hi Igor,

On 15.08.2010 16:14, Igor Galić wrote:
>
> Hi folks,
>
> I'm running Hudson in Tomcat 6.0.29 on Debian/Squeeze/amd64 with
>
> i.galic@pheme /opt/tomcat6 % java -version
> java version "1.6.0_18"
> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-1)
> OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
>
> I'm starting the server with:
> CATALINA_OPTS-"-Djava.awt.headless=true -Djavax.net.debug=ssl:handshake -DHUDSON_HOME=${CATALINA_HOME}/webapps/hudson
-Xmx512m"
>
> In server.xml's Engine context there is a single JNDI Realm configured:
>
>          <Engine name="Catalina" defaultHost="localhost">
>
>                  <Realm className="org.apache.catalina.realm.JNDIRealm"
>                          connectionURL="ldap://mail.brainsware.org:389/"
>                          alternateURL="ldap://mail.esotericsystems.at:389"
>                          commonRole="admin" connectionName="uid=whatever" connectionPassword="securityisgreat."
>                          userBase="ou=people,dc=brainsware,dc=org" userPattern="(uid={0})(postOfficeBox=internal_projects)"
>                          userSearch="(uid={0})" />
>
> The LDAP server I'm connecting to is Zimbra (OpenLDAP), and requires StartTLS. It has
a valid Certificate, signed by Go Daddy.
> I've made sure that all parts of Go Daddy's chain are in the JVM's cacerts.
>
> When starting the server, I see this in the log:
>
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
> Aug 15, 2010 2:04:18 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality
required]
>          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023)
>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>          at javax.naming.InitialContext.init(InitialContext.java:240)
>          at javax.naming.InitialContext.<init>(InitialContext.java:214)
>          at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>          at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954)
>          at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045)
>          at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>          at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>          at org.apache.catalina.core.StandardService.start(StandardService.java:519)
>          at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>          at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:616)
>          at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>          at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
>
> I've traced the operation with wireshark only to find it's not even trying to do any
kind of SASL negotiation.
> That seems weird, since:
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm
> suggests it should be doing that by default.
>
> I'm out ideas now. and welcome any advise you can offer.
>
> So long o/~

Never used it, but wouldn't you configure "ldaps://" URLs instead of 
"ldap://" URLs? And maybe also using Port 636 instead of 389 (or 
removing the port to use it as the default port).

No idea about SASL though.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message