From Igor Galić <>
Subject Re: JNDI: LDAPv3 with StartTLS
Date Tue, 17 Aug 2010 21:30:56 GMT

> That looks right. I believe I have found one issue with my code. It
> will get an InitialDirContext with your admin user and password, before
> it is negotiating TLS. I have attached another ContextFactory, which
> will remove admin user, password and authentication method prior to TLS
> negotiation. After (hopefully) establishing TLS it adds those parameters
> back in. As with the last factory, you should select a package name of
> your liking.

Done, now the startup looks all fine in the log -- but tshark speaks a
different language:

root@iris ~ # tshark  host 
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 -> TCP 42460 > ldap [SYN] Seq=0 Win=5840 Len=0
MSS=1460 TSV=1189177744 TSER=0 WS=7
  0.000000 -> TCP ldap > 42460 [SYN, ACK] Seq=0 Ack=1
Win=5792 Len=0 MSS=1460 TSV=97730450 TSER=1189177744 WS=7
  0.000000 -> TCP 42460 > ldap [ACK] Seq=1 Ack=1 Win=5888
Len=0 TSV=1189177744 TSER=97730450
  0.004000 -> LDAP extendedReq(1) LDAP_START_TLS_OID 
  0.004000 -> TCP ldap > 42460 [ACK] Seq=1 Ack=61 Win=5888
Len=0 TSV=97730451 TSER=1189177745
  0.008000 -> LDAP extendedResp(1) [LDAP_START_TLS_OID responseName
  0.008000 -> TCP 42460 > ldap [ACK] Seq=61 Ack=15 Win=5888
Len=0 TSV=1189177746 TSER=97730452
  0.384000 -> SSLv2 Client Hello
  0.384000 -> TLSv1 Server Hello, [Unreassembled Packet [incorrect
TCP checksum]] 
  0.384000 -> TCP ldap > 42460 [PSH, ACK] Seq=1463 Ack=161
Win=5888 [TCP CHECKSUM INCORRECT] Len=408 TSV=97730546 TSER=1189177839
  0.384000 -> TCP 42460 > ldap [ACK] Seq=161 Ack=1463
Win=8832 Len=0 TSV=1189177839 TSER=97730546
  0.384000 -> TCP 42460 > ldap [ACK] Seq=161 Ack=1871
Win=11648 Len=0 TSV=1189177839 TSER=97730546
  0.408000 -> TCP 42460 > ldap [PSH, ACK] Seq=161 Ack=1871
Win=11648 Len=523 TSV=1189177846 TSER=97730546
  0.448000 -> TCP ldap > 42460 [ACK] Seq=1871 Ack=684
Win=6912 Len=0 TSV=97730562 TSER=1189177846
  0.448000 -> TCP 42460 > ldap [PSH, ACK] Seq=684 Ack=1871
Win=11648 Len=43 TSV=1189177856 TSER=97730562
  0.448000 -> TCP ldap > 42460 [ACK] Seq=1871 Ack=727
Win=6912 Len=0 TSV=97730562 TSER=1189177856
  0.448000 -> TCP ldap > 42460 [PSH, ACK] Seq=1871 Ack=727
Win=6912 [TCP CHECKSUM INCORRECT] Len=43 TSV=97730562 TSER=1189177856
  0.488000 -> TCP 42460 > ldap [ACK] Seq=727 Ack=1914
Win=11648 Len=0 TSV=1189177866 TSER=97730562

This means: we are (disturbingly) sending an SSLv2 Hello, we get a TLSv1 reply, and now
we're happy... Or so I blindly guess from the fact that no error or warning is logged.
I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK, PSH/ACK.

Anyway, then I try to login, and that's when this happens in the log:

SEVERE: An exception or error occurred in the container during the request processing
        at $Proxy0.getAttributes(Unknown Source)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(
        at org.apache.catalina.realm.JNDIRealm.getUser(
        at org.apache.catalina.realm.JNDIRealm.authenticate(
        at org.apache.catalina.realm.JNDIRealm.authenticate(
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
        at org.apache.catalina.core.StandardHostValve.invoke(
        at org.apache.catalina.valves.ErrorReportValve.invoke(
        at org.apache.catalina.core.StandardEngineValve.invoke(
        at org.apache.catalina.connector.CoyoteAdapter.service(
        at org.apache.coyote.http11.Http11Processor.process(
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.invoke(
        ... 17 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining
name 'uid=i.galic'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(
        ... 22 more

The corresponding tshark trace looks like this:
 63.591308 -> TCP 42460 > ldap [PSH, ACK] Seq=727 Ack=1914
Win=11648 Len=74 TSV=1189193646 TSER=97730562
 63.591308 -> TCP ldap > 42460 [PSH, ACK] Seq=1914 Ack=801
Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
 63.591308 -> TCP 42460 > ldap [ACK] Seq=801 Ack=1949
Win=11648 Len=0 TSV=1189193646 TSER=97746352
 63.591308 -> TCP 42460 > ldap [PSH, ACK] Seq=801 Ack=1949
Win=11648 Len=105 TSV=1189193646 TSER=97746352
 63.591308 -> TCP ldap > 42460 [PSH, ACK] Seq=1949 Ack=906
Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
 63.635308 -> TCP 42460 > ldap [ACK] Seq=906 Ack=1984
Win=11648 Len=0 TSV=1189193657 TSER=97746352

> > I haven't managed to get the to compile.
> Why? 

Because I fail at Java.

Anyway, sorry for the late reply but hell was breaking out at work. YAY Operations \o/
I hope you didn't have your hopes up too high for this to work (as I did ;)

> Bye
>  Felix


Igor Galić

Tel: +43 (0) 664 886 22 883
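The sequence Felix's factory describes (anonymous context first, StartTLS, then the admin credentials added back before the first authenticated operation), written out in plain JNDI as an added example; it is not part of this thread or of the attached factory, and the URL, bind DN and base DN are placeholders. The final lookup uses a full DN, since a name the server has no entry for is exactly what LDAP error 32 (noSuchObject) reports.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsThenBind {
    // Placeholders: replace with the real server, bind DN and base DN.
    static final String URL     = "ldap://ldap.example.invalid:389";
    static final String BIND_DN = "cn=admin,dc=example,dc=invalid";
    static final String BASE_DN = "ou=people,dc=example,dc=invalid";

    /** Open an anonymous connection, upgrade it with StartTLS, only then attach credentials. */
    static LdapContext connect(String url, String bindDn, char[] password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // No SECURITY_* keys yet: this must not bind, or the password crosses the wire in clear text.
        LdapContext ctx = new InitialLdapContext(env, null);

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // negotiate() uses the default SSLSocketFactory: the server certificate is checked against
        // the JVM trust store and its name against the host in the URL; a mismatch throws here.
        SSLSession session = tls.negotiate();
        System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite());

        // Now add the credentials. JNDI sends the bind on the next LDAP operation, so force it
        // here: a wrong password then fails in connect() rather than inside the first search.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = connect(URL, BIND_DN, args[0].toCharArray());
        // Look the user up by its full DN. A bare "uid=i.galic" is sent to the server as-is, and
        // if no entry has that exact DN the server answers with error 32 (noSuchObject).
        Attributes attrs = ctx.getAttributes("uid=i.galic," + BASE_DN, new String[] {"cn", "mail"});
        System.out.println(attrs);
        ctx.close();
    }
}
```

Run it as `java StartTlsThenBind '<admin password>'` against a server whose certificate the JVM trust store accepts; the trace should then show the extendedReq, the TLS handshake, and only afterwards the bind.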

