tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: JNDI: LDAPv3 with StartTLS
Date Tue, 17 Aug 2010 21:30:56 GMT


> That looks right. I believe I have found one issue with my code. It
> will
> get a InitialDirContext with your admin user and password, before it
> is
> negotiating TLS. I have attached another ContextFactory, which will
> remove admin user, password and authentication method prior to TLS
> negotiation. After (hopefully) establishing TLS it adds those
> parameters
> back in. As with the last factory, you should select a package name
> of
> your liking. 

Done, now the startup looks all fine in the log -- but tshark speaks a
different language:

root@iris ~ # tshark  host 188.40.115.116 
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [SYN] Seq=0 Win=5840 Len=0
MSS=1460 TSV=1189177744 TSER=0 WS=7
  0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [SYN, ACK] Seq=0 Ack=1
Win=5792 Len=0 MSS=1460 TSV=97730450 TSER=1189177744 WS=7
  0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=1 Ack=1 Win=5888
Len=0 TSV=1189177744 TSER=97730450
  0.004000 188.40.115.116 -> 188.40.115.121 LDAP extendedReq(1) LDAP_START_TLS_OID 
  0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1 Ack=61 Win=5888
Len=0 TSV=97730451 TSER=1189177745
  0.008000 188.40.115.121 -> 188.40.115.116 LDAP extendedResp(1) [LDAP_START_TLS_OID responseName
missing] 
  0.008000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=61 Ack=15 Win=5888
Len=0 TSV=1189177746 TSER=97730452
  0.384000 188.40.115.116 -> 188.40.115.121 SSLv2 Client Hello
  0.384000 188.40.115.121 -> 188.40.115.116 TLSv1 Server Hello, [Unreassembled Packet [incorrect
TCP checksum]] 
  0.384000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1463 Ack=161
Win=5888 [TCP CHECKSUM INCORRECT] Len=408 TSV=97730546 TSER=1189177839
  0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161 Ack=1463
Win=8832 Len=0 TSV=1189177839 TSER=97730546
  0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161 Ack=1871
Win=11648 Len=0 TSV=1189177839 TSER=97730546
  0.408000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=161 Ack=1871
Win=11648 Len=523 TSV=1189177846 TSER=97730546
  0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871 Ack=684
Win=6912 Len=0 TSV=97730562 TSER=1189177846
  0.448000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=684 Ack=1871
Win=11648 Len=43 TSV=1189177856 TSER=97730562
  0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871 Ack=727
Win=6912 Len=0 TSV=97730562 TSER=1189177856
  0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1871 Ack=727
Win=6912 [TCP CHECKSUM INCORRECT] Len=43 TSV=97730562 TSER=1189177856
  0.488000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=727 Ack=1914
Win=11648 Len=0 TSV=1189177866 TSER=97730562

This means: We are (disturbingly) sending an SSLv2 Hello, we get an TLSv1 reply, and now
we're happy... Or so I blindly guess from the fact that no error or warning are logged..
I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK, PS/ACK.

Anyway, then I try to login, and that's when this happens in the log:

SEVERE: An exception or error occurred in the container during the request processing
java.lang.reflect.UndeclaredThrowableException
        at $Proxy0.getAttributes(Unknown Source)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
        at org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1186)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1058)
        at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:947)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.invoke(LdapTlsContextFactory.java:73)
        ... 17 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining
name 'uid=i.galic'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
        ... 22 more

The corresponding tshark trace looks like this:
     
 63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=727 Ack=1914
Win=11648 Len=74 TSV=1189193646 TSER=97730562
 63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1914 Ack=801
Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
 63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=801 Ack=1949
Win=11648 Len=0 TSV=1189193646 TSER=97746352
 63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=801 Ack=1949
Win=11648 Len=105 TSV=1189193646 TSER=97746352
 63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK] Seq=1949 Ack=906
Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352 TSER=1189193646
 63.635308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=906 Ack=1984
Win=11648 Len=0 TSV=1189193657 TSER=97746352




> > I haven't managed to get the TlsTest.java to compile.
> Why? 

Because I fail at Java.

Anyway, sorry for the late reply but hell was breaking out at work. YAY Operations \o/
I hope you didn't have your hopes up too high for this to work (as I did ;)

> Bye
>  Felix

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message