Well, you have prompted me to respond once more! Tomcat should not have to do anything to establish an encrypted SSL connection to your LDAP server except pass on the correct parameters to the chosen LDAP driver and instantiate it. It is the LDAP driver's job to handle all the nasty details of doing the SSL connection and talking LDAP. That said, some LDAP driver factories do offer extra parameters for configuring SSL parameters beyond the SECURITY_PROTOCOL parameter. (Of course, Tomcat will be issuing the appropriate LDAP queries to do the Realm authentication, etc.)
I took a quick look at the Tomcat JNDI Realm configuration document, and it does specify that you can put in your own "contextFactory", so if you have another LDAP driver, other than Sun's reference driver, then you could try that out to see if it fixes your problem. I don't know if OpenLDAP provides their own Java LDAP driver, but it's worth a look! Have a hunt around and see what you can find. Technically speaking, any driver that implements the LDAP RFCs should be able to talk to any LDAP server that implements the RFCs, but cruel reality often imposes itself :) But yes, someone should get around to putting in a bug report about that "ldaps" matter :) If it has not already been done, that is.

Regards,
Shane.

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 May 2004 11:53 AM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness

Hi Shane!

Thanks for your help! After experimenting over the weekend, I think that this is probably a bug in the Tomcat code. I checked and corrected some problems in my OpenLDAP setup, and verified that SSL/TLS connections can be made successfully to it using ldapsearch. When I tried starting up Tomcat again, it gave me the same error. I think Tomcat may not be able to establish an encrypted connection to OpenLDAP. Unencrypted connections on port 389 seem to be OK.

Incidentally, I'm also anal retentive (that, I am told, is a national characteristic of my country), and I tried "ldaps://", but Tomcat will throw a parse error and will not accept the JNDI Realm parameters. They may have fixed it in the just-released 5.0.24, though.

Thanks for your help, again! I'm not on any specific timetable, so I don't need to fix this soon. I'll direct my question to the Tomcat developers and see if they are aware of the issue.
Regards,
pascal chong

Shane Linley wrote:
> Hi,
>
> What happens on failed connections IS driver specific, but it should NOT BY
> DEFAULT switch to using a non-SSL connection, for the sake of security if
> nothing else. The connection should be attempted; if it fails, then it should
> send back the appropriate naming exception. That said, drivers do accept
> configuration properties to modify their behaviour, so technically anything
> is possible, based on your driver's documentation.
>
> I have never used OpenLDAP so its error logs don't really mean all that much
> to me, but having done similar things in the past, you should look up your
> error codes in the OpenLDAP documentation (but it's probably the OpenSSL
> doco) as to what the error codes really mean to work out what the problem
> is. I'm referring specifically to this line (as it does match up to the
> "Request: 1 cancelled" message that the LDAP client driver reports).
>
>   May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
>
> That's all I have! Good luck.
>
> Regards,
> Shane.
>
> P.S. The anal retentive part of me still wants you to specify the ldap
> connection as ldaps://server:636 but that is completely beside the point!
> :)

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
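Shane's point above is that Tomcat's JNDIRealm only hands connectionURL, contextFactory and protocol="ssl" to the JNDI driver, which then does the TLS handshake itself. The stand-alone probe below, added here and not Tomcat's or anyone in the thread's code, reproduces that hand-off outside Tomcat so a TLS failure can be separated from a Realm configuration problem; the host, bind DN and password are placeholders, and the expectation that a handshake failure surfaces as a CommunicationException rather than a plaintext retry is stated for Sun's reference driver.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added probe (not Tomcat's code): opens an LDAP-over-SSL context the same way
// JNDIRealm does, by passing the driver its parameters and letting it do TLS.
public class LdapSslProbe {

    // Placeholder host, bind DN and password; override with -D properties.
    static final String URL     = System.getProperty("ldap.url", "ldap://ldap.example.com:636");
    static final String FACTORY = System.getProperty("ldap.factory", "com.sun.jndi.ldap.LdapCtxFactory");
    static final String BIND_DN = System.getProperty("ldap.bindDn", "cn=Manager,dc=example,dc=com");
    static final String BIND_PW = System.getProperty("ldap.bindPw", "changeme");

    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<>();
        // JNDIRealm contextFactory -> INITIAL_CONTEXT_FACTORY; another driver goes here
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        // JNDIRealm connectionURL -> PROVIDER_URL (port 636, as in the thread's setup)
        env.put(Context.PROVIDER_URL, URL);
        // JNDIRealm protocol="ssl" -> SECURITY_PROTOCOL; the driver, not Tomcat, does TLS
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println("TLS bind succeeded to " + URL);
        } catch (CommunicationException e) {
            // Transport or handshake failure ends up here as an exception; the Sun
            // driver does not silently retry in the clear, as Shane describes.
            System.err.println("Connection/TLS failure, no plaintext fallback: " + e.getRootCause());
        } catch (NamingException e) {
            System.err.println("Bind failed after the transport came up: " + e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Running it with -Dldap.url=ldaps://host:636 tries the scheme Pascal reports the Realm rejected, while the driver itself accepts it; the slapd "TLS accept error" line Shane quotes is the server-side view of the same handshake failure this probe would report.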
