Hello Tomcat-Team,

we are currently using a JNDIRealm to authenticate against an ActiveDirectory via LDAPS. For security reasons, the LDAP server should be configured to enforce channel binding tokens (CBT).

If CBT is set to enforced, however, the JNDIRealm fails with this exception:

    org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 80090346, v4563 ]; remaining name 'ou=xxx,dc=com'
        at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
        ...

Java should support CBT since version 16 according to these pages:

    https://bugs.openjdk.org/browse/JDK-8258824
    https://bugs.openjdk.org/browse/JDK-8247311

They mention that a JNDI environment property "com.sun.jndi.ldap.tls.cbtype" should be set to make JNDI work with CBT. Looking at the class JNDIRealm.java --> getDirectoryContextEnvironment(), I can't find any property with this name or any way to inject additional properties.

The realm configuration in Tomcat is quite common, nothing special:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           adCompat="true"
           allRolesMode="authOnly"
           connectionTimeout="3000"
           connectionURL="ldaps://server1:636"
           ...
           useDelegatedCredential="true"
           spnegoDelegationQop="auth" />

Has anybody succeeded in using JNDIRealm with CBT? Could the connection issue be solved with standard methods? If further information is needed, I can provide further details.

Thank you very much in advance!

Thomas
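The following stand-alone probe is an added example, not code from the original post or from Tomcat's JNDIRealm. It performs the same kind of JNDI bind directly, once without and once with the "com.sun.jndi.ldap.tls.cbtype" property that JDK-8247311 documents (value "tls-server-end-point", which the JDK applies to the GSSAPI SASL mechanism over TLS), so an administrator can confirm outside Tomcat whether the server's CBT enforcement is what produces the "data 80090346" failure. The server URL is the one from the post; the Kerberos login context it needs is assumed (run it under a JAAS/Kerberos login, e.g. with -Djavax.security.auth.useSubjectCredsOnly=false and a matching JAAS config). The error-message matching on "80090346" is a constructed diagnostic, not an official API.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Probe whether an LDAPS bind succeeds with and without the JNDI channel
 * binding property. Added example for diagnosing CBT enforcement; it is
 * not part of Tomcat and not the JNDIRealm's own code path.
 */
public class CbtBindProbe {

    // Value taken from the post's realm configuration (assumption: reachable from here).
    static final String PROVIDER_URL = "ldaps://server1:636";

    // Property name and value as documented for JDK-8247311 (JDK 16+).
    static final String CBT_PROPERTY = "com.sun.jndi.ldap.tls.cbtype";
    static final String CBT_VALUE = "tls-server-end-point";

    // AD sub-status reported in the post when channel binding is enforced but absent.
    static final String CBT_REQUIRED_MARKER = "80090346";

    /** Build the JNDI environment; withCbt toggles the channel binding property. */
    static Hashtable<String, String> buildEnv(boolean withCbt) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        // GSSAPI (Kerberos) is the mechanism the JDK's CBT support covers; a
        // Kerberos credential must already be available in the calling context.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        if (withCbt) {
            env.put(CBT_PROPERTY, CBT_VALUE);
        }
        return env;
    }

    /** Classify a bind failure: did the server reject us for missing channel binding? */
    static boolean looksLikeCbtRejection(NamingException e) {
        String msg = String.valueOf(e.getMessage());
        return e instanceof AuthenticationException && msg.contains(CBT_REQUIRED_MARKER);
    }

    /** Attempt one bind and report the outcome; returns true on success. */
    static boolean tryBind(boolean withCbt) {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(buildEnv(withCbt));
            System.out.println("bind OK (cbt=" + withCbt + ")");
            return true;
        } catch (NamingException e) {
            if (looksLikeCbtRejection(e)) {
                System.out.println("bind rejected, server demands channel binding (cbt=" + withCbt + ")");
            } else {
                System.out.println("bind failed for another reason (cbt=" + withCbt + "): " + e);
            }
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Without the property first: on a CBT-enforcing DC this should fail with 80090346.
        boolean plain = tryBind(false);
        // With the property: on JDK 16+ this is expected to succeed against the same DC.
        boolean bound = tryBind(true);
        if (!plain && bound) {
            System.out.println("CBT enforcement confirmed; the realm needs " + CBT_PROPERTY + " set.");
        }
    }
}
```

If the second attempt succeeds where the first fails, the JDK side supports CBT and the remaining gap is only that JNDIRealm does not pass the property through; if both fail with 80090346, check the JDK version first, since the property is ignored on releases before 16.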