On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Trade GmbH)" wrote:
> Hello Tomcat-Team,
> we are currently using a JNDIRealm to authenticate against an ActiveDirectory
> via LDAPs.
> For security reasons, the LDAP-Server should be configured to enforce channel
> binding token (CBT).
>
> If CBT is set to enforced however, the JNDIRealm fails with this exception:
>
> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 80090346, v4563 ]; remaining name 'ou=xxx,dc=com'
> at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
> ...
>
> Java should support CBT since version 16 according to these pages:
> https://bugs.openjdk.org/browse/JDK-8258824
> https://bugs.openjdk.org/browse/JDK-8247311
>
> It mentions that a JNDI environment property "com.sun.jndi.ldap.tls.cbtype"
> should be set to make JNDI work with CBT.
>
> Looking at the class JNDIRealm.java --> getDirectoryContextEnvironment() I
> can't find any property with this name or any way to inject additional
> properties.
>
> The realm configuration in Tomcat is quite common, nothing special:
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        adCompat="true"
>        allRolesMode="authOnly"
>        connectionTimeout="3000"
>        connectionURL="ldaps://server1:636"
>        ...
>        useDelegatedCredential="true"
>        spnegoDelegationQop="auth"
> />
>
> Has anybody succeeded in using JNDIRealm with CBT?
> Could the connection issue be solved with standard methods?
There is none, and the JNDIRealm does not provide a way to pass arbitrary properties to the DirContext. Your best shot is to extend the class, override getDirectoryContextEnvironment() and pass the desired property.

It was actually backported to older versions: https://bugs.openjdk.org/browse/JDK-8245527

My recommendation is to test it in an isolated environment first:
* Plain DirContext
* ldapsearch(1) + Cyrus SASL

In our huge enterprise this isn't enforced; I guess that qop-auth is still good enough with aes256-cts-hmac-sha1-96 (SSF 256). Even back then, when I co-reviewed the PR, I did not fully understand what the huge benefit of TLS-CB is if you have AES-256 and auth-conf with Kerberos, but I am not a security expert.

Michael
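One way to implement the subclass Michael describes, as an added example that is not from the thread or from Tomcat itself: a JNDIRealm subclass overriding getDirectoryContextEnvironment() to inject the JNDI property named in the question. The package and class names are hypothetical; it assumes Tomcat's protected getDirectoryContextEnvironment() returns a Hashtable<String, String> and that the JDK accepts "tls-server-end-point" as the value of com.sun.jndi.ldap.tls.cbtype (the binding type described in the JDK issues linked above).

```java
package com.example.realm; // hypothetical package for this example

import java.util.Hashtable;
import org.apache.catalina.realm.JNDIRealm;

/**
 * JNDIRealm subclass that adds the JNDI environment property enabling TLS
 * channel binding, which the stock realm has no attribute for.
 * Use it in server.xml by replacing the className with
 * "com.example.realm.ChannelBindingJNDIRealm"; every other Realm attribute
 * (connectionURL, adCompat, useDelegatedCredential, ...) keeps working.
 */
public class ChannelBindingJNDIRealm extends JNDIRealm {

    /** JNDI environment key from JDK-8258824 / JDK-8245527. */
    public static final String CBT_PROPERTY = "com.sun.jndi.ldap.tls.cbtype";

    /** Channel binding type (RFC 5929 "tls-server-end-point"); assumed JDK value. */
    private String tlsChannelBindingType = "tls-server-end-point";

    /** Exposed as a Realm attribute so it can be changed or emptied from server.xml. */
    public String getTlsChannelBindingType() {
        return tlsChannelBindingType;
    }

    public void setTlsChannelBindingType(String type) {
        this.tlsChannelBindingType = type;
    }

    @Override
    protected Hashtable<String, String> getDirectoryContextEnvironment() {
        // Start from everything the stock realm configures (URL, auth, timeouts ...)
        Hashtable<String, String> env = super.getDirectoryContextEnvironment();

        // Channel binding only has meaning over TLS: the token is derived from the
        // server certificate, so skip it for plain ldap:// URLs or when disabled.
        String url = getConnectionURL();
        boolean overTls = url != null && url.toLowerCase().startsWith("ldaps://");
        boolean enabled = tlsChannelBindingType != null && !tlsChannelBindingType.isEmpty();

        if (overTls && enabled) {
            env.put(CBT_PROPERTY, tlsChannelBindingType);
        }
        return env;
    }
}
```

Setting tlsChannelBindingType="" in server.xml turns the property off again, which is convenient when comparing behaviour against a directory where CBT is not yet enforced.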