Hello Joey, > -----Ursprüngliche Nachricht----- > Von: Joey Cochran <joey.coch...@mtsu.edu> > Gesendet: Mittwoch, 19. März 2025 18:27 > An: users@tomcat.apache.org > Betreff: RE: JNDIRealm with required ChannelBindingToken fails > > On 2025/03/19 08:02:43 "Thomas Hoffmann (Speed4Trade GmbH)" wrote: > > Hello Michael, > > > > > -----Ursprüngliche Nachricht----- > > > Von: Michael Osipov <micha...@apache.org> > > > Gesendet: Dienstag, 18. März 2025 22:50 > > > An: users@tomcat.apache.org > > > Betreff: Re: JNDIRealm with required ChannelBindingToken fails > > > > > > On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Trade GmbH)" > wrote: > > > > Hello Tomcat-Team, > > > > we are currently using a JNDIRealm to authenticate against an > > > ActiveDirectory via LDAPs. > > > > For security reasons, the LDAP-Server should be configured to > > > > enforce > > > channel binding token (CBT). > > > > > > > > If CBT is set to enforced however, the JNDIRealm fails with this > exception: > > > > > > > > org.apache.catalina.realm.JNDIRealm.getPrincipal Exception > > > > performing > > > authentication > > > > javax.naming.AuthenticationException: [LDAP: error code 49 - > 80090346: > > > LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, > data > > > 80090346, v4563 ]; remaining name 'ou=xxx,dc=com' > > > > at > > > > java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260 > > > ) > > > > ... > > > > > > > > Java should support CBT since version 16 according to these pages: > > > https://bugs.openjdk.org/browse/JDK-8258824 > > > https://bugs.openjdk.org/browse/JDK-8247311 > > > > > > > > It mentions, that a JNDI environment property > > > "com.sun.jndi.ldap.tls.cbtype" should be set, to make JNDI work with > CBT. > > > > > > > > Looking at the class JNDIRealm.java --> > > > getDirectoryContextEnvironment() I can't find any property with this > > > name or any way to inject additional properties. > > > > > > > > The realm configuration in Tomcat is quite common, nothing special: > > > > <Realm className="org.apache.catalina.realm.JNDIRealm" > > > > adCompat="true" > > > > allRolesMode ="authOnly" > > > > connectionTimeout="3000" > > > > connectionURL="ldaps://server1:636" > > > > ... > > > > useDelegatedCredential="true" > > > > spnegoDelegationQop="auth" > > > > /> > > > > > > > > Does anybody have succeeded in JNDIReal with CBT? > > > > Could the connection issue be solved with standard methods? > > > > > > There is none and the JNDIRealm does not provide a way to pass > > > arbitrary properties to the DirContext. you best shot is to extend > > > the class, override > > > getDirectoryContextEnvironment() and pass the desired property. > > > > > > It was actually backported to older versions: > > > https://bugs.openjdk.org/browse/JDK-8245527 > > > > > > My recommendation is to test it in an isolated environment first: > > > * Plain DirContext > > > * ldapsearch(1) + Cyrus SASL > > > > > > In our huge interprise this isn't enforced, I guess that qop-auth is > > > still good enough with aes256-cts-hmac-sha1-96 (SSF 256). Even back > > > then when I co-reviewed the PR I did not fully understand what the > > > huge benefit of TLS- CB is if you have AES-256 and auth-conf with > > > Kerberos, but I am not a security expert. > > > > > > Michael > > > > > > > Thank you for your quick reply and confirmation of the current situation. > > I can test if overriding the getDirectoryContextEnvironment() works. > > Pleaso do. > > > As far as I understood the CBT is created by some connection parameters > and prevents MITM attacks via an SSL-Proxy (like Strict-Transport-Security > for HTTP does on a higher level). > > Why not just use qop="auth-conf" and avoid TLS altogether? Kerberos will > give you all the security you need. I see usecases for the paranoid, but a > regular r/o call. > > > Would it be worth to create a feature request for Tomcat? > > Companies get more sensitive about security features nowadays and the > complexity of the feature doesn’t look very high. > > I'd prefer a generic solution for arbitrary properties like: > > additionalProperties="name=value;name2=value2;…" > > Michael > > I am just curious... is this a JAVA_OPT at runtime? > -Dcom.sun.jndi.ldap.tls.cbtype=enforce > > what are the enumerated values? > -Joey
It is hard to find examples on this topic. One of the pages I found is https://download.java.net/java/early_access/loom/docs/api/java.naming/module-summary.html The possible values determine how the token is generated: 1) tls-server-end-point 2) tls-unique Whereas 2) is not implemented. According to this page, the property is not a system property but an JNDI environment property. Thus I assume, that it must look like this (non-working?) example: https://stackoverflow.com/questions/64392108/connecting-to-ldaps-with-gss-and-channel-binding Hashtable props = new Hashtable(); props.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point"); new InitialLdapContext(props, null); Haven't tried it though Greetings, Thomas --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
