> If you are feeling lucky and are willing to compile tomcat yourself, > you > can try the attached diff. I haven't tested it, since I don't have an > ldap server around at the moment. > > You have to extend the realm configuration with > <Realm ... > startTLS="true" > ... />
Hi Felix, thanks for quick work! I've checked out the 6.0 branch, applied the patch, compiled it and run it with + <Realm className="org.apache.catalina.realm.JNDIRealm" + connectionURL="ldap://mail.brainsware.org:389/"; + alternateURL="ldap://mail.esotericsystems.at:389"; + commonRole="admin" connectionName="uid=whatever" connectionPassword="securityisgreat." + userBase="ou=people,dc=brainsware,dc=org" userPattern="(uid={0})(postOfficeBox=internal_projects)" + startTLS="true" + userSearch="(uid={0})" /> (I have my config files in subversion, this is svn diff) But the logoutput: INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev Aug 15, 2010 7:06:02 PM org.apache.catalina.realm.JNDIRealm open WARNING: Exception performing authentication javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) at javax.naming.InitialContext.init(InitialContext.java:223) at javax.naming.InitialContext.<init>(InitialContext.java:197) at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82) at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1981) at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2086) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445) at org.apache.catalina.core.StandardService.start(StandardService.java:519) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:581) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) And the wireshark scan: r...@iris ~ # tshark host 188.40.115.116 Running as user "root" and group "root". This could be dangerous. Capturing on eth0 0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1143986316 TSER=0 WS=7 0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=52538737 TSER=1143986316 WS=7 0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=1143986316 TSER=52538737 0.000000 188.40.115.116 -> 188.40.115.121 LDAP bindRequest(1) "uid=whatever" simple 0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [ACK] Seq=1 Ack=54 Win=5888 Len=0 TSV=52538737 TSER=1143986316 0.004000 188.40.115.121 -> 188.40.115.116 LDAP bindResponse(1) confidentialityRequired (confidentiality required) 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986316 TSER=52538738 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [FIN, ACK] Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986317 TSER=52538738 0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [FIN, ACK] Seq=39 Ack=55 Win=5888 Len=0 TSV=52538738 TSER=1143986317 0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=55 Ack=40 Win=5888 Len=0 TSV=1143986317 TSER=52538738 Suggest no change at this point. (Btw, it doesn't matter which JDK I use) > HTH > Felix Bye, i -- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/ --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
