On 15/08/2010 21:58, Felix Schumacher wrote:
> Ok, my patch will not work, since new InitialDirContext(env) will not
> create a LdapContext, but a DirContext. You could try to change new
> InitialDirContext(env) into InitialLdapContext(env, null) as used in the
> sun startssl example.
> 
> I will test it tomorrow.
> 
> But it may be easier to allow ssl with your ldap config :)

Or maybe an SSH tunnel?


p

> Bye
>  Felix
> 
> On Sunday, 15.08.2010, 19:10 +0000, Igor Galić wrote:
>>> If you are feeling lucky and are willing to compile tomcat yourself,
>>> you
>>> can try the attached diff. I haven't tested it, since I don't have an
>>> ldap server around at the moment.
>>>
>>> You have to extend the realm configuration with
>>>   <Realm ...
>>>      startTLS="true"
>>>    ... />
>>
>> Hi Felix,
>>
>> thanks for quick work!
>>
>> I've checked out the 6.0 branch, applied the patch, compiled it and ran it
>> with
>> +               <Realm className="org.apache.catalina.realm.JNDIRealm"
>> +                       connectionURL="ldap://mail.brainsware.org:389/";
>> +                       alternateURL="ldap://mail.esotericsystems.at:389";
>> +                       commonRole="admin" connectionName="uid=whatever" 
>> connectionPassword="securityisgreat."
>> +                       userBase="ou=people,dc=brainsware,dc=org" 
>> userPattern="(uid={0})(postOfficeBox=internal_projects)"
>> +                       startTLS="true"
>> +                       userSearch="(uid={0})" />
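Review bot: the `connectionPassword="securityisgreat."` line puts a live bind credential for `uid=whatever` into a revision-controlled server.xml and now into a public list archive; rotate that password on the directory server before continuing, and keep the value out of the diff next time. On the change itself, the tshark capture later in this message shows the realm still opens with a plain `bindRequest(1) "uid=whatever" simple` and no StartTLS extended request before it, so `startTLS="true"` is not altering the connection sequence and the server's `confidentiality required` refusal is the expected outcome, not a regression of the patch. One more thing: `userPattern` in JNDIRealm is a DN pattern with `{0}`, not a search filter; the filter `(uid={0})(postOfficeBox=internal_projects)` belongs in `userSearch`, which is already set to `(uid={0})`, e.g. `userSearch="(&(uid={0})(postOfficeBox=internal_projects))"` with `userPattern` dropped.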
>>
>> (I have my config files in subversion, this is svn diff)
>>
>> But the logoutput:
>> INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev
>> Aug 15, 2010 7:06:02 PM org.apache.catalina.realm.JNDIRealm open
>> WARNING: Exception performing authentication
>> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - 
>> confidentiality required]
>>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>>         at 
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>>         at 
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>>         at 
>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>>         at 
>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>>         at 
>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>>         at 
>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>>         at javax.naming.InitialContext.init(InitialContext.java:223)
>>         at javax.naming.InitialContext.<init>(InitialContext.java:197)
>>         at 
>> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
>>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1981)
>>         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2086)
>>         at 
>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>>         at 
>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>>         at 
>> org.apache.catalina.core.StandardService.start(StandardService.java:519)
>>         at 
>> org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>         at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>
>>
>> And the wireshark scan:
>>
>> r...@iris ~ # tshark  host 188.40.115.116 
>> Running as user "root" and group "root". This could be dangerous.
>> Capturing on eth0
>>   0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [SYN] Seq=0 
>> Win=5840 Len=0 MSS=1460 TSV=1143986316 TSER=0 WS=7
>>   0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [SYN, ACK] 
>> Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=52538737 TSER=1143986316 WS=7
>>   0.000000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=1 
>> Ack=1 Win=5888 Len=0 TSV=1143986316 TSER=52538737
>>   0.000000 188.40.115.116 -> 188.40.115.121 LDAP bindRequest(1) 
>> "uid=whatever" simple 
>>   0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [ACK] Seq=1 
>> Ack=54 Win=5888 Len=0 TSV=52538737 TSER=1143986316
>>   0.004000 188.40.115.121 -> 188.40.115.116 LDAP bindResponse(1) 
>> confidentialityRequired (confidentiality required) 
>>   0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=54 
>> Ack=39 Win=5888 Len=0 TSV=1143986316 TSER=52538738
>>   0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [FIN, ACK] 
>> Seq=54 Ack=39 Win=5888 Len=0 TSV=1143986317 TSER=52538738
>>   0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 40203 [FIN, ACK] 
>> Seq=39 Ack=55 Win=5888 Len=0 TSV=52538738 TSER=1143986317
>>   0.004000 188.40.115.116 -> 188.40.115.121 TCP 40203 > ldap [ACK] Seq=55 
>> Ack=40 Win=5888 Len=0 TSV=1143986317 TSER=52538738
>>
>> Suggest no change at this point.
>>
>> (Btw, it doesn't matter which JDK I use)
>>  
>>> HTH
>>>  Felix
>>
>> Bye,
>> i


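For reference, the sequence Felix describes (an anonymous `InitialLdapContext`, the StartTLS extended operation, and only then the simple bind) is exactly what the capture above lacks: there the first LDAP PDU is the cleartext `bindRequest`, which the directory rejects with `confidentiality required`. The following is an added example, not code from the thread or from Tomcat's JNDIRealm patch; the URL and bind DN are placeholders and the password is taken from the caller.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsThenBind {
    // Placeholders (not the values from the thread); replace with your own.
    static final String URL = "ldap://ldap.example.com:389/";
    static final String BIND_DN = "uid=svc-tomcat,ou=people,dc=example,dc=com";

    /** Opens an LDAP connection, upgrades it with StartTLS, then binds. */
    public static LdapContext open(String url, String bindDn, char[] password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no SECURITY_* entries here: the context is created
        // anonymously so nothing sensitive is sent before TLS is up. This
        // needs an LdapContext; a plain InitialDirContext cannot issue
        // extended operations.
        LdapContext ctx = new InitialLdapContext(env, null);

        // StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037). negotiate()
        // uses the default SSLSocketFactory and trust store, so an untrusted or
        // mismatched server certificate fails here instead of being ignored.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession session = tls.negotiate();
        System.out.println("TLS established: " + session.getProtocol()
                + " " + session.getCipherSuite());

        // Credentials are added only now, so the simple bind travels inside
        // the TLS session; reconnect() performs the bind with the updated env.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("bind password: ");
        try (LdapContext ctx = open(URL, BIND_DN, pw)) {
            System.out.println("bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            java.util.Arrays.fill(pw, '\0');
        }
    }
}
```

On the wire this yields an extendedReq before any bindRequest, which is the sequence to look for in tshark when checking whether a realm's StartTLS support is actually in effect.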