Hi Shane!

Thanks for your help! After experimenting over the weekend, I think that this is probably a bug in the Tomcat code. I checked and corrected some problems in my OpenLDAP setup, and verified that SSL/TLS connections can be made successfully to it using ldapsearch. When I tried starting up Tomcat again, it gave me the same error. I think Tomcat may not be able to establish an encrypted connection to OpenLDAP. Unencrypted connections on port 389 seem to be ok.

Incidentally, I'm also anal retentive (that, I am told, is a national characteristic of my country), and I tried "ldaps://", but Tomcat will throw a parse error and will not accept the JNDI Realm parameters.

They may have fixed it in the just-released 5.0.24, though. Thanks for your help, again! I'm not on any specific timetable, so I don't need to fix this soon. I'll direct my question to the Tomcat developers and see if they are aware of the issue.

Regards,
pascal chong



Shane Linley wrote:

Hi,

What happens on failed connections IS driver specific, but it should NOT BY
DEFAULT switch to using a non-SSL connection, for the sake of security if
nothing else. The connection should be attempted; if it fails,
then it should send back the appropriate naming exception. That said, drivers
do accept configuration properties to modify their behaviour, so technically
anything is possible, based on your driver's documentation.

I have never used OpenLDAP so its error logs don't really mean all that much
to me, but having done similar things in the past you should look up your
error codes in the OpenLDAP documentation (but it's probably the OpenSSL
doco) as to what the error codes really mean to work out what the problem
is. I'm referring specifically to this line (as the id does match up to the
"Request: 1 cancelled" message that the LDAP client driver reports).

May  7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.

P.S. The anal retentive part of me still wants you to specify the LDAP
connection as ldaps://server:636, but that is completely beside the point!
:)
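For reference, this is what the ldaps://server:636 form Shane suggests looks like in a Tomcat JNDIRealm element. It is an added example, not configuration from either message or from the Tomcat project, and it assumes a Tomcat version that accepts the ldaps:// URL (Pascal reports his did not); the hostname, DNs, password and the truststore path below are placeholders.

```xml
<!-- server.xml fragment (added example, not from the thread).
     JNDIRealm authenticating against OpenLDAP over LDAPS on port 636.
     connectionURL uses the ldaps:// scheme so the realm never opens a
     plaintext port-389 session; protocol="ssl" sets the JNDI
     java.naming.security.protocol property for the same purpose.
     Host, DNs and password are placeholder values. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.com:636"
       protocol="ssl"
       connectionName="cn=tomcat,ou=services,dc=example,dc=com"
       connectionPassword="CHANGE-ME"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})" />
```

The JVM must trust the certificate slapd presents, otherwise the client aborts the handshake and slapd logs a TLS accept error of the kind quoted above. One way to rule that out is to import the OpenLDAP CA certificate into a truststore with `keytool -import -trustcacerts -alias ldap-ca -file ca.pem -keystore /path/to/truststore.jks` (placeholder paths) and point Tomcat at it with `-Djavax.net.ssl.trustStore=/path/to/truststore.jks` in JAVA_OPTS before starting it.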
