[ http://issues.apache.org/jira/browse/DERBY-1000?page=comments#action_12418713 ]

Anders Morken commented on DERBY-1000:
--------------------------------------

Now that DERBY-1174 is resolved, the patches attached to this issue are 
technically all you need to let Derby use SSL-enabled LDAP connections to an 
LDAP directory. While I've tested this manually, I haven't written a regression 
test for it. You need a lot of manual preparation to test this - most notably 
an SSL-enabled LDAP server to query and bind against, and you need the LDAP 
server's SSL certificate (or the CA certificate that signed the LDAP server's 
cert) in your Java installation's trusted certificate store. See 
http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html for more 
details.
The fact that you need to import the LDAP server's cert should probably be 
mentioned in the docs as well. Is the above URL "stable" enough for us to refer 
to in Derby documentation?

> For LDAP authentication: derby.authentication.server should support ldaps:// 
> as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-1000
>          URL: http://issues.apache.org/jira/browse/DERBY-1000
>      Project: Derby
>         Type: Bug
>   Components: Newcomer, Security
>     Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 
> 10.1.2.1, 10.1.2.2, 10.2.0.0
>  Environment: all
>     Reporter: Sunitha Kambhampati
>     Assignee: Anders Morken
>     Priority: Trivial
>  Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
> derby.authentication.server does not recognize a secure LDAP URL, i.e. if the 
> URL starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
> derby.authentication.provider=LDAP
> derby.authentication.server=ldaps://xyz.abc.com:636
> derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
> derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
> derby.connection.requireAuthentication=true
> throws InvalidNameException
> ij> connect 'jdbc:derby:testdb;user=a;password=p';
> ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid 
> name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and if 
> derby.authentication.server is set, then the ldapServer is either of the 
> format //server:port or it already starts with ldap://; else it just adds 
> ldap://.
> Thus for an ldaps://xyz.com:636 URL, it will become 
> ldap://ldaps://xyz.com:636
> In the code snippet, dfltLDAPURL is "ldap://":
>         if (ldapServer.startsWith(dfltLDAPURL))
>             this.providerURL = ldapServer;
>         else if (ldapServer.startsWith("//"))
>             this.providerURL = "ldap:" + ldapServer;
>         else
>             this.providerURL = dfltLDAPURL + ldapServer;
>     }
>     initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure LDAP, i.e. ldaps://, in 
> derby.authentication.server. Add a condition to support ldaps://, 
> i.e.:
>         if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
>             this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
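As an added illustration, not code from Derby or from the patches attached to this issue, the Java class below places the provider-URL logic the report describes beside the proposed fix, and builds the JNDI environment the way the comment's trust-store remark implies. The class and method names (LdapProviderUrlExample, buggyProviderUrl, fixedProviderUrl, dirContextEnv) are invented for the example; the host xyz.abc.com:636 is the one from the report.

```java
import java.util.Hashtable;
import javax.naming.Context;

/**
 * Added example (not Derby's own code). Shows how a derby.authentication.server
 * value is turned into a JNDI provider URL, before and after ldaps:// support.
 */
public class LdapProviderUrlExample {
    private static final String DFLT_LDAP_URL = "ldap://";
    private static final String LDAPS_URL = "ldaps://";

    /**
     * Mirrors the logic quoted in the report: ldaps:// is not recognised, so
     * "ldaps://host:636" is treated as a bare host and becomes
     * "ldap://ldaps://host:636", which JNDI rejects with InvalidNameException.
     */
    static String buggyProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    /**
     * The proposed fix: a value that already carries either scheme is passed
     * through unchanged; the //host:port and bare host:port forms still get
     * the plain ldap:// default.
     */
    static String fixedProviderUrl(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL) || ldapServer.startsWith(LDAPS_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    /**
     * Builds the JNDI environment. With an ldaps:// provider URL the LDAP
     * context factory negotiates TLS and validates the server certificate
     * against the JVM trust store, so the server's certificate (or the CA
     * that signed it) must be present there; nothing in this code can make
     * an untrusted certificate acceptable, and that is the intended behaviour.
     */
    static Hashtable<String, String> dirContextEnv(String providerUrl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the four forms the report mentions.
        String[] inputs = {
            "ldaps://xyz.abc.com:636",
            "ldap://xyz.abc.com:389",
            "//xyz.abc.com:389",
            "xyz.abc.com:389"
        };
        for (String in : inputs) {
            System.out.println(in
                + "  buggy -> " + buggyProviderUrl(in)
                + "  fixed -> " + fixedProviderUrl(in));
        }
        // The environment that would be handed to InitialDirContext:
        System.out.println(dirContextEnv(fixedProviderUrl(inputs[0])));
    }
}
```

Running main shows the first input mapped to ldap://ldaps://xyz.abc.com:636 by the old branch and left as ldaps://xyz.abc.com:636 by the fixed one, while the other three forms are handled identically by both. Even with the fixed URL, a real InitialDirContext created from dirContextEnv will only succeed once the LDAP server's certificate chain is trusted by the JVM (for example via the javax.net.ssl.trustStore system property), which is the manual preparation the comment describes.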
