Issue #717 has been updated by Raphaël Ouazana.

Status changed from Assigned to Feedback
Assigned to changed from Raphaël Ouazana to Clément OUDOT
% Done changed from 0 to 70
This should be fixed in branch 2.1 and in trunk. Please test.

Francesco, your patch was correct but it seems you were using an asyncLdapSourceService. So the first sync used TLS, but the async one didn't use TLS.

----------------------------------------
Bug #717: StartTLS ignored
http://tools.lsc-project.org/issues/717

Author: Francesco Malvezzi
Status: Feedback
Priority: Normal
Assigned to: Clément OUDOT
Category: Core
Target version: 2.1.2
Problem in version: 2.1.1

The switch tlsActivated is ignored. In order to enable it, add the following lines in org.lsc.jndi.JndiServices at line 410:

<pre>
// Propagate the connection's tlsActivated setting to the JNDI environment
if (connection.isTlsActivated() != null) {
    LOGGER.info("is TlsActivated? " + connection.isTlsActivated());
    props.setProperty("java.naming.tls", Boolean.toString(connection.isTlsActivated()));
}
</pre>

but after that, I see:

<pre>
ago 08 16:08:17 - INFO - Connecting to LDAP server ldap://ldap2.example.org:389/dc=example,dc=org as cn=provisionator,ou=agents,dc=example,dc=org with STARTTLS extended operation
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:18 - DEBUG - Sending request
    MessageType : BIND_REQUEST
    Message ID : 1
    BindRequest
        Version : '3'
        Name : 'cn=provisionator,ou=agents,dc=example,dc=org'
        Simple authentication : 'secret/0x47 0x55 0x65 0x45 0x6D 0x4E 0x32 0x72 '
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - -------> MessageType : BIND_RESPONSE
    Message ID : 1
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : ''
Message received <-------
</pre>

Note the expected "with STARTTLS extended operation". Unfortunately something is still wrong:

<pre>
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug 8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
francesco@b1:~$ sudo grep 'conn=4282642' /var/log/ldap.log
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
</pre>

As you can read from the slapd log, lsc creates a start_tls session, drops it, then starts a cleartext (no ssl, no tls) connection which fails due to the access control list of the OpenLDAP.

Hope it helps,
Francesco
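The slapd log above shows the pattern an LDAP administrator would want to catch in general: a simple BIND (method=128) on a connection that never completed STARTTLS. The following is an added detection example, not code from LSC or from the bug report; it parses a constructed slapd log sample modelled on the lines quoted above and reports such cleartext binds per connection.

```python
import re
from collections import defaultdict

# Constructed sample in OpenLDAP slapd log format, modelled on the bug report:
# conn=4282641 negotiates STARTTLS and is dropped without binding, then
# conn=4282642 performs a simple bind (method=128) with no TLS at all.
SAMPLE_LOG = """\
Aug  8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug  8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug  8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug  8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug  8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
Aug  8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug  8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug  8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug  8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
"""

# conn=<id> followed by the rest of the slapd message for that connection
CONN_RE = re.compile(r"conn=(\d+) (.*)$")
# op=<n> BIND dn="<dn>" method=<n>; method=128 is a simple (password) bind
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')


def find_cleartext_binds(log_text):
    """Return [(conn_id, bind_dn)] for every non-anonymous simple bind that
    happened on a connection which had not logged 'TLS established' yet."""
    tls_up = defaultdict(bool)  # conn id -> TLS negotiated on this connection
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if "TLS established" in rest:
            tls_up[conn] = True
        b = BIND_RE.search(rest)
        if b and b.group(1) and b.group(2) == "128" and not tls_up[conn]:
            findings.append((conn, b.group(1)))
    return findings


if __name__ == "__main__":
    for conn, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"cleartext simple bind on conn={conn} as {dn}")
```

Binds over ldaps:// also produce a "TLS established" line in slapd's log, so the check only flags plaintext-port binds without a prior STARTTLS on that same connection.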
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-dev mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-dev

