Issue #717 has been updated by Francesco Malvezzi.
I confirm it now works. Actually I was using an asyncLdapSourceService. With a plain ldapSourceService it works. Tried the 2.1 branch.

Thank you so much,
Francesco

----------------------------------------
Bug #717: StartTLS ignored
http://tools.lsc-project.org/issues/717

Author: Francesco Malvezzi
Status: Feedback
Priority: Normal
Assigned to: Clément OUDOT
Category: Core
Target version: 2.1.2
Problem in version: 2.1.1

The tlsActivated switch is ignored. In order to enable it, add the following lines at org.lsc.jndi.JndiServices line 410:

<pre>
// propagate the connection's tlsActivated flag into the JNDI environment
if (connection.isTlsActivated() != null) {
    LOGGER.info("is TlsActivated? " + connection.isTlsActivated());
    props.setProperty("java.naming.tls", Boolean.toString(connection.isTlsActivated()));
}
</pre>

but after that, I see:

<pre>
ago 08 16:08:17 - INFO - Connecting to LDAP server ldap://ldap2.example.org:389/dc=example,dc=org as cn=provisionator,ou=agents,dc=example,dc=org with STARTTLS extended operation
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:17 - DEBUG - found X509TrustManager sun.security.ssl.X509TrustManagerImpl@3be61638
ago 08 16:08:18 - DEBUG - Sending request
MessageType : BIND_REQUEST
Message ID : 1
    BindRequest
        Version : '3'
        Name : 'cn=provisionator,ou=agents,dc=example,dc=org'
        Simple authentication : 'secret/0x47 0x55 0x65 0x45 0x6D 0x4E 0x32 0x72 '
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
ago 08 16:08:18 - DEBUG - -------> 
MessageType : BIND_RESPONSE
Message ID : 1
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : ''
Message received <-------
</pre>

Note the expected: "with STARTTLS extended operation"

Unfortunately something is still wrong:

<pre>
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug 8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
francesco@b1:~$ sudo grep 'conn=4282642' /var/log/ldap.log
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
</pre>

As you can read from the slapd log, LSC creates a start_tls session, drops it, then starts a cleartext (no SSL, no TLS) connection which fails due to the access control list of OpenLDAP.

Hope it helps,
Francesco

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-dev mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-dev
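The slapd log quoted in the report is the evidence that settles this bug: the STARTTLS connection closes without doing anything, and the actual BIND arrives on a second, cleartext connection. The check below is an added example written for this page; it is not LSC code and not part of the thread. It reads slapd "stats" log lines in the format shown above and reports (a) simple binds (method=128) that carry a DN on a connection which never logged "TLS established", i.e. a password sent in the clear, and (b) connections that completed STARTTLS and then closed without issuing any further operation, which is the exact pattern in the report. The sample input reuses the two connections from the report plus a constructed third connection (conn=4282643) that does it right, so the healthy case produces no finding.

```python
"""Flag LDAP simple binds that reach slapd without TLS, from slapd stats logs.

Added example for the LSC bug #717 thread; not LSC project code.
Assumes OpenLDAP "stats" loglevel output, where every line of one socket
carries the same conn=<id> and simple (password) binds log method=128.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) ")
STARTTLS_RE = re.compile(r"^op=(?P<op>\d+) STARTTLS$")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')

SIMPLE_BIND = 128  # slapd's method code for LDAP simple (password) bind


@dataclass
class ConnState:
    tls: bool = False                 # saw "TLS established" on this conn
    starttls_op: Optional[int] = None  # op number of the STARTTLS exop
    ops_after_tls: int = 0            # operations issued once TLS was up


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (conn_id, finding, detail) tuples in log order."""
    conns = {}
    findings = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line
        conn, rest = m.group("conn"), m.group("rest")
        st = conns.setdefault(conn, ConnState())

        if rest.startswith("fd=") and "TLS established" in rest:
            st.tls = True
            continue

        s = STARTTLS_RE.match(rest)
        if s:
            st.starttls_op = int(s.group("op"))

        # Count real work done after the TLS layer came up; the RESULT of the
        # STARTTLS exop itself does not count.
        o = OP_RE.match(rest)
        if o and st.tls and int(o.group("op")) != st.starttls_op:
            st.ops_after_tls += 1

        b = BIND_RE.match(rest)
        if b and int(b.group("method")) == SIMPLE_BIND and not st.tls:
            dn = b.group("dn")
            if dn:  # anonymous simple binds (dn="") carry no password
                findings.append((conn, "cleartext_simple_bind", dn))

        if rest.startswith("fd=") and " closed" in rest:
            if st.tls and st.ops_after_tls == 0:
                findings.append((conn, "tls_session_unused",
                                 "closed right after STARTTLS"))
    return findings


# Sample input: conn=4282641 and conn=4282642 are the lines from the report;
# conn=4282643 is constructed here to show a correct STARTTLS-then-bind flow.
SAMPLE_LOG = """\
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 ACCEPT from IP=my_ip:42469 (IP=0.0.0.0:389)
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 STARTTLS
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 op=0 RESULT oid= err=0 text=
Aug 8 16:08:17 b1 slapd[2666]: conn=4282641 fd=42 TLS established tls_ssf=256 ssf=256
Aug 8 16:08:18 b1 slapd[2666]: conn=4282641 fd=42 closed (connection lost)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 ACCEPT from IP=my_ip:42470 (IP=0.0.0.0:389)
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 op=0 RESULT tag=97 err=49 text=
Aug 8 16:08:18 b1 slapd[2666]: conn=4282642 fd=44 closed (connection lost)
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 fd=45 ACCEPT from IP=my_ip:42471 (IP=0.0.0.0:389)
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 op=0 STARTTLS
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 op=0 RESULT oid= err=0 text=
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 fd=45 TLS established tls_ssf=256 ssf=256
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 op=1 BIND dn="cn=provisionator,ou=agents,dc=example,dc=org" method=128
Aug 8 16:09:00 b1 slapd[2666]: conn=4282643 op=1 RESULT tag=97 err=0 text=
Aug 8 16:09:01 b1 slapd[2666]: conn=4282643 fd=45 closed
""".splitlines()


if __name__ == "__main__":
    for conn, finding, detail in analyze(SAMPLE_LOG):
        print(f"conn={conn} {finding}: {detail}")
```

Run against the report's lines it prints one finding per connection: conn=4282641 is an unused TLS session and conn=4282642 is a cleartext simple bind for cn=provisionator. The client-side LSC log alone ("with STARTTLS extended operation") would not have revealed this, which is why the server log is the check to keep. On the OpenLDAP side, requiring a minimum ssf for simple binds (the security directive or ssf clauses in ACLs) turns such a misconfigured client into a hard failure rather than a silently leaked password, which is what the err=49 in the report reflects.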

