Hi guys,

  I have just spent two days getting Tomcat JNDIRealm authentication working against 
our Novell DNS LDAP directory server over SSL. So while it is all fresh in my head, 
here is how to enable SSL support in the OXF LDAP processor too. ;-)

The reason we need this: with the OXF LDAP processor out of the box, Novell LDAP 
answers by default with:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - This LDAP 
server does not accept cleartext passwords]

A) Tomcat 4.1.24

1. Our LDAP server uses a self-signed cert, so import the root cert for the CA into 
the Java trusted store (the default keystore password is 'changeit'):

  %JAVA_HOME%\bin\keytool -import -alias rootcertalias -v -noprompt -keystore %JAVA_HOME%\jre\lib\security\cacerts -file ./RootCert.der

2. Add the appropriate <security-constraint> elements to web.xml. This is the 
same as for non-SSL LDAP.

3. Add the JNDIRealm to your Tomcat application context. Ours looks like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
      connectionURL="ldap://192.168.1.1:636"
      userPattern="cn={0},ou=Users,ou=OU,o=ORG"
      protocol="ssl"
    />

If it is set up correctly you will see this in the log:

2003-10-22 18:03:09 JNDIRealm[/dev/oxfsandbox]: Connecting to URL 
ldap://192.168.1.1:636

Note the use of protocol="ssl". This is picked up by the open() method of the 
JNDIRealm.java class in Tomcat:

    protected DirContext open() throws NamingException {

        // Do nothing if there is a directory server connection already open
        if (context != null)
            return (context);

        // Establish a connection and retrieve the initial context
        if (debug >= 1)
            log("Connecting to URL " + connectionURL);
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        if (connectionName != null)
            env.put(Context.SECURITY_PRINCIPAL, connectionName);
        if (connectionPassword != null)
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        if (connectionURL != null)
            env.put(Context.PROVIDER_URL, connectionURL);
        if (authentication != null)
            env.put(Context.SECURITY_AUTHENTICATION, authentication);
        if (protocol != null)
            env.put(Context.SECURITY_PROTOCOL, protocol);   // "ssl" turns on JSSE
        if (referrals != null)
            env.put(Context.REFERRAL, referrals);

        // ... remaining environment entries omitted here; the method then
        // creates the context from this environment and caches it:
        context = new InitialDirContext(env);
        return (context);
    }

This relies on the Sun javax.net.ssl libraries from the JSSE:

http://java.sun.com/products/jsse/

The relevant bit is Context.SECURITY_PROTOCOL, which needs to be set to "ssl".


B) OXF LDAP processor

So now to OXF. This is our current configuration:

  <p:processor uri="oxf/processor/ldap" xmlns:p="http://www.orbeon.com/oxf/pipeline">
    <p:input name="config">
      <config>
        <host>192.168.1.1</host>
        <port>636</port>
        <bind-dn>cn=drand,ou=Users,ou=OU,o=ORG</bind-dn>
        <password>password</password>
        <root-dn>ou=OU,o=ORG</root-dn>
        <attribute>cn</attribute>
        <attribute>objectclass</attribute>
      </config>
    </p:input>
    <p:input name="filter">
      <filter>(objectclass=*)</filter>
    </p:input>
    <p:output name="data" id="ldap-results"/>
  </p:processor>
  
This doesn't work over SSL because Context.SECURITY_PROTOCOL isn't being 
set.

The config probably needs something equivalent to the JNDIRealm protocol attribute, e.g.:

    <p:input name="config">
      <config>
        <host>192.168.1.1</host>
        <port>636</port>
        <protocol>SSL</protocol>
        <bind-dn>cn=drand,ou=Users,ou=OU,o=ORG</bind-dn>
        <password>password</password>
        <root-dn>ou=OU,o=ORG</root-dn>
        <attribute>cn</attribute>
        <attribute>objectclass</attribute>
      </config>
    </p:input>
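To show what the proposed <protocol> element would have to do, here is an added example (my own code, not OXF's processor or Tomcat's JNDIRealm). It builds the JNDI environment from values mirroring the <config> elements above, sets Context.SECURITY_PROTOCOL to "ssl" only when the configured protocol says so (normalising the case, since the JNDI LDAP provider expects the lowercase literal), and then runs the (objectclass=*) filter under the root DN. The host, port, bind DN, password and the buildEnvironment/search method names are assumptions matching the post; nothing is sent anywhere unless you pass --connect.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example: what an OXF <protocol> element would have to map to in the
 * JNDI environment. Written against the JDK 1.4-era API (raw collections,
 * SearchResult.getName()) to match the Tomcat 4.1 setup in the post.
 */
public class LdapSslExample {

    /** Mirrors <host>, <port>, <protocol>, <bind-dn>, <password> (names assumed). */
    static Hashtable buildEnvironment(String host, int port, String protocol,
                                      String bindDn, String password) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Without this entry the simple bind goes out in cleartext, which is
        // what produced "error code 8" in the post. The provider looks for
        // the exact string "ssl", so accept any case from the config here.
        if (protocol != null && protocol.trim().equalsIgnoreCase("ssl")) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Opens the context, searches rootDn with filter, returns the entry names found. */
    static List search(Hashtable env, String rootDn, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(env);   // TLS handshake happens here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "cn", "objectclass" });
            List names = new ArrayList();
            NamingEnumeration results = ctx.search(rootDn, filter, sc);
            while (results.hasMore()) {
                SearchResult r = (SearchResult) results.next();
                names.add(r.getName());
            }
            return names;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values taken from the post's config; replace with yours.
        Hashtable env = buildEnvironment("192.168.1.1", 636, "SSL",
                "cn=drand,ou=Users,ou=OU,o=ORG", "password");
        System.out.println("PROVIDER_URL      = " + env.get(Context.PROVIDER_URL));
        System.out.println("SECURITY_PROTOCOL = " + env.get(Context.SECURITY_PROTOCOL));

        // Only contact the server when explicitly asked.
        if (args.length > 0 && "--connect".equals(args[0])) {
            List names = search(env, "ou=OU,o=ORG", "(objectclass=*)");
            System.out.println(names.size() + " entries under ou=OU,o=ORG");
        }
    }
}
```

Two points worth knowing when you try this. First, the CA import in step A.1 goes into the JVM-wide cacerts file, so every Java program on that JDK now trusts that CA; if you would rather scope the trust to one application, put the root cert in its own keystore and start the JVM with -Djavax.net.ssl.trustStore=/path/to/store (and -Djavax.net.ssl.trustStorePassword=...), which JSSE reads in place of cacerts. Second, if the handshake fails you will get an SSLHandshakeException wrapped in a CommunicationException from the InitialDirContext constructor, not the "error code 8" message; that is the quickest way to tell a trust-store problem from a missing SECURITY_PROTOCOL entry.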
    
Hope this helps.

Damon.
_______________________________________________
oxf-users mailing list
[EMAIL PROTECTED]
http://mail.orbeon.com/mailman/listinfo/oxf-users
