Hi Damon,

Thank you for the suggestion. I've implemented the SSL support in the
LDAP Processor. Let me know if you would like a patch, and I'll send
you the new JAR file by email.

Julien



Damon Rand wrote:

Hi guys,

I have just spent two days getting Tomcat JNDIRealm authentication working against our Novell DNS LDAP directory server over SSL. So while it is all fresh in my head, here is how to enable SSL support in the OXF LDAP processor too. ;-)

The reason we need to do this is that Novell LDAP says this by default with the OXF LDAP processor out of the box:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - This LDAP server does not accept cleartext passwords]

A) Tomcat 4.1.24

1. Our LDAP server uses a self-signed cert. So... Import the rootcert for the CA into
the Java trusted store. (Default password is 'changeit'.)

  %JAVA_HOME%\bin\keytool -import -alias rootcertalias -v -noprompt -keystore %JAVA_HOME%\jre\lib\security\cacerts -file ./RootCert.der

2. Add the appropriate <security-constraint> elements to the web.xml. This is the same as non-SSL LDAP.

3. Add a valve to your Tomcat application context. Ours looks like:

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
      connectionURL="ldap://192.168.1.1:636"
      userPattern="cn={0},ou=Users,ou=OU,o=ORG"
      protocol="ssl"
    />

If correctly set up you will see this in the access log.

2003-10-22 18:03:09 JNDIRealm[/dev/oxfsandbox]: Connecting to URL ldap://192.168.1.1:636

Note the use of protocol="ssl". This is used in the open method in the JNDIRealm.java class in Tomcat.

    protected DirContext open() throws NamingException {

        // Do nothing if there is a directory server connection already open
        if (context != null)
            return (context);

        // Establish a connection and retrieve the initial context
        if (debug >= 1)
            log("Connecting to URL " + connectionURL);
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        if (connectionName != null)
            env.put(Context.SECURITY_PRINCIPAL, connectionName);
        if (connectionPassword != null)
            env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
        if (connectionURL != null)
            env.put(Context.PROVIDER_URL, connectionURL);
        if (authentication != null)
            env.put(Context.SECURITY_AUTHENTICATION, authentication);
        if (protocol != null)
            env.put(Context.SECURITY_PROTOCOL, protocol);
        if (referrals != null)
            env.put(Context.REFERRAL, referrals);

        // ... (excerpt; the method goes on to create the InitialDirContext from env)
    }


This is relying on the Sun javax.net.ssl libraries from the JSSE.

http://java.sun.com/products/jsse/

The relevant bit is Context.SECURITY_PROTOCOL which needs to be set to "ssl".


B) OXF LDAP processor..


So now to OXF..

<p:processor uri="oxf/processor/ldap" xmlns:p="http://www.orbeon.com/oxf/pipeline">
    <p:input name="config">
        <config>
            <host>192.168.1.1</host>
            <port>636</port>
            <bind-dn>cn=drand,ou=Users,ou=OU,o=ORG</bind-dn>
            <password>password</password>
            <root-dn>ou=OU,o=ORG</root-dn>
            <attribute>cn</attribute>
            <attribute>objectclass</attribute>
        </config>
    </p:input>
    <p:input name="filter">
        <filter>(objectclass=*)</filter>
    </p:input>
    <p:output name="data" id="ldap-results"/>
</p:processor>

The following doesn't work over SSL because the Context.SECURITY_PROTOCOL isn't being set..


Config probably needs something equivalent to the JNDIRealm protocol attrib.. eg.

<p:input name="config">
    <config>
        <host>192.168.1.1</host>
        <port>636</port>
        <protocol>SSL</protocol>
        <bind-dn>cn=drand,ou=Users,ou=OU,o=ORG</bind-dn>
        <password>password</password>
        <root-dn>ou=OU,o=ORG</root-dn>
        <attribute>cn</attribute>
        <attribute>objectclass</attribute>
    </config>
</p:input>

Hope this helps.


Damon.
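The mechanism Damon describes, as an added stand-alone example that is not Tomcat or OXF code: it builds the same JNDI environment JNDIRealm.open() builds, but makes the SSL decision explicit, refusing a simple bind (which sends the password in the clear) unless protocol is "ssl". Host, port and bind DN are the values from the thread; the class name, buildEnv and the bind password are constructed for the example.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example (not Tomcat or OXF code). The simple-bind password only
// leaves the JVM when Context.SECURITY_PROTOCOL is "ssl"; without it the
// server's "does not accept cleartext passwords" error would be the only guard.
public class LdapsBind {
    static Hashtable<String, String> buildEnv(String host, int port, String protocol,
                                              String bindDn, String password) {
        boolean ssl = "ssl".equalsIgnoreCase(protocol);
        if (!ssl && password != null) {
            throw new IllegalArgumentException(
                "simple bind over cleartext LDAP refused; use protocol=\"ssl\" on port 636");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Same URL form as the JNDIRealm config (ldap:// on the LDAPS port); SECURITY_PROTOCOL turns on JSSE.
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (ssl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    public static void main(String[] args) {
        Hashtable<String, String> env = buildEnv("192.168.1.1", 636, "ssl",
                "cn=drand,ou=Users,ou=OU,o=ORG", "CHANGE-ME"); // constructed placeholder password
        try {
            // The server cert must chain to a CA in the JSSE trust store (the cacerts import in step A1).
            DirContext ctx = new InitialDirContext(env);
            System.out.println("bound over SSL to " + env.get(Context.PROVIDER_URL));
            ctx.close();
        } catch (AuthenticationNotSupportedException e) {
            // "error code 8 - This LDAP server does not accept cleartext passwords" lands here.
            System.err.println("bind method rejected: " + e.getMessage());
        } catch (NamingException e) {
            System.err.println("connection failed: " + e);
        }
    }
}
```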
_______________________________________________
oxf-users mailing list
[EMAIL PROTECTED]
http://mail.orbeon.com/mailman/listinfo/oxf-users

