Ok, what if I forget the startTLS thing and start with LDAPS; is it supported in Shiro LDAP Realm?
On Mon, Jul 27, 2015 at 8:46 PM, Kevin Minder <[email protected]> wrote:

> Ok did a bit more digging and it looks like the Shiro LDAP Realm we are using does not implement StartTLS. It seems as though other Shiro Realm implementations do, as evidenced here:
>
> http://jmchung.github.io/blog/2014/10/03/integrating-shiro-with-cas-authentication-via-ldap/
>
> But I see no evidence that the JndiLdapRealm upon which the KnoxLdapRealm is based has the code described here for StartTLS support:
>
> https://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html
>
> This would be a valuable area for you to contribute to either Knox or Shiro if this capability is important for your use case. Also note that LDAPS should provide equivalent security.
>
> From: Aneela Saleem
> Reply-To: "[email protected]"
> Date: Monday, July 27, 2015 at 11:07 AM
> To: "[email protected]"
> Subject: Re: Apache Knox Web API
>
> I just tried to enable startTLS for LDAP. I just followed this link:
>
> https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
>
> On Mon, Jul 27, 2015 at 8:02 PM, Kevin Minder <[email protected]> wrote:
>
>> Well what have you changed since it last worked?
>>
>> From: Aneela Saleem
>> Reply-To: "[email protected]"
>> Date: Monday, July 27, 2015 at 11:01 AM
>> To: "[email protected]"
>> Subject: Re: Apache Knox Web API
>>
>> But what could be the issue, as it was working fine before?
>>
>> On Mon, Jul 27, 2015 at 7:35 PM, Kevin Minder <[email protected]> wrote:
>>
>>> In the development branch (called master) we have added several features to help diagnose LDAP issues. However, to take advantage of these you will need to build Knox from source, as these features are not yet included in an official release.
>>>
>>> From: Aneela Saleem
>>> Reply-To: "[email protected]"
>>> Date: Monday, July 27, 2015 at 10:26 AM
>>> To: "[email protected]"
>>> Subject: Re: Apache Knox Web API
>>>
>>> But I did not get your point.
>>>
>>> On Mon, Jul 27, 2015 at 7:22 PM, Kevin Minder <[email protected]> wrote:
>>>
>>>> I believe the default LDAP port is 389. Is your OpenLDAP server listening on 389?
>>>>
>>>> Otherwise, would it be possible for you to build and use the master branch version of Knox? We have recently added several LDAP diagnostics that might help us here.
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: "[email protected]"
>>>> Date: Monday, July 27, 2015 at 10:14 AM
>>>> To: "[email protected]"
>>>> Subject: Re: Apache Knox Web API
>>>>
>>>> Hi Kevin,
>>>>
>>>> I'm using OpenLDAP
>>>>
>>>> On Mon, Jul 27, 2015 at 6:59 PM, Kevin Minder <[email protected]> wrote:
>>>>
>>>>> I’m suspecting this:
>>>>>
>>>>> <param>
>>>>>   <name>main.ldapRealm.contextFactory.url</name>
>>>>>   <value>ldap://localhost</value>
>>>>> </param>
>>>>>
>>>>> What LDAP server are you using?
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: "[email protected]"
>>>>> Date: Sunday, July 26, 2015 at 2:53 PM
>>>>> To: "[email protected]"
>>>>> Subject: Re: Apache Knox Web API
>>>>>
>>>>> <param>
>>>>>   <name>main.ldapRealm.contextFactory.url</name>
>>>>>   <value>ldap://localhost</value>
>>>>> </param>
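Kevin's point that LDAPS gives equivalent protection without realm support for StartTLS, shown as an added Java example (not Knox or Shiro code, just plain JNDI as in the Oracle tutorial he links): the LDAPS bind beside the StartTLS sequence the JndiLdapRealm lacks. Host names, DNs and the password are placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class LdapBindOverTls {

    private static final String CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    // LDAPS: TLS is up before the first LDAP message, so the simple bind never
    // sends DN + password in clear. An ldaps:// URL plus a JVM trust store holding
    // the server's CA is all a realm without StartTLS support needs.
    static LdapContext bindOverLdaps(String ldapsUrl, String userDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CTX_FACTORY);
        env.put(Context.PROVIDER_URL, ldapsUrl);             // e.g. ldaps://ldap.example.org:636 (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);            // bind happens here, inside TLS
    }

    // StartTLS: connect on plain ldap:// with no credentials, upgrade with the
    // StartTLS extended operation, then bind. A realm that skips the middle step
    // would send the password in clear on port 389.
    static LdapContext bindWithStartTls(String ldapUrl, String userDn, String password)
            throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CTX_FACTORY);
        env.put(Context.PROVIDER_URL, ldapUrl);              // e.g. ldap://ldap.example.org:389 (placeholder)
        LdapContext ctx = new InitialLdapContext(env, null); // anonymous so far, nothing secret sent
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession session = tls.negotiate();                // handshake; server cert checked against the JVM trust store
        if (!session.isValid()) {
            throw new IOException("StartTLS negotiation did not produce a usable TLS session");
        }
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);                                 // force the bind now, over the encrypted channel
        return ctx;
    }
}
```

With the KnoxLdapRealm the first path is selected by pointing main.ldapRealm.contextFactory.url at an ldaps:// URL; the gateway JVM must then trust the LDAP server's certificate, or the bind fails at the handshake.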
