Michael,

On 1/9/20 2:21 AM, Michael Osipov wrote:
> On 2020-01-09 at 01:34, Christopher Schultz wrote:
>> All,
>>
>> For anyone who has experience with LDAP in Java, I need a little
>> help. I have some code connecting to an LDAP server and doing all
>> the wonderful things I want to do, but I'd like to customize the
>> SSLSocket(Factory) that gets used by the connection to e.g. limit
>> the cipher suites, provide client certs, a custom trust store,
>> etc.
>>
>> I've done some Googling and it looks like I can do this:
>>
>> props.put("java.naming.ldap.factory.socket",
>>           "com.example.CustomSSLSocketFactory");
>>
>> But that means that my CustomSSLSocketFactory class must have
>> hard-coded (or statically set) values for the various settings.
>> Yuck.
>>
>> The Tomcat code (for JNDIRealm) supports customization for
>> STARTTLS, and that appears to be able to use a custom
>> SSLSocketFactory *instance*. But it looks like that requires the
>> use of STARTTLS which I do not need. I'm working with
>> LDAP-over-TLS.
>>
>> Has anyone worked with Java's LDAP code enough to know if this
>> is possible and/or how to do it? I know I can fall back to a
>> hard-coded or statically-configured SSLSocketFactory class but
>> I'd prefer something a little more explicitly configurable.
>
> Chris,
>
> STARTTLS != LDAPS.

Correct. I was trying to make it clear that I'd like to use TLS, not
STARTTLS. I see examples for setting an SSLSocketFactory for STARTTLS
(in Tomcat's code) but I do not want to go that route because I am
using actual TLS.

> STARTTLS is an LDAPv3 extension with its OID. The clients request
> this in-band and the server, if supported, switches to it.
>
> Please clarify why you are mixing a custom socket with STARTTLS?

I am not.

> Do you want to customize the socket or modify the STARTTLS
> negotiation?

I want to specify the SSLSocketFactory *instance* to use (not just a
class name) for a real LDAP-over-TLS connection.
-chris
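The reason the property only takes a class name is that the JDK's LDAP provider (com.sun.jndi.ldap.Connection) loads the named class by reflection and calls its static, no-argument getDefault() to obtain the SocketFactory. The class therefore has to exist statically, but its *configuration* does not: the class can be a thin shell whose getDefault() returns a wrapper around whatever SSLSocketFactory instance the application installed beforehand. The following is an added example illustrating that pattern; it is not code from the thread, from Tomcat's JNDIRealm, or from the JDK. The class name ConfiguredSSLSocketFactory, the install() method, the trust-store path and password, the LDAP URL and the bind DN/credentials are all assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical example class (not from the thread, Tomcat or the JDK).
 * JNDI names this class in "java.naming.ldap.factory.socket" and calls the
 * static getDefault() reflectively; every socket it hands out is created by
 * the SSLSocketFactory instance installed at runtime via install().
 */
public final class ConfiguredSSLSocketFactory extends SSLSocketFactory {

    // Set by the application before InitialDirContext is created.
    private static volatile SSLSocketFactory delegate;
    private static volatile String[] protocols;
    private static volatile String[] cipherSuites; // null = delegate's defaults

    /** Installs the factory instance (and TLS limits) that getDefault() will expose to JNDI. */
    public static void install(SSLSocketFactory factory, String[] enabledProtocols, String[] enabledCipherSuites) {
        delegate = factory;
        protocols = enabledProtocols;
        cipherSuites = enabledCipherSuites;
    }

    /** Called by reflection from com.sun.jndi.ldap.Connection. Hides SSLSocketFactory.getDefault(). */
    public static SSLSocketFactory getDefault() {
        if (delegate == null) {
            throw new IllegalStateException("ConfiguredSSLSocketFactory.install() was not called");
        }
        return new ConfiguredSSLSocketFactory();
    }

    // Applies the protocol/cipher restriction and keeps hostname verification on.
    // JDK 8u181+ sets the "LDAPS" endpoint identification algorithm itself unless
    // com.sun.jndi.ldap.object.disableEndpointIdentification is set; doing it here
    // also covers older JDKs and a wrapped factory that forgot it.
    private static SSLSocket configure(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        if (protocols != null) ssl.setEnabledProtocols(protocols);
        if (cipherSuites != null) ssl.setEnabledCipherSuites(cipherSuites);
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("LDAPS");
        ssl.setSSLParameters(p);
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return configure(delegate.createSocket()); }
    @Override public Socket createSocket(String host, int port) throws IOException { return configure(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException { return configure(delegate.createSocket(host, port, localHost, localPort)); }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return configure(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return configure(delegate.createSocket(address, port, localAddress, localPort)); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { return configure(delegate.createSocket(s, host, port, autoClose)); }

    /** Usage: private trust store, TLS 1.2/1.3 only, two AEAD suites, then bind over LDAPS. */
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("ldap-truststore.p12")) { // assumed path/password
            trust.load(in, "changeit".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument: KeyManagers for client certificates, if the server requires them.
        ctx.init(null, tmf.getTrustManagers(), null);

        install(ctx.getSocketFactory(),
                new String[] {"TLSv1.3", "TLSv1.2"},
                new String[] {"TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"});

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // assumed host
        env.put("java.naming.ldap.factory.socket", ConfiguredSSLSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=reader,dc=example,dc=com"); // assumed DN
        env.put(Context.SECURITY_CREDENTIALS, "secret");

        DirContext dir = new InitialDirContext(env);
        System.out.println("Bound over LDAPS with " + ConfiguredSSLSocketFactory.class.getSimpleName());
        dir.close();
    }
}
```

The static holder is still there, which is the part of the API that cannot be avoided, but it now holds an instance built from real configuration rather than values baked into the class. The cost is one configuration per class per class loader: a process that must talk to two LDAP servers with different trust stores or client certificates needs either two such classes or a registry keyed by something the factory can read (for example the target host passed to createSocket). Keep the endpoint-identification line even if you trust the JDK default, since a caller can disable the JDK's check with a single system property and the custom factory is then the only thing standing between the bind credentials and a spoofed server.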