Hi Igor,

On 15.08.2010 16:14, Igor Galić wrote:
> Hi folks,
>
> I'm running Hudson in Tomcat 6.0.29 on Debian/Squeeze/amd64 with
>
> i.ga...@pheme /opt/tomcat6 % java -version
> java version "1.6.0_18"
> OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-1)
> OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
>
> I'm starting the server with:
>
> CATALINA_OPTS="-Djava.awt.headless=true -Djavax.net.debug=ssl:handshake -DHUDSON_HOME=${CATALINA_HOME}/webapps/hudson -Xmx512m"
>
> In server.xml's Engine context there is a single JNDI Realm configured:
>
> <Engine name="Catalina" defaultHost="localhost">
>   <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://mail.brainsware.org:389/"
>          alternateURL="ldap://mail.esotericsystems.at:389"
>          commonRole="admin"
>          connectionName="uid=whatever"
>          connectionPassword="securityisgreat."
>          userBase="ou=people,dc=brainsware,dc=org"
>          userPattern="(uid={0})(postOfficeBox=internal_projects)"
>          userSearch="(uid={0})"
>   />
>
> The LDAP server I'm connecting to is Zimbra (OpenLDAP), and requires
> StartTLS. It has a valid certificate, signed by Go Daddy. I've made sure
> that all parts of Go Daddy's chain are in the JVM's cacerts.
>
> When starting the server, I see this in the log:
>
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.29
> Aug 15, 2010 2:04:18 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - confidentiality required]
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3023)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>     at javax.naming.InitialContext.init(InitialContext.java:240)
>     at javax.naming.InitialContext.<init>(InitialContext.java:214)
>     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>     at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1954)
>     at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2045)
>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>     at org.apache.catalina.core.StandardService.start(StandardService.java:519)
>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>     at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:616)
>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>
> I've traced the operation with Wireshark only to find it's not even
> trying to do any kind of SASL negotiation. That seems weird, since:
> http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-com.sun/jndi/com/sun/jndi/ldap/LdapClient.java.htm
> suggests it should be doing that by default.
>
> I'm out of ideas now, and welcome any advice you can offer.
>
> So long o/~

Never used it, but wouldn't you configure "ldaps://" URLs instead of "ldap://" URLs? And maybe also using Port 636 instead of 389 (or removing the port to use it as the default port).

No idea about SASL though.

Regards,

Rainer
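
The log above shows LDAP result code 13 (confidentialityRequired): the directory refused a bind sent over the unencrypted port-389 connection. As an added example (not code from this thread or from Tomcat), this is the order of operations a JNDI client needs for StartTLS on an ldap:// URL; the host, bind DN and the LDAP_BIND_PW environment variable are placeholder assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsBind {
    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions), not taken from the thread.
        String url = "ldap://ldap.example.org:389/";
        String bindDn = "uid=svc-tomcat,ou=people,dc=example,dc=org";
        String password = System.getenv("LDAP_BIND_PW");
        if (password == null) {
            throw new IllegalStateException("set LDAP_BIND_PW");
        }

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no credentials here: if they were in the environment,
        // the provider would bind on the plaintext connection first, which a
        // server that requires confidentiality answers with result code 13.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Ask the server to upgrade the existing connection to TLS.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // TLS handshake; the server certificate is checked against the
            // JVM trust store (cacerts unless overridden).
            SSLSession session = tls.negotiate();
            System.out.println("TLS up: " + session.getProtocol()
                    + " " + session.getCipherSuite());

            // Only now supply credentials and bind over the protected channel.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null); // re-authenticates with the new credentials
            System.out.println("Bound as " + bindDn);
        } finally {
            if (tls != null) {
                tls.close(); // ends the TLS session
            }
            ctx.close();
        }
    }
}
```

With an "ldaps://" URL, as suggested in the reply, the TLS handshake happens when the connection is opened, so the StartTLS step is not needed and the credentials can go into the initial environment.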