On Mon, 16 Aug 2010 22:39:14 +0000 (UTC), Igor Galić <i.ga...@brainsware.org> wrote:
> ----- "Felix Schumacher" <felix.schumac...@internetallee.de> wrote:
>
>> On Sun, 15 Aug 2010 21:33:09 +0000 (UTC), Igor Galić
>> <i.ga...@brainsware.org> wrote:
>> > ----- "Felix Schumacher" <felix.schumac...@internetallee.de> wrote:
>> >
>> >> Ok, my patch will not work, since new InitialDirContext(env) will not
>> >> create a LdapContext, but a DirContext. You could try to change new
>> >> InitialDirContext(env) into InitialLdapContext(env, null) as used in the
>> >> sun startssl example.
>> I have implemented an InitialContextFactory which does startTLS internally.
>>
>> That factory can be used with the standard JNDIRealm implementation. Just
>> extend your original Realm with
>> <Realm
>>   ...
>>   contextFactory="dummy.LdapTlsContextFactory"
>>   ...
>> />
>
> Following your advice, I compiled the source (within the tree) and extended
> the configuration to this:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://mail.brainsware.org:389/"
>        alternateURL="ldap://mail.esotericsystems.at:389"
>        commonRole="admin" connectionName="uid=whatever"
>        connectionPassword="securityisgreat."
>        userBase="ou=people,dc=brainsware,dc=org"
>        userPattern="(uid={0})(postOfficeBox=internal_projects)"
>        startTLS="true"
>        contextFactory="org.apache.naming.factory.LdapTlsContextFactory"
>        userSearch="(uid={0})" />

Either use the LdapTlsContextFactory, or the patched tomcat. Not both. I
would advise to use the factory, since you can use a supported tomcat.

I had attached a second java class to my last mail, which you can use to
test the connection to your ldap server without tomcat. You may have to
specify a java keystore with your trusted certs. You can do this by
specifying the java env variable
-Djavax.net.ssl.trustStore=PATH_TO_MY/truststore.jks. If you want to learn
more about the tls steps, you can specify -Djavax.net.debug=ssl.

> The wireshark trace still looks the same.
> But the stacktrace is now two:
>
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.0-dev
> Aug 16, 2010 10:37:25 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 -
> confidentiality required]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
>         at org.apache.naming.factory.LdapTlsContextFactory$ProxyLdapContext.<init>(LdapTlsContextFactory.java:31)
>         at org.apache.naming.factory.LdapTlsContextFactory$ProxyLdapContext.<init>(LdapTlsContextFactory.java:25)
>         at org.apache.naming.factory.LdapTlsContextFactory.getInitialContext(LdapTlsContextFactory.java:96)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
>         at javax.naming.InitialContext.init(InitialContext.java:223)
>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
>         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1982)
>         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2087)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:519)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Aug 16, 2010 10:37:26 PM org.apache.catalina.startup.Catalina start
> SEVERE: Catalina.start:
> LifecycleException: Exception opening directory server connection:
> javax.naming.NotContextException: Not an instance of LdapContext
>         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:2089)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:519)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Aug 16, 2010 10:37:26 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 538 ms

That stacktrace is probably due to using both the patched realm and
tls-enabled context factory.

Bye
 Felix

>
>>
>> Bye
>>  Felix
>
> bye,
> i

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
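The thread above describes the approach (an InitialContextFactory that negotiates StartTLS and is wired into an unpatched JNDIRealm via contextFactory=) but Felix's attached class is not on this page. What follows is an added example of such a factory, written for this edit; it is not Felix's LdapTlsContextFactory and not Tomcat code. The class name StartTlsContextFactory and its package are hypothetical, and it assumes the JDK's own LDAP provider (com.sun.jndi.ldap.LdapCtxFactory) and javax.naming.ldap.StartTlsRequest, which exist in Java 5 and later. The security-relevant ordering it shows is the one that avoids the "error code 13 - confidentiality required" result in the trace: if SECURITY_PRINCIPAL and SECURITY_CREDENTIALS are present when InitialLdapContext is constructed, the JDK provider sends the simple bind in cleartext before anything else, so the factory strips them, negotiates TLS, and only then binds. It also includes a small main() for testing the server without Tomcat, in the spirit of the second class Felix mentions; run it with -Djavax.net.ssl.trustStore=PATH_TO_MY/truststore.jks and, if you want to watch the handshake, -Djavax.net.debug=ssl.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical InitialContextFactory (added example, not Felix's attached
 * class and not part of Tomcat) that upgrades a plain ldap://host:389
 * connection with StartTLS BEFORE the simple bind is sent. Wire it into an
 * unpatched JNDIRealm with contextFactory="StartTlsContextFactory" (use the
 * fully qualified name if you put it in a package).
 */
public class StartTlsContextFactory implements InitialContextFactory {

    // The JDK's real LDAP provider. We must delegate to it explicitly; leaving
    // INITIAL_CONTEXT_FACTORY pointing at this class would make JNDI call us
    // again from inside InitialLdapContext (recursion).
    private static final String JDK_LDAP_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        Hashtable<Object, Object> env = new Hashtable<Object, Object>(environment);

        // Step 1: take the credentials (JNDIRealm's connectionName/
        // connectionPassword) out so the initial connect is anonymous and
        // nothing secret crosses the wire in cleartext.
        Object principal = env.remove(Context.SECURITY_PRINCIPAL);
        Object credentials = env.remove(Context.SECURITY_CREDENTIALS);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        env.put(Context.INITIAL_CONTEXT_FACTORY, JDK_LDAP_FACTORY);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // Step 2: StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037).
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the default SSLSocketFactory, so the server
            // certificate is validated against -Djavax.net.ssl.trustStore and the
            // host name from the URL is checked against the certificate. Do not
            // weaken this with tls.setHostnameVerifier() returning true.
            SSLSession session = tls.negotiate();
            if (session == null || !session.isValid()) {
                throw new NamingException("StartTLS negotiation did not produce a valid TLS session");
            }

            // Step 3: the channel is now encrypted; bind with the real credentials.
            // reconnect(null) forces the bind immediately so a wrong password
            // fails here instead of on the first search.
            if (principal != null) {
                ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
                ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
                ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
                ctx.reconnect(null);
            }
            return ctx;
        } catch (IOException e) {
            ctx.close();
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        } catch (NamingException e) {
            ctx.close();
            throw e;
        }
    }

    /** Smoke test without Tomcat: java StartTlsContextFactory ldap://host:389/ bindDN password */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: StartTlsContextFactory <ldap-url> <bind-dn> <password>");
            System.exit(2);
        }
        Hashtable<Object, Object> env = new Hashtable<Object, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, StartTlsContextFactory.class.getName());
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, args[2]);
        DirContext ctx = new InitialLdapContext(env, null);
        System.out.println("bound over StartTLS as " + args[1]);
        ctx.close();
    }
}
```

Two notes on the design. The realm only ever calls close() on the context it gets back, which drops the socket and with it the TLS layer; a wrapper that also calls StartTlsResponse.close() first (the kind of ProxyLdapContext visible in the trace) gives a graceful TLS shutdown but is not required for correctness. And the factory never falls back to a cleartext bind when negotiate() fails; a server that answers error 13 is asking for exactly that guarantee, so the right behaviour is to fail closed.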