StartTLS for LDAP queries

Description

http://www.igniterealtime.org/community/message/196602

This patch adds TLS support for LDAP connections (RFC2830) by using a LDAPv3 style extended operation.

There are a few drawbacks when using TLS instead of SSL:

  • The JNDI LDAP connection pool must be disabled since we cannot find out whether StartTLS has been invoked already. (InitialLdapContext could create a new connection or use an existing connection). -> com.sun.jndi.ldap.connect.pool = false; See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.

  • Context.REFERRAL = "follow" is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warn message will be logged).

  • checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).

  • You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.

I am currently testing it with openfire 3.6.4 against Active Directory's LDAP service.

Greetings,

Daniel

Environment

None

Activity

Show:
Sebastian Wendel
October 11, 2015, 4:20 PM

Just added some notes to the corresponding community thread:

https://community.igniterealtime.org/thread/48391

Feature was not fully integrated.

Guus der Kinderen
January 11, 2010, 12:02 AM

Applied patch with minor changes (to make use of java generics, updated license header).

Fixed

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann