StartTLS for LDAP queries

Description

http://www.igniterealtime.org/community/message/196602

This patch adds TLS support for LDAP connections (RFC2830) by using an LDAPv3 style extended operation.

There are a few drawbacks when using TLS instead of SSL:

  • The JNDI LDAP connection pool must be disabled since we cannot find out whether StartTLS has been invoked already. (InitialLdapContext could create a new connection or use an existing connection). -> com.sun.jndi.ldap.connect.pool = false; See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.

  • Context.REFERRAL = "follow" is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warn message will be logged).

  • checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).

  • You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.

I am currently testing it with Openfire 3.6.4 against Active Directory's LDAP service.

Greetings,

Daniel
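The connection sequence the patch describes, written out as an added example (not the patch's code and not Openfire's): a hypothetical JNDI helper that disables the connection pool, refuses to follow referrals, negotiates StartTLS on the open connection and only then binds with a dummy lookup. The server URL, bind DN and password are placeholders supplied by the caller.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Hypothetical helper: open an LDAP connection, upgrade it with the StartTLS
 *  extended operation (RFC 2830) and bind with the real credentials afterwards. */
public final class StartTlsLdapExample {

    public static LdapContext connect(String url, String bindDn, String password) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // placeholder, e.g. "ldap://ldap.example.test:389"
        // Pooling must be off: a pooled connection might be reused before/without StartTLS.
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        // Never "follow": the provider opens referral connections without StartTLS (plaintext).
        env.put(Context.REFERRAL, "throw");
        // Start without credentials so nothing secret crosses the wire before TLS is up.
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // TLS handshake on the existing connection; the server certificate is validated
            // against the JVM's default trust store.
            tls.negotiate();

            // Re-bind after negotiation. Changing the environment alone sends nothing; the
            // dummy lookup forces the provider to issue the bind over the TLS channel.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.lookup(""); // wrong credentials surface here as AuthenticationException
            return ctx;
        } catch (Exception e) {
            tls.close();
            ctx.close();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments; replace with a real directory to run this.
        LdapContext ctx = connect("ldap://ldap.example.test:389",
                "cn=openfire,ou=service,dc=example,dc=test", "secret");
        System.out.println("Bound over StartTLS: " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        ctx.close();
    }
}
```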

Environment

None

Activity

Guus der Kinderen
January 11, 2010, 12:02 AM

Applied patch with minor changes (to make use of java generics, updated license header).

Sebastian Wendel
October 11, 2015, 4:20 PM

Just added some notes to the corresponding community thread:

https://community.igniterealtime.org/thread/48391

Feature was not fully integrated.

Fixed

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Minor