StartTLS for LDAP queries

Description

This patch adds TLS support for LDAP connections (RFC2830) by using a LDAPv3 style extended operation.

There are a few drawbacks when using TLS instead of SSL:

The JNDI LDAP connection pool must be disabled since we cannot find out whether StartTLS has been invoked already. (InitialLdapContext could create a new connection or use an existing connection). -> com.sun.jndi.ldap.connect.pool = false; See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.
Context.REFERRAL = "follow" is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warn message will be logged).
checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).
You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.

I am currently testing it with openfire 3.6.4 against Active Directory's LDAP service.

Greetings,

Daniel

None

None

Show:

Guus der Kinderen

January 11, 2010, 12:02 AM

Copy link to comment

Applied patch with minor changes (to make use of java generics, updated license header).

Sebastian Wendel

October 11, 2015, 4:20 PM

Copy link to comment

Just added some notes to the corresponding community thread:

Feature was not fully integrated.

Guus der Kinderen

Daryl Herzmann

None

None

None

Minor

Configure