LDAP with TLS authentication issues

    I've recently had to add TLS to an existing implementation of LDAP authentication. I checked out the documentation and it seemed pretty straightforward - just add a DefaultTlsDirContextAuthenticationStrategy into the existing DefaultSpringSecurityContextSource. This particular implementation just requires authentication, not authorisation, so it uses simple bind authentication. It is also low volume so connection pooling is not required, so I disabled connection pooling and set shutdownTlsGracefully to true.
    Testing against OpenLDAP I found there were 2 issues with this:
    1) The TLS interaction was being initiated with the server, but the user was not being authenticated - the bind did not appear to be happening. The logs from slapd for the non-TLS and TLS tests were:
    conn=32 fd=14 ACCEPT from IP= (IP=
    conn=32 op=0 BIND dn="uid=joe,ou=People,dc=blah,dc=com" method=128
    conn=32 op=0 BIND dn="uid=joe,ou=People,dc=blah,dc=com" mech=SIMPLE ssf=0
    conn=32 op=0 RESULT tag=97 err=0 text=
    conn=32 op=1 UNBIND
    conn=32 fd=14 closed
    conn=33 fd=14 ACCEPT from IP= (IP=
    conn=33 op=0 STARTTLS
    conn=33 op=0 RESULT oid= err=0 text=
    conn=33 fd=14 TLS established tls_ssf=128 ssf=128
    conn=33 fd=14 closed (connection lost)

    When I retried the user login with an incorrect password I got exactly the same behaviour and the user was authenticated when they should not have been.

    It appears that SimpleDirContextAuthenticationStrategy and DefaultTlsDirContextAuthenticationStrategy are not symmetrical in their behaviour. I resolved this by creating a custom TlsDirContextAuthenticationStrategy and adding a ctx.reconnect() to the applyAuthentication(), after the environment settings for a simple bind have been set, as follows:

    // protected so that it overrides the abstract method in AbstractTlsDirContextAuthenticationStrategy
    protected void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // Force reconnect with user credentials so that the BIND is actually sent over the TLS connection
        ctx.reconnect(null);
    }

    2) In my initial testing I had an issue with the TLS connection not being closed correctly. When I checked out the source, AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation() creates a context proxy instance if shutdownTlsGracefully is true. This context is returned by the method to AbstractContextSource, but it is discarded at that point, as follows:

    public DirContext getContext(String principal, String credentials) {
        DirContext ctx = createContext(getAuthenticatedEnv(principal, credentials));

        try {
            authenticationStrategy.processContextAfterCreation(ctx, principal, credentials);
            return ctx;
            // Should be
            // return authenticationStrategy.processContextAfterCreation(ctx, principal, credentials);
            // so that the returned DirContext is the proxy that wraps TlsResponse.
        } catch (NamingException e) {
            throw LdapUtils.convertLdapException(e);
        }
    }
    I have seen a few issues relating to problems executing multiple StartTLS operation calls to an LDAP server - this may be the cause.

    This applies to spring-ldap 1.3.1-RELEASE and spring-security-ldap 3.0.7-RELEASE (but it seems the same in the latest 3.1.4-RELEASE).
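    As an added example (not the original poster's code and not part of Spring LDAP), here is the reconnecting StartTLS strategy written out as a complete class, together with a small check that a wrong password is actually rejected - which is the symptom the post describes. It uses the plain LdapContextSource parent of DefaultSpringSecurityContextSource so it can run outside Spring Security; the server URL, user DN and password are assumed placeholders supplied on the command line. The class name ReconnectingTlsAuthenticationStrategy and the helper bindSucceeds() are hypothetical.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapContext;

import org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * Hypothetical StartTLS strategy (not part of Spring LDAP): after the TLS layer
 * is negotiated, force a simple BIND so that the server actually verifies the
 * password instead of the connection staying anonymous.
 */
public class ReconnectingTlsAuthenticationStrategy extends AbstractTlsDirContextAuthenticationStrategy {

    @Override
    protected void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException {
        // Setting "simple" explicitly is an assumption for clarity; the initial
        // context is created without credentials when a TLS strategy is used.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // Changing the environment alone sends nothing to the server; reconnect
        // makes JNDI re-bind on the now TLS-protected connection.
        ctx.reconnect(null);
    }

    /** Returns true only if the server accepted the BIND for userDn/password. */
    static boolean bindSucceeds(LdapContextSource source, String userDn, String password) {
        DirContext ctx = null;
        try {
            ctx = source.getContext(userDn, password);
            return true;
        } catch (org.springframework.ldap.AuthenticationException e) {
            // Server answered the BIND with invalidCredentials (err=49 in slapd logs)
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder values; replace with your own server, user DN and password.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.test:389";
        String userDn = args.length > 1 ? args[1] : "uid=joe,ou=People,dc=example,dc=test";
        String password = args.length > 2 ? args[2] : "correct-password";

        LdapContextSource source = new LdapContextSource();
        source.setUrl(url);
        source.setPooled(false);                  // pooled connections and StartTLS do not mix
        ReconnectingTlsAuthenticationStrategy strategy = new ReconnectingTlsAuthenticationStrategy();
        strategy.setShutdownTlsGracefully(true);
        source.setAuthenticationStrategy(strategy);
        source.afterPropertiesSet();

        boolean good = bindSucceeds(source, userDn, password);
        boolean bad = bindSucceeds(source, userDn, password + "-wrong");
        System.out.println("correct password accepted: " + good);
        System.out.println("wrong password accepted:   " + bad);
        if (bad) {
            // Same symptom as in the post: STARTTLS completes but no BIND is logged by slapd
            System.out.println("WARNING: a wrong password was accepted; the bind is not being performed");
        }
    }
}
```

    Run it against a test directory and compare with the slapd log: with the reconnect in place a BIND line with mech=SIMPLE and a RESULT with err=49 should appear for the second attempt; if only STARTTLS and "TLS established" are logged, the credentials were never sent.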