  • EXTERNAL binding to LDAP

    I'm trying to bind to an LDAP server over SSL using the application server's certificate, rather than simple userDn/password binding. Sun's JNDI page describes this process here http://java.sun.com/products/jndi/tu....html#EXTERNAL. My understanding from the reference manual was that I could use ExternalTlsDirContextAuthenticationStrategy, as long as I set the certificate keystore and trust store in the system environment. However, I am unable to get this to work, as I receive the following error:

    javax.naming.NamingException: [LDAP: error code 1 - SSL: connection already established.]

    Here's example code that's causing this error:

    Code:
    import java.util.List;

    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;

    import org.springframework.ldap.core.AttributesMapper;
    import org.springframework.ldap.core.LdapTemplate;
    import org.springframework.ldap.core.support.ExternalTlsDirContextAuthenticationStrategy;
    import org.springframework.ldap.core.support.LdapContextSource;

    public class Test
    {
      public static void main(String args[])
      {
        // Client certificate (key store) and server trust anchors (trust store)
        // are supplied to the JSSE layer through system properties.
        System.setProperty("javax.net.ssl.keyStore", "<path_to_keyStore.jks>");
        System.setProperty("javax.net.ssl.keyStorePassword", "<jks_password>");
        System.setProperty("javax.net.ssl.trustStore", "<path_to_trustStore.jks>");
        System.setProperty("javax.net.ssl.trustStorePassword", "<jks_password>");

        // ldaps:// means TLS is negotiated on connect, before any bind happens.
        LdapContextSource ctx = new LdapContextSource();
        ctx.setUrl("ldaps://localhost:636");
        ctx.setBase("ou=system");
        ctx.setPooled(false);
        ctx.setAuthenticationStrategy(new ExternalTlsDirContextAuthenticationStrategy());

        ctx.afterPropertiesSet();
        // This is where the "SSL: connection already established" error surfaces.
        ctx.getReadWriteContext();

        LdapTemplate ldapTemplate = new LdapTemplate(ctx);
        List results = ldapTemplate.search("ou=users", "(cn=John Doe)",
            new AttributesMapper()
            {
              public Object mapFromAttributes(Attributes attrs)
                  throws NamingException
              {
                return attrs.get("cn").get();
              }
            });

        System.out.println(results);
      }
    }
    When I change this to use userDn/password and remove the External Authentication Strategy, everything works just fine. I really don't want to bind with userDn/password so any help would be appreciated.

  • #2
    I was able to find a workaround, but I'm not sure about the ramifications. It seems the AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation() method makes a call to ldapContext.extendedOperation(new StartTlsRequest()). This call seems to initiate a connection to the LDAP, which explains the aforementioned error:

    javax.naming.NamingException: [LDAP: error code 1 - SSL: connection already established.]

    Any suggestions for follow up on how to best approach this issue would be much appreciated. For now, I've written my own implementation of DirContextAuthenticationStrategy which simply sets "EXTERNAL" security authentication in the DirContext environment.

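The workaround described in #2, written out as an added example (this is not the Spring LDAP project's code and not the poster's own class). It implements DirContextAuthenticationStrategy so that the environment asks for SASL EXTERNAL and the post-creation hook does not send a StartTLS request, which is what collides with the TLS session an ldaps:// URL has already set up. It assumes the Spring LDAP 2.x interface signature (Hashtable<String, Object>); the class name, the host and the key store paths are placeholders.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;

import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * Added example (hypothetical class name): SASL EXTERNAL bind for a context
 * source whose URL is ldaps://, i.e. TLS is already in place when the bind is
 * sent. The LDAP server maps the client certificate presented during the TLS
 * handshake to a directory identity; no DN or password is transmitted.
 */
public class ExternalSaslAuthenticationStrategy implements DirContextAuthenticationStrategy {

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        // Ask the JNDI LDAP provider for the EXTERNAL SASL mechanism.
        env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        // Make sure no simple-bind credentials leak into the environment even if
        // a userDn/password pair was configured on the context source.
        env.remove(Context.SECURITY_PRINCIPAL);
        env.remove(Context.SECURITY_CREDENTIALS);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        // Deliberately no StartTlsRequest here: over ldaps:// the TLS session
        // already exists, and a second negotiation is what produces
        // "SSL: connection already established".
        return ctx;
    }

    /**
     * Wiring example. The JSSE system properties select the client certificate
     * (key store) and pin the trust anchors used to verify the server (trust
     * store); values below are constructed placeholders.
     */
    public static LdapContextSource buildContextSource() {
        System.setProperty("javax.net.ssl.keyStore", "/etc/app/client-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "/etc/app/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        LdapContextSource ctx = new LdapContextSource();
        ctx.setUrl("ldaps://ldap.example.test:636");
        ctx.setBase("ou=system");
        ctx.setPooled(false);
        ctx.setAuthenticationStrategy(new ExternalSaslAuthenticationStrategy());
        ctx.afterPropertiesSet();
        return ctx;
    }
}
```

Two things to check when adopting this: the server must actually be configured to accept SASL EXTERNAL and to map the certificate subject to a directory entry, otherwise the bind is rejected or silently treated as anonymous; and the trust store should contain only the CA that issued the directory server's certificate, since with a client-certificate bind the server's identity is the only thing standing between the application and an impersonated directory.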