Announcement Announcement Module
Collapse
No announcement yet.
TLS with LdapTemplate Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • TLS with LdapTemplate

    Attached to TLS and Authentication post since that is relevant.
    Last edited by mmshanka; Nov 5th, 2010, 06:08 PM.

  • #2
    Had to add the note back here. Pls add notes if anyone has successfully used the following and got it to work.

    I have been using 1.2 version and we finally decided to support TLS since 1.3 now provides a way to do this. We have been using ldaptemplate for all the queries. Here is what I have:

    final LdapContextSource context = configureContextSource();
    final SpringSecurityLdapTemplate template =
    new SpringSecurityLdapTemplate( context );

    // Active Directory doesn’t transparently handle referrals. This fixes that.
    template.setIgnorePartialResultException(true);

    // Searching for classSchema since we expect this to be present as a part of all the LDAP Schemas.
    // This should help us confirm that the LDAP connection related params are all fine.
    template.searchForSingleAttributeValues(…..);

    ——————————-
    private LdapContextSource configureContextSource() throws DirectoryServiceConfigurationException {

    MyTlsDirContextAuthenticationStrategy authenticationStrategy =
    new MyTlsDirContextAuthenticationStrategy();

    final String url = buildLdapURL();
    LdapContextSource ctxSrc = new LdapContextSource();
    ctxSrc.setUrl(url);
    ctxSrc.setCacheEnvironmentProperties(false);

    if(!ldapConfig.get(LDAP_USE_ANONYMOUS_BIND).getPre ferenceValueBoolean()) {
    ctxSrc.setUserDn(ldapConfig.get(LDAP_BIND_DN).getP referenceValue());
    ctxSrc.setPassword(ldapConfig.get(LDAP_BIND_PASSWO RD).getPreferenceValue());
    }

    ctxSrc.setAuthenticationStrategy(authenticationStr ategy);

    try {
    ctxSrc.afterPropertiesSet();
    } catch (final Exception ex) {
    log.error(ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAIL ED.getCodeString() +
    ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAILED.getDesc ription(), ex);
    throw new DirectoryServiceConfigurationException(ErrorCode.L DAP_INIT_SECURITYCONTEXT_FAILED.getDescription(),
    ErrorCode.LDAP_INIT_SECURITYCONTEXT_FAILED.getCode ());
    }

    return ctxSrc;
    }

    ——————-

    MyTlsDirContextAuthenticationStrategy is extended from DefaultTlsDirContextAuthenticationStrategy only to set the system properties for keystore and other related properties.

    I have a open Ldap server setup to support TLS. Code looks much more clean to me. However, when the template.searchForSingleAttributeValues(…..); is invoked, it complains of TLS already started.

    I drilled down more and found that,

    LdapTemplate.search(……) –> AbstractContextSource.getReadOnlyContext() –> AbstractContextSource.getContext(String principal, String credentials) –> authenticationStrategy.processContextAfterCreation (…)

    will now try to Start TLS again and fails since it is already started and the exception is thrown which results in search failure.

    I am not seeing a way I can bypass this issue since every operation on the LdapTemplate will try to obtain a ReadOnlyContext and will fail at the same place since TLS is already started. I don’t think this will go away since LdapTemplate is very specific to Spring-ldap.

    However, please suggest a workaround if possible or other ideas/suggestions.

    --------------------------------------

    On a different note, extending the LdapContextSource in 1.2 to support TLS worked fine in the first instance of starting TLS. However, subsequent changes to the properties or removing the keystore has no effect on the context that was established in the first attempt.

    Seems to me like something is being cached. I tried removing pooling and not caching environment properties, but the issue doesn’t seem to go away. On restarting my server, the issue gets resolved and the new context I obtain behaves as expected.

    Can’t seem to understand what may be going wrong. Suggestions are welcome.

    Comment

    Working...
    X