
OpenLDAP/TLS+SASL (mech: EXTERNAL) with JNDI



Hello,

I am implementing a custom Java LDAP library for our custom needs, and
now I am at the point where I have to write the methods for TLS
authentication.

I have been searching for a solution since yesterday morning, but
nothing matched. All the standard examples I found break with more or
less heavy exceptions.

I must connect to an OpenLDAP 2.4.x with complete TLS/SASL
authentication, meaning the same thing as

	ldapsearch -T EXTERNAL -ZZ [...]

It works well with my certs on the CLI, but none of the Java
implementations I tested has worked properly yet.

The best result I get at the moment is the following, where I receive *only* one exception:

[...]
LDAP server connection URL:
ldap://kungfu.in.siegnetz.de:389/dc=kungfu-local,dc=net
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 -
SASL(-4): no mechanism available: ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2602)
	at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3156)
	at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:164)
	at de.siegnetz.ldaptools.connection.LDAPServerConnection.open(LDAPServerConnection.java:295)
	at de.siegnetz.test.SomeLdapTests.ldap_test1(SomeLdapTests.java:29)
	at de.siegnetz.test.SomeLdapTests.main(SomeLdapTests.java:13)
dn: uid=dkent,ou=users,ou=Siegen,dc=kungfu-local,dc=net
sambaPrimaryGroupSID: S-1-5-21-3205579064-1077270308-3928157200-513
sambaDomainName: KUNGFU-NET
displayName: Kent, Dark (the sincerly unknown evil twin)
givenName: Dark
[...]

where the interesting thing is that, as you can see, the search result
of the JNDI request is printed out, interrupted by the exception.

The TLS section in slapd.conf looks like this:
TLSCertificateFile      /etc/openldap/certs/kungfu-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/kungfu-key.pem
TLSCACertificateFile    /etc/openldap/certs/kungfu_ca.pem
TLSVerifyClient         demand

I am trying to use it with a TinyCA2-created cert with 4096-bit RSA, exported
as [...].pem cert and key files for the client, plus the CA cert and the
server cert and key.

Is there perhaps a special X.509 format that has to be used? Or are there
other traps when using Java and OpenLDAP?
I first used the library found here on the page, but I thought it would
not fit my needs, because it did not work properly either.

Is there anyone out there who can help me on that issue?

Thanks in advance and best regards
Stefan



--

S T E F A N   J U R I S C H
--------------------------------
System Engineer - VMware Support

SIEGNETZ.IT GmbH
Schneppenkauten 1a
D-57076 Siegen

Tel. +49 271 68193- 0
Fax: +49 271 68193-28

http://www.siegnetz.de


Amtsgericht Siegen HRB4838
Managing Director: Oliver Seitz
Registered office: Siegen

--------------------------------

The word "WINDOWS" comes from
an old Sioux dialect and
means:
"White man stares through
pane of glass at hourglass."

--------------------------------
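The stack trace in the post shows the bind happening inside ensureOpen()/connect() while the StartTLS extended operation is still being issued, i.e. before any TLS session exists; with no client certificate on the wire, slapd has no mechanism to offer and returns "SASL(-4): no mechanism available". The JNDI sequence that matches "ldapsearch -ZZ" with the EXTERNAL mechanism (selected by -Y in ldapsearch) is: open an anonymous connection, negotiate StartTLS with a socket factory that presents the client certificate, and only then switch the environment to EXTERNAL and reconnect. The following is an added example, not code from the original post or from the poster's library; the URL, base DN, keystore file names and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * StartTLS followed by a SASL EXTERNAL bind with plain JNDI.
 * Added example: every hostname, path and password below is a placeholder.
 */
public class SaslExternalOverStartTls {

    static final String URL = "ldap://ldap.example.test:389";      // placeholder
    static final String BASE_DN = "dc=example,dc=test";            // placeholder
    static final String CLIENT_KEYSTORE = "client.p12";            // PKCS#12: client cert + private key
    static final String TRUSTSTORE = "ca.p12";                     // PKCS#12: the issuing CA certificate
    static final char[] STORE_PASSWORD = "changeit".toCharArray(); // placeholder

    /** SSLContext that presents the client certificate and trusts only our CA. */
    static SSLContext buildSslContext() throws Exception {
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(CLIENT_KEYSTORE)) {
            clientStore.load(in, STORE_PASSWORD);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, STORE_PASSWORD);

        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            trustStore.load(in, STORE_PASSWORD);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // Step 1: deliberately no SECURITY_AUTHENTICATION yet. Putting "EXTERNAL"
        // into the initial environment makes JNDI bind inside connect(), before
        // TLS exists, which is the "no mechanism available" failure.
        LdapContext ctx = new InitialLdapContext(env, null);

        // Step 2: upgrade the socket. negotiate() validates the server certificate
        // against the trust store and checks the hostname (keep that on: the
        // client certificate is only a trustworthy identity inside a verified session).
        StartTlsResponse tls =
            (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(buildSslContext().getSocketFactory());

        // Step 3: SASL EXTERNAL bind; the identity is taken from the client certificate.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        ctx.reconnect(null);

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"uid", "displayName"});
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, "(uid=*)", sc);
        while (results.hasMore()) {
            System.out.println(results.next().getNameInNamespace());
        }

        tls.close();
        ctx.close();
    }
}
```

Two practical notes. Java's KeyStore does not read bare PEM files, so the TinyCA2 exports have to be repackaged first, for example with `openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -certfile ca.pem -out client.p12` (and the CA certificate into its own store, or `keytool -importcert` into a truststore). On the server side, slapd derives the SASL authorization identity from the certificate subject DN, so an `authz-regexp` in slapd.conf is what maps that subject to the real entry; `ldapwhoami -ZZ -Y EXTERNAL` shows which identity the server actually assigns before any Java is involved.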

