Note: the target machine is running Windows 2003 Server -- which is 
required to support the StartTLS ext. op. as is the client.
Problems:
   1. It doesn't work -- that's our work to debug it, but...
   2. Calling tls.close() doesn't revert to the underlying context (LDAP
connection) as it should.  Is that a Java JRE bug or a bug in IBM's
implementation??  cf.
http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/ldap/StartTlsRequest.html
   3. The problem from #2 results in an unhappy, dysfunctional connection,
and the reconnect feature gets confused: it tries only 1 reconnect though
we've specified 5 tries in the config.
Any help?
Thanks,
= Ezra
Config follows:
=============================================
<?xml version="1.0" encoding="UTF-8"?>
<MetamergeConfig created="Fri Jul 08 14:09:27 PDT 2005" createdBy="eepstein" modified="Fri Jul 08 14:14:59 PDT 2005" modifiedBy="eepstein" version="1.1">
<Folder name="AssemblyLines">
<AssemblyLine name="starttls">
<LogEnabled>true</LogEnabled>
<Settings>
<parameter name="ALPoolSettingsDialog">showALPoolSettings</parameter>
<parameter name="ScriptEngine">JavaScript</parameter>
<parameter name="automapattributes">false</parameter>
<parameter name="debug">false</parameter>
<parameter name="includeGlobalPrologs">true</parameter>
<parameter name="nullBehaviorDialog">showNullBehavior</parameter>
</Settings>
<Hooks/>
<CheckpointConfig/>
<SandboxConfig/>
<LogConfig/>
<ContainerEF name="EntryFeedContainer"/>
<ContainerDF name="DataFlowContainer">
<Connector name="ad_ldap_tls">
<InheritFrom>system:/Connectors/ibmdi.LDAP</InheritFrom>
<ConnectorMode>Lookup</ConnectorMode>
<ConnectorState>Enabled</ConnectorState>
<Configuration>
<InheritFrom>[parent]</InheritFrom>
<parameter name="automapADPassword">false</parameter>
<parameter name="debug">false</parameter>
<parameter name="ldapAddAttr">false</parameter>
<parameter name="ldapAuthenticationMethod">Simple</parameter>
<parameter name="ldapPageSize">0</parameter>
<parameter name="ldapReferrals">follow</parameter>
<parameter name="ldapSearchBase">cn=users,DC=coreservices,DC=org</parameter>
<parameter name="ldapSearchFilter">objectclass=*</parameter>
<parameter name="ldapSearchScope">subtree</parameter>
<parameter name="ldapSizeLimit">0</parameter>
<parameter name="ldapTimeLimit">0</parameter>
<parameter name="ldapUrl">ldap://10.4.29.113:389</parameter>
<parameter name="ldapUseSSL">false</parameter>
<parameter name="ldapUsername">cn=Administrator,cn=users,DC=coreservices,DC=org</parameter>
<parameter name="ldapVLVPageSize">0</parameter>
<parameter name="simulateRename">true</parameter>
<parameter name="userComment"></parameter>
</Configuration>
<ComputeChanges>true</ComputeChanges>
<DeltaBehavior>0</DeltaBehavior>
<DeltaStrict>true</DeltaStrict>
<Parser>
<InheritFrom>[parent]</InheritFrom>
</Parser>
<AttributeMap name="Input">
<InheritFrom>[parent]</InheritFrom>
<AttributeMapItem>
<Name>*</Name>
<Type>simple</Type>
<Enabled>true</Enabled>
<Add>true</Add>
<Modify>true</Modify>
<Script></Script>
<Simple>*</Simple>
</AttributeMapItem>
</AttributeMap>
<AttributeMap name="Output">
<InheritFrom>[parent]</InheritFrom>
</AttributeMap>
<DeltaSettings>
<Driver>CloudScape</Driver>
</DeltaSettings>
<Schema name="Input">
<InheritFrom>[parent]</InheritFrom>
</Schema>
<Schema name="Output">
<InheritFrom>[parent]</InheritFrom>
</Schema>
<LinkCriteria>
<InheritFrom>[parent]</InheritFrom>
<LinkCriteriaItem>
<Key>104f81bd682</Key>
<Attribute>cn</Attribute>
<Operator>equals</Operator>
<Value>administrator</Value>
</LinkCriteriaItem>
</LinkCriteria>
<Hooks>
<InheritFrom>[parent]</InheritFrom>
<Hook>
<Name>after_initialize</Name>
<Script><![CDATA[task.logmsg("AFTER INITIALIZE");
// Disable this hook and everything works.
// Keep this hook enabled and nothing works:
//  1. starttls problem
//  2. when we call tls.close() the connection does not revert back to ctx
//     as it should.
//  3. The Reconnect feature is not working: the error is only detected as
//     a connection failure 1x, though we specify to retry the conn 5x.
try {
	// Underlying (plaintext) JNDI LdapContext owned by the connector
	var ctx = thisConnector.connector.getLdapContext();
	// Ask the server to start TLS on the already-open connection
	tls = ctx.extendedOperation(new Packages.javax.naming.ldap.StartTlsRequest());
	task.logmsg("calling negotiate()");
	// TLS handshake; throws if the server certificate is not trusted
	tls.negotiate();
	task.logmsg("FANFARE: did negotiate()");
} catch (E) {
	// tls is still null when extendedOperation() itself failed
	if (tls != null) {
		task.logmsg("Closing TLS...");
		tls.close();
		tls = null;
	}
	task.logmsg("Connection will not be encrypted...");
	task.logmsg(E);
}
]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>before_initialize</Name>
<Script>var tls=null</Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>default_fail</Name>
<Script><![CDATA[task.logmsg(error);
	if (tls != null) {
		tls.close();
		tls=null;
	}
]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>default_ok</Name>
<Script><![CDATA[task.logmsg("SUCCESS!!!");
	if (tls != null) {
		tls.close();
		tls=null;
	}
task.dumpEntry(work);]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>on_connection_failure</Name>
<Script>task.logmsg(error);</Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
</Hooks>
<CheckpointConfig/>
<SandboxConfig/>
<Reconnect>
<parameter name="autoreconnect">true</parameter>
<parameter name="numberOfRetries">5</parameter>
<parameter name="retryDelay">10</parameter>
</Reconnect>
</Connector>
</ContainerDF>
<ThreadOptions/>
<CallReturn>
<Schema name="Input"/>
<Schema name="Output"/>
<AttributeMap name="Output"/>
<AttributeMap name="Input"/>
</CallReturn>
</AssemblyLine>
</Folder>
<Folder name="Connectors"/>
<Folder name="Parsers"/>
<Folder name="EventHandlers"/>
<Folder name="Scripts"/>
<JavaLibraries/>
<JavaProperties/>
<Folder name="Includes"/>
<Folder name="ExternalProperties">
<ExternalProperties name=" Default">
<Encrypted>false</Encrypted>
</ExternalProperties>
</Folder>
<Folder name="Config">
<LogConfig name="Logging"/>
<InstanceProperties name="AutoStart">
<AutoStart/>
</InstanceProperties>
</Folder>
<Folder name="Functions"/>
<Folder name="AttributeMaps"/>
</MetamergeConfig>
1. TLS, like SSL, *does* need all certs installed when connecting to AD.
2. One has to rebind() after close().  I don't know whether this is a bug;
it seems odd to me and isn't in Sun's 1.4.2 API docs.
3. Certain types of exceptions that probably *should* trigger a reconnect
attempt are instead caught as general exceptions.  I don't know whether
that's a good thing or not.
= Ezra E.
John
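A standalone JNDI client, added here as an example (it is not the poster's hook nor TDI's own code), showing the ordering the thread circles around: start TLS on an anonymous connection first, then add the credentials and bind with reconnect(), so the simple-bind password never crosses the wire in the clear, and close the TLS layer without rebinding over the plaintext connection afterwards. The host name, bind DN, search base and the LDAP_PASSWORD environment variable are assumed placeholders, and the server's CA is assumed to be in the JRE truststore as the follow-up's point 1 requires.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsThenBind {
    // Placeholders (assumed). Use the DNS name that appears in the server's
    // certificate, not an IP like 10.4.29.113, or the hostname check in
    // negotiate() fails.
    static final String URL = "ldap://dc1.example.test:389";
    static final String BIND_DN = "cn=svc-reader,cn=users,DC=example,DC=test";
    static final String BASE = "cn=users,DC=example,DC=test";

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_PASSWORD");
        if (password == null) throw new IllegalStateException("set LDAP_PASSWORD");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // No SECURITY_PRINCIPAL/CREDENTIALS yet: the context starts anonymous,
        // so nothing secret crosses the wire before the channel is encrypted.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // Handshake on the existing socket. The AD server's issuing CA must be
            // in the JRE truststore (javax.net.ssl.trustStore) or this throws.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established: " + session.getCipherSuite());
            // Credentials go in only after negotiate(); reconnect() performs the
            // simple bind on the same, now encrypted, connection.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            System.out.println("found: " + ctx.search(BASE, "(cn=administrator)", sc).hasMore());
        } finally {
            // close() ends TLS but leaves the plaintext LDAP connection open and
            // unauthenticated: do not re-bind over it, just close the context.
            if (tls != null) tls.close();
            ctx.close();
        }
    }
}
```

In the posted config the connector binds as cn=Administrator over ldap:// before the after_initialize hook runs, so that bind happens in plaintext; moving the credentials after negotiate(), as above, is the part worth checking first.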