Note: the target machine is running Windows 2003 Server -- which is
required to support the StartTLS ext. op. as is the client.
Problems:
1. It doesn't work -- that's our work to debug it, but...
2. calling tls.close() doesn't revert to the underlying context (LDAP
connection) as it should. Is that a Java JRE bug or a bug in IBM's
implementation?? c.f.,
http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/ldap/StartTlsRequest.html
3. The problem from #2 results in an unhappy dysfunctional connection
and the reconnect feature gets confused: tries only 1 reconnect though
we've specified 5 tries in the config.
Any help?
Thanks,
= Ezra
Config follows:
=============================================
<?xml version="1.0" encoding="UTF-8"?>
<MetamergeConfig created="Fri Jul 08 14:09:27 PDT 2005"
createdBy="eepstein" modified="Fri Jul 08 14:14:59 PDT 2005"
modifiedBy="eepstein" version="1.1">
<Folder name="AssemblyLines">
<AssemblyLine name="starttls">
<LogEnabled>true</LogEnabled>
<Settings>
<parameter name="ALPoolSettingsDialog">showALPoolSettings</parameter>
<parameter name="ScriptEngine">JavaScript</parameter>
<parameter name="automapattributes">false</parameter>
<parameter name="debug">false</parameter>
<parameter name="includeGlobalPrologs">true</parameter>
<parameter name="nullBehaviorDialog">showNullBehavior</parameter>
</Settings>
<Hooks/>
<CheckpointConfig/>
<SandboxConfig/>
<LogConfig/>
<ContainerEF name="EntryFeedContainer"/>
<ContainerDF name="DataFlowContainer">
<Connector name="ad_ldap_tls">
<InheritFrom>system:/Connectors/ibmdi.LDAP</InheritFrom>
<ConnectorMode>Lookup</ConnectorMode>
<ConnectorState>Enabled</ConnectorState>
<Configuration>
<InheritFrom>[parent]</InheritFrom>
<parameter name="automapADPassword">false</parameter>
<parameter name="debug">false</parameter>
<parameter name="ldapAddAttr">false</parameter>
<parameter name="ldapAuthenticationMethod">Simple</parameter>
<parameter name="ldapPageSize">0</parameter>
<parameter name="ldapReferrals">follow</parameter>
<parameter
name="ldapSearchBase">cn=users,DC=coreservices,DC=org</parameter>
<parameter name="ldapSearchFilter">objectclass=*</parameter>
<parameter name="ldapSearchScope">subtree</parameter>
<parameter name="ldapSizeLimit">0</parameter>
<parameter name="ldapTimeLimit">0</parameter>
<parameter name="ldapUrl">ldap://10.4.29.113:389</parameter>
<parameter name="ldapUseSSL">false</parameter>
<parameter
name="ldapUsername">cn=Administrator,cn=users,DC=coreservices,DC=org</parameter>
<parameter name="ldapVLVPageSize">0</parameter>
<parameter name="simulateRename">true</parameter>
<parameter name="userComment"></parameter>
</Configuration>
<ComputeChanges>true</ComputeChanges>
<DeltaBehavior>0</DeltaBehavior>
<DeltaStrict>true</DeltaStrict>
<Parser>
<InheritFrom>[parent]</InheritFrom>
</Parser>
<AttributeMap name="Input">
<InheritFrom>[parent]</InheritFrom>
<AttributeMapItem>
<Name>*</Name>
<Type>simple</Type>
<Enabled>true</Enabled>
<Add>true</Add>
<Modify>true</Modify>
<Script></Script>
<Simple>*</Simple>
</AttributeMapItem>
</AttributeMap>
<AttributeMap name="Output">
<InheritFrom>[parent]</InheritFrom>
</AttributeMap>
<DeltaSettings>
<Driver>CloudScape</Driver>
</DeltaSettings>
<Schema name="Input">
<InheritFrom>[parent]</InheritFrom>
</Schema>
<Schema name="Output">
<InheritFrom>[parent]</InheritFrom>
</Schema>
<LinkCriteria>
<InheritFrom>[parent]</InheritFrom>
<LinkCriteriaItem>
<Key>104f81bd682</Key>
<Attribute>cn</Attribute>
<Operator>equals</Operator>
<Value>administrator</Value>
</LinkCriteriaItem>
</LinkCriteria>
<Hooks>
<InheritFrom>[parent]</InheritFrom>
<Hook>
<Name>after_initialize</Name>
<Script><![CDATA[task.logmsg("AFTER INITIALIZE");
// Disable this hook and everything works.
// Keep this hook enabled and nothing works:
// 1. starttls problem
// 2. when we call tls.close() the connection does not revert back to ctx
//    as it should.
// 3. The Reconnect feature is not working: the error is only detected as
//    a connection failure 1x, though we specify to retry the conn 5x.
try {
  var ctx = thisConnector.connector.getLdapContext();
  tls = ctx.extendedOperation(new Packages.javax.naming.ldap.StartTlsRequest());
  task.logmsg("calling negotiate()");
  tls.negotiate();
  task.logmsg("FANFARE: did negotiate()");
} catch (E) {
  task.logmsg("Closing TLS...");
  // tls is still null if extendedOperation() itself threw, so guard before close()
  if (tls != null) {
    tls.close();
    tls = null;
  }
  task.logmsg("Connection will not be encrypted...");
  task.logmsg(E);
}
]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>before_initialize</Name>
<Script>var tls=null</Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>default_fail</Name>
<Script><![CDATA[task.logmsg(error);
if (tls != null) {
tls.close();
tls=null;
}
]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>default_ok</Name>
<Script><![CDATA[task.logmsg("SUCCESS!!!");
if (tls != null) {
tls.close();
tls=null;
}
task.dumpEntry(work);]]></Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
<Hook>
<Name>on_connection_failure</Name>
<Script>task.logmsg(error);</Script>
<Enabled>true</Enabled>
<DebugBreak>false</DebugBreak>
</Hook>
</Hooks>
<CheckpointConfig/>
<SandboxConfig/>
<Reconnect>
<parameter name="autoreconnect">true</parameter>
<parameter name="numberOfRetries">5</parameter>
<parameter name="retryDelay">10</parameter>
</Reconnect>
</Connector>
</ContainerDF>
<ThreadOptions/>
<CallReturn>
<Schema name="Input"/>
<Schema name="Output"/>
<AttributeMap name="Output"/>
<AttributeMap name="Input"/>
</CallReturn>
</AssemblyLine>
</Folder>
<Folder name="Connectors"/>
<Folder name="Parsers"/>
<Folder name="EventHandlers"/>
<Folder name="Scripts"/>
<JavaLibraries/>
<JavaProperties/>
<Folder name="Includes"/>
<Folder name="ExternalProperties">
<ExternalProperties name=" Default">
<Encrypted>false</Encrypted>
</ExternalProperties>
</Folder>
<Folder name="Config">
<LogConfig name="Logging"/>
<InstanceProperties name="AutoStart">
<AutoStart/>
</InstanceProperties>
</Folder>
<Folder name="Functions"/>
<Folder name="AttributeMaps"/>
</MetamergeConfig>
1. TLS, like SSL, *does* need all certs installed when connecting to AD.
2. One has to rebind() after close(). I don't know whether this is a bug;
it seems odd to me and isn't in Sun's 1.4.2 API docs.
3. Certain types of exceptions that probably *should* trigger a reconnect
attempt are instead caught as general exceptions. I don't know whether
that's a good thing or not.
= Ezra E.
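The same StartTLS sequence written as a stand-alone JNDI program, added here as an example and not code from the post or from the TDI product. It binds only after negotiate() has succeeded, fails closed instead of continuing in cleartext when negotiation throws, guards tls before close() (the hook's catch block calls tls.close() even when extendedOperation() itself failed), and closes the context instead of reusing it after tls.close(). The URL, bind DN, search base and the LDAP_PASSWORD environment variable are placeholders I made up; the program assumes the domain controller's CA certificate is in the JVM truststore, which is item 1 of the follow-up.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsLookup {
    // Placeholder values (assumptions, not from the post). Use the DC's DNS name, not its IP:
    // the default verifier compares the certificate against the host in this URL.
    static final String LDAP_URL = "ldap://dc.example.test:389";
    static final String BIND_DN = "cn=svc-lookup,cn=users,DC=example,DC=test";
    static final String SEARCH_BASE = "cn=users,DC=example,DC=test";

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_PASSWORD"); // placeholder source of the bind password
        if (password == null) {
            throw new IllegalStateException("LDAP_PASSWORD is not set");
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Open the plaintext connection anonymously: no credential leaves the JVM before TLS is up.
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() throws IOException on an untrusted chain or a host-name mismatch.
            // The CA chain must be in the truststore (-Djavax.net.ssl.trustStore=...).
            SSLSession session = tls.negotiate();
            System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite());

            // Bind over the encrypted channel; JNDI performs the bind on the next operation.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // The lookup the connector in the config performs: cn equals "administrator".
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "distinguishedName"});
            NamingEnumeration<SearchResult> results = ctx.search(
                    SEARCH_BASE, "(&(objectClass=user)(cn={0}))", new Object[] {"administrator"}, sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } catch (IOException e) {
            // Negotiation failed: abort rather than fall back to a cleartext bind.
            throw new IllegalStateException("StartTLS negotiation failed; aborting lookup", e);
        } finally {
            // tls is null when extendedOperation() itself threw, so guard the close.
            if (tls != null) {
                try {
                    tls.close();
                } catch (IOException ignored) {
                    // nothing useful to do on a failed TLS shutdown; the context is closed next
                }
            }
            // After tls.close() the context is back on the plaintext socket; close it instead
            // of reusing it (the follow-up reports a rebind is needed to reuse it at all).
            ctx.close();
        }
    }
}
```

Run it with `-Djavax.net.ssl.trustStore=<your-truststore>` pointing at a store that holds the domain controller's issuing CA. With an IP address in the URL, as in the ldapUrl parameter of the config above, the default host-name check compares the certificate's subject alternative names against that IP, so a certificate issued only for the DC's DNS name fails negotiate(); using the DNS name in the URL is the fix, not a permissive HostnameVerifier.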
John