user1825949

Reputation: 275

Authenticate via LDAP fails when using TLS

I found several discussions about this issue on the net, but none of them worked for me.
I am trying to authenticate via LDAP using a TLS connection.
I get contradictory responses when using the ldapsearch command and Java code.
In the ldapsearch command, searching with TLS works and fails without it,
while in the Java code the standard LDAPS connection works and TLS fails.

Here's the ldapsearch results:

With TLS:

/usr/bin/ldapsearch -h ldap.server.com -Z -x -D "#BIND_DN#" -W -b "#SEARCH_BASE#" -s sub "(cn=#USERNAME#)"
Enter LDAP Password: XXXXXXXX
....
mail: [email protected]
result: 0 Success

Without TLS:

/usr/bin/ldapsearch -h ldap.server.com -p 636 -x -D "#BIND_DN#" -W -b "#SEARCH_BASE#" -s sub "(cn=#USERNAME#)"
Enter LDAP Password: XXXXXXXXX
ldap_result: Can't contact LDAP server (-1)

And here are the Java results:

Without TLS:

>>java -cp lib com.myapp.toolkit.auth.LDAPTestKit
[LDAPTestKit] found authenContext.
[LDAPTestKit] Authentication Success
[LDAPTestKit] Found attributes:
[LDAPTestKit] mail : [email protected]

....

With TLS:

>>java -cp lib com.myapp.toolkit.auth.LDAPTestKit
ERROR [main] [] [LDAPTestKit] Initial binding - Failure
                [LDAP: error code 1 - TLS already started]

javax.naming.NamingException: [LDAP: error code 1 - TLS already started]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3192)
    at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:164)

I use the following code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

Hashtable<String, String> bindEnv = new Hashtable<String, String>();
bindEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
bindEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
bindEnv.put(Context.REFERRAL, "follow");
bindEnv.put(Context.PROVIDER_URL, "ldaps://ldap.server.com:636");
bindEnv.put("java.naming.security.principal", "#BIND_DN#");
bindEnv.put("java.naming.security.credentials", "#BIND_PASS#");
LdapContext bindCtx = new InitialLdapContext(bindEnv, null);
// So far OK
StartTlsResponse tls = (StartTlsResponse) bindCtx.extendedOperation(new StartTlsRequest());
// Exception!!!
tls.negotiate();

I tried it with "ldap://" instead of "ldaps://" but got the same response.
Is it a certificate issue? Or is there anything I am missing in the code?

Thanks

Upvotes: 4

Views: 12067

Answers (2)

Ludovic Poitou

Reputation: 4876

The StartTLS extended operation is meant to establish the TLS layer over an existing plain LDAP connection. As Balint Bako pointed out yesterday, it is not needed if you are connecting to LDAPS, i.e. establishing a TLS connection to the socket to use LDAP.

Upvotes: 5
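The two paths this answer describes, written out as an added example (this is not the asker's code and not from any answer): `bindLdaps` negotiates TLS at the socket and binds straight away, and `bindStartTls` opens a plain ldap:// connection, upgrades it with the StartTLS extended operation, and only then hands over the credentials. Issuing StartTLS on the ldaps:// connection is exactly what produces the "TLS already started" error in the question, so `needsStartTls` routes on the URL scheme. The host, bind DN and password are placeholders; the JNDI calls (`extendedOperation`, `negotiate`, `addToEnvironment`, `reconnect`) are standard `javax.naming.ldap` API.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Added example (not the asker's code): the two mutually exclusive ways to get
 * TLS on a JNDI LDAP connection. Host, bind DN and password are placeholders.
 */
public class LdapTlsBind {

    private static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** Option A: LDAPS. The socket is TLS from the first byte (port 636 by
     *  convention), so the bind is already protected. StartTLS must NOT be
     *  issued afterwards; the server answers "TLS already started" (error 1). */
    public static LdapContext bindLdaps(String host, int port, String dn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null); // the bind happens here, inside TLS
    }

    /** Option B: plain ldap:// (port 389 by convention) upgraded with StartTLS.
     *  Connect without credentials, negotiate TLS, and only then set the bind DN
     *  and password, so they never cross the wire in clear text. */
    public static LdapContext bindStartTls(String host, int port, String dn, String password)
            throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        // No SECURITY_* keys yet: anonymous, cleartext connection.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // Handshake: the server certificate is validated against the JVM trust store
        // (javax.net.ssl.trustStore) and its name is checked against the host.
        tls.negotiate();
        // Channel is encrypted now: add credentials and re-bind on the same connection.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);
        return ctx;
    }

    /** Only a plain ldap:// URL is a candidate for StartTLS; ldaps:// never is. */
    public static boolean needsStartTls(String providerUrl) {
        return providerUrl.startsWith("ldap://");
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders; substitute real values or pass a URL as args[0].
        String url = args.length > 0 ? args[0] : "ldaps://ldap.server.com:636";
        String dn = "#BIND_DN#";
        String pass = "#BIND_PASS#";
        URI u = new URI(url);
        LdapContext ctx = needsStartTls(url)
                ? bindStartTls(u.getHost(), u.getPort(), dn, pass)
                : bindLdaps(u.getHost(), u.getPort(), dn, pass);
        try {
            System.out.println("Bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

Run it with `java LdapTlsBind ldaps://ldap.server.com:636` or `java LdapTlsBind ldap://ldap.server.com:389`; either way the server certificate must chain to a CA in the JVM trust store, which is the same requirement the asker's working LDAPS run already satisfied. Note that in option B the credentials are deliberately added after `negotiate()`: putting them in the initial environment would bind in clear text before the upgrade.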

jwilleke

Reputation: 11056

Check out the JNDI Example

We have used their example with good outcomes.

Upvotes: 2
