Hello,
I am implementing a custom Java LDAP library for our own needs, and I am now at the point where I have to write the methods for TLS authentication.
I have been searching for a solution since yesterday morning, but nothing has matched. All the standard examples I found break with more or less serious exceptions.
I must connect to an OpenLDAP 2.4.x with full TLS/SASL authentication, i.e. the same thing as
ldapsearch -T EXTERNAL -ZZ [...]
It works well with my certs on the CLI, but none of the Java implementations I tested has worked properly yet.
The best result I get at the moment is this, where I receive *only* one exception:
[...]
LDAP server connection URL: ldap://kungfu.in.siegnetz.de:389/dc=kungfu-local,dc=net
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 - SASL(-4): no mechanism available: ]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2602)
        at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3156)
        at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:164)
        at de.siegnetz.ldaptools.connection.LDAPServerConnection.open(LDAPServerConnection.java:295)
        at de.siegnetz.test.SomeLdapTests.ldap_test1(SomeLdapTests.java:29)
        at de.siegnetz.test.SomeLdapTests.main(SomeLdapTests.java:13)
dn: uid=dkent,ou=users,ou=Siegen,dc=kungfu-local,dc=net
sambaPrimaryGroupSID: S-1-5-21-3205579064-1077270308-3928157200-513
sambaDomainName: KUNGFU-NET
displayName: Kent, Dark (the sincerly unknown evil twin)
givenName: Dark
[...]
The interesting thing is that, as you can see, the search result of the JNDI request is printed out, interrupted by the exception.
The TLS section in slapd.conf looks like this:

TLSCertificateFile /etc/openldap/certs/kungfu-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/kungfu-key.pem
TLSCACertificateFile /etc/openldap/certs/kungfu_ca.pem
TLSVerifyClient demand
I am trying to use it with a TinyCA2-created cert with 4096-bit RSA, exported as [...].pem cert and key files for the client, plus the CA cert and the server cert and key.
Is there perhaps a special X.509 format that has to be used? Or are there other traps when using Java with OpenLDAP? I first used the library found here on the page, but I thought it would not fit my needs, because it did not work properly either.
Is there anyone out there who can help me on that issue?
Thanks in advance and best regards, Stefan
--
S T E F A N J U R I S C H
--------------------------------
System Engineer - VMware Support
SIEGNETZ.IT GmbH, Schneppenkauten 1a, D-57076 Siegen
Tel. +49 271 68193-0   Fax: +49 271 68193-28
Registered at Amtsgericht Siegen, HRB 4838. Managing Director: Oliver Seitz. Registered office: Siegen
--------------------------------
The word "WINDOWS" comes from an old Sioux dialect and means: "White man stares through pane of glass at hourglass."
--------------------------------
openldap-technical@openldap.org
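Added example (not code from the post above or from the library it describes): the JNDI sequence that corresponds to `ldapsearch -ZZ` with SASL EXTERNAL. The stack trace in the post shows the SASL bind being attempted inside `LdapCtx.connect()`, i.e. while the context is being opened and before the StartTLS extended operation has run; slapd only offers the EXTERNAL mechanism once a TLS layer with a verified client certificate is in place, so the example opens the connection without any `SECURITY_AUTHENTICATION` setting, negotiates StartTLS with an `SSLContext` that carries the client key and the CA, and only then switches the context to EXTERNAL and rebinds. The host and base DN are taken from the post; the keystore paths and passwords are hypothetical, and the PEM files from TinyCA2 are assumed to have been converted to PKCS#12/JKS as shown in the comment, since JSSE does not read PEM directly.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * StartTLS + SASL EXTERNAL with JNDI, in the order ldapsearch -ZZ uses:
 *   1. open a plain, anonymous connection on port 389
 *   2. StartTLS, presenting the client certificate in the handshake
 *   3. only then switch the context to SASL EXTERNAL and rebind
 */
public class SaslExternalStartTls {

    // Host and base DN from the post; keystore files and passwords are
    // hypothetical. The PEM material would first be converted, e.g.:
    //   openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12
    //   keytool -importcert -alias kungfu-ca -file kungfu_ca.pem -keystore truststore.jks
    static final String LDAP_URL   = "ldap://kungfu.in.siegnetz.de:389/";
    static final String BASE_DN    = "dc=kungfu-local,dc=net";
    static final String CLIENT_P12 = "/etc/openldap/certs/client.p12";
    static final char[] P12_PASS   = "changeit".toCharArray();
    static final String TRUST_JKS  = "/etc/openldap/certs/truststore.jks";
    static final char[] TRUST_PASS = "changeit".toCharArray();

    /** Client key material (needed for TLSVerifyClient demand) plus the CA that signed the server cert. */
    static SSLContext clientSslContext() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(CLIENT_P12)) {
            keyStore.load(in, P12_PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, P12_PASS);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUST_JKS)) {
            trustStore.load(in, TRUST_PASS);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Deliberately no SECURITY_AUTHENTICATION here: putting "EXTERNAL" in the
        // initial environment makes JNDI bind while opening the context, i.e.
        // before StartTLS, on a clear-text connection that carries no certificate.
        LdapContext ctx = new InitialLdapContext(env, null);

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // negotiate() also checks that the server cert matches the host in LDAP_URL;
            // do not install a permissive HostnameVerifier to get around a mismatch.
            SSLSession session = tls.negotiate(clientSslContext().getSocketFactory());
            System.out.println("TLS up: " + session.getProtocol() + " / " + session.getCipherSuite());

            // The TLS layer now carries the client cert: switch to SASL EXTERNAL and rebind.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
            ctx.reconnect(null);

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "uid", "displayName" });
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(objectClass=inetOrgPerson)", sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            tls.close();   // tear down the TLS layer before closing the LDAP connection
            ctx.close();
        }
    }
}
```

With SASL EXTERNAL the identity slapd binds you as is derived from the subject DN of the client certificate (optionally rewritten by an `authz-regexp` in slapd.conf), so the access controls on the directory must grant that DN whatever the application needs; `ldapwhoami -Y EXTERNAL -ZZ` with the same certificate shows the DN slapd will use.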