0 Replies Latest reply: Feb 19, 2013 9:09 PM by 992088 RSS

    LDAP bind following StartTLS not encrypted

    992088
      I am attempting to write a java ldap client that will connect to an ldap server and authenticate with a client certificate during a StartTLS triggered switch to TLS on the connection, using the SASL EXTERNAL authentication mechanism. I have successfully tested this with the ldap server using OpenLDAP's ldapsearch. However, my java client fails with an "inappropriate authentication error" returned by the server. If I look at the packets going between the client and server I can see the TLS handshake taking place and its appears to happen successfully. From there I expected to see encrypted data over the TLS connection. Instead I see the bindrequest (with the EXTERNAL SASL mechanism) plainly (i.e. not encrypted) and then the bindresponse (with the inappropriateAuthentication error) from the server, also unencrypted. Here is the main code snippet:


           Hashtable env = new Hashtable(11);
           env.put(LdapContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
           env.put(LdapContext.PROVIDER_URL, url);
           
           this.context = new InitialLdapContext(env,null);
           tls = (StartTlsResponse) this.context.extendedOperation(new StartTlsRequest());
           SSLSession sess = tls.negotiate();
           LOG.warning("SSL Session Established with " + sess.getPeerHost() + ":" + sess.getPeerPort());
           this.context.addToEnvironment(LdapContext.SECURITY_AUTHENTICATION, "EXTERNAL");          

           SearchControls controls = new SearchControls();
      controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      NamingEnumeration results = this.context.search(url, "(cn=*)", controls);

      I am using jdk7 on Windows 7. When I look at the packets from ldapsearch I do not see an unencrypted bindrequest. What I do see are encrypted packets being exchanged once the handshake is complete and LDAP entries from the server are returned.

      Is the fact that the bindrequest is sent unencrypted likely to cause the error? Is there anything I can do to the LdapContext to have it sent encrypted.

      Thanks,
      Mark.