This patch adds TLS support for LDAP connections (RFC 2830) by using an LDAPv3-style extended operation.
There are a few drawbacks when using TLS instead of SSL:
- The JNDI LDAP connection pool must be disabled, since we cannot find out whether StartTLS has been invoked already (InitialLdapContext could create a new connection or use an existing connection) -> com.sun.jndi.ldap.connect.pool = false; see http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.
- Context.REFERRAL = "follow" is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warning message will be logged).
- checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).
- You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options, SSL will be preferred.
I am currently testing it with openfire 3.6.4 against Active Directory’s LDAP service.
Greetings,
Daniel
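The sequence the message describes (pooling off, referrals not followed, StartTLS negotiated on an anonymous connection, then a re-bind forced by a dummy lookup) looks roughly like the following in plain JNDI. This is an added illustration written for this page, not Daniel's patch or Openfire code; the host, bind DN and method names are hypothetical, and the certificate is validated against the JVM's default trust store unless a custom SSLSocketFactory is supplied.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class StartTlsBindExample {

    // Hypothetical values for illustration; replace with the real directory host and DN.
    static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    static final String BIND_DN = "cn=jdoe,ou=users,dc=example,dc=invalid";

    /** Opens a plain LDAP connection, upgrades it with StartTLS, then binds over TLS. */
    public static LdapContext connectWithStartTls(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Pooling must be off: a pooled connection could be handed back without
        // StartTLS ever having been negotiated on it.
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        // Do not follow referrals: the provider would open a fresh connection to the
        // referral target without StartTLS, sending that traffic in plaintext.
        env.put(Context.REFERRAL, "throw");

        // The initial connection is anonymous and unencrypted; the extended operation
        // upgrades this same TCP connection to TLS.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // negotiate() performs the handshake and, by default, verifies the server
        // certificate chain and checks the hostname against the certificate.
        tls.negotiate();

        // Only now that the channel is encrypted do we attach credentials.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // JNDI binds lazily: an operation is needed to force the re-bind with the
        // credentials just set. Reading the root DSE is the "dummy lookup".
        ctx.getAttributes("", new String[] {"supportedExtension"});
        return ctx;
    }

    /** Returns true if the credentials are accepted by the directory over TLS. */
    public static boolean checkAuthentication(String bindDn, String password) {
        try (AutoCloseable closer = connectWithStartTls(LDAP_URL, bindDn, password)::close) {
            return true; // the dummy lookup succeeded, so the bind was accepted
        } catch (AuthenticationException e) {
            return false; // wrong DN or password: the bind itself was rejected
        } catch (Exception e) {
            // Network, TLS (e.g. untrusted certificate) or other directory errors:
            // fail closed rather than treating them as a successful login.
            return false;
        }
    }

    public static void main(String[] args) {
        String password = args.length > 0 ? args[0] : "";
        System.out.println("authenticated: " + checkAuthentication(BIND_DN, password));
    }
}
```

The environment setup is the part worth copying: if `com.sun.jndi.ldap.connect.pool` is left at its default, or `Context.REFERRAL` is set to `follow`, some operations can silently travel over a connection on which `negotiate()` was never called.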