[patch] StartTLS for LDAP queries

This patch adds TLS support for LDAP connections (RFC 2830) by using an LDAPv3-style extended operation.

There are a few drawbacks when using TLS instead of SSL:

  • The JNDI LDAP connection pool must be disabled since we cannot find out whether StartTLS has been invoked already. (InitialLdapContext could create a new connection or use an existing connection). -> com.sun.jndi.ldap.connect.pool = false; See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.
  • Context.REFERRAL = “follow” is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warning message will be logged).
  • checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).
  • You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.

I am currently testing it with Openfire 3.6.4 against Active Directory’s LDAP service.

Greetings,

Daniel
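The JNDI sequence the post describes, as an added illustration (this is example code, not the submitted patch and not Openfire's own LDAP code): pooling off, referrals not followed, StartTLS negotiated before any credentials are set, and a dummy lookup to force the bind over the upgraded connection. The server URL, user DN and password passed to checkAuthentication are placeholders.

```java
// Added example, not part of the patch: StartTLS (RFC 2830) over JNDI with the
// constraints from the post applied. Host name, DN and password are placeholders.
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsExample {

    /**
     * Opens an unauthenticated LDAPv3 connection, upgrades it with StartTLS,
     * and only then binds as the given user. Returns true if the bind succeeds.
     * Throws NamingException if the TLS layer cannot be negotiated, so the
     * credentials never fall back to a cleartext bind.
     */
    static boolean checkAuthentication(String url, String userDn, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // plain ldap://host:389; StartTLS upgrades it in place
        env.put("java.naming.ldap.version", "3");         // extended operations require LDAPv3
        // Pooling off: a pooled InitialLdapContext could hand back a connection that
        // was never upgraded, and the bind below would then go out unencrypted.
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        // Do not follow referrals: the provider would open a fresh, non-TLS
        // connection to the referral target.
        env.put(Context.REFERRAL, "ignore");

        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            // Anonymous at this point; nothing sensitive has been sent yet.
            ctx = new InitialLdapContext(env, null);

            // Issue the StartTLS extended operation and run the handshake. The JDK's
            // default StartTlsResponse implementation verifies the certificate host name.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            SSLSession session = tls.negotiate();
            System.out.println("TLS negotiated: " + session.getProtocol()
                    + " / " + session.getCipherSuite());

            // Credentials are added only after the channel is encrypted. JNDI binds
            // lazily, so a cheap lookup (root DSE attributes) forces the (re-)bind now.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.getAttributes("");
            return true;
        } catch (AuthenticationException e) {
            return false;                                 // wrong credentials, but they travelled over TLS
        } catch (IOException e) {
            // Negotiation failed: abort instead of continuing on the cleartext connection.
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        } finally {
            // Tear down the TLS layer first, then the LDAP connection.
            if (tls != null) {
                try { tls.close(); } catch (IOException ignored) { }
            }
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values; replace with a real directory to try this out.
        boolean ok = checkAuthentication("ldap://ldap.example.test:389",
                "CN=jdoe,OU=Users,DC=example,DC=test", "placeholder-password");
        System.out.println("bind succeeded: " + ok);
    }
}
```

The order of the environment changes is the whole point: credentials are set on the context only after negotiate() returns, and an IOException from negotiate() is turned into a failure rather than silently leaving the bind on the plaintext socket.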

Hi,

Thanks for your contribution, I filed OF-66 to track this patch.

daryl

Daniel, did your testing bring any interesting findings to light?

(You posted an empty response?)

It seems that the system did not accept my email.

Unfortunately I was not able to make any further tests since my boss decided to cancel the “Instant messaging project”.

Sorry.

It’s a pity, because I even wrote a patch for PSI to support Kerberos auth on Windows clients. :frowning:

Ah, too bad. I couldn’t find any major issue in your patch - it will be part of the next release of Openfire.

Sorry to bring an old thread back, but has it been added to Openfire?

I can’t find anything about TLS support for LDAP queries.

Thanks

Well, the ticket is closed and in the comments Guus says that he has committed the patch.