LDAP + SSL

france
Champ in-the-making
Hi,

I successfully configured Alfresco (1.2.0 Enterprise version on Linux)
to use LDAP simple authentication.

I wish to add SSL.

Replacing ldap://myopenldap.comp.be:389 by
ldaps://myopenldap.comp.be:636
in ldap-authentication-context.xml
is not enough.

Can you help me?

On the same system, the command
ldapsearch -x -H ldaps://myopenldap.comp.be
-D "cn=userxxx,ou=users,dc=comp,dc=be" -W -s sub
-b "ou=users,dc=imec,dc=be"
works without problem.

Thanks in advance.

France

andy
Champ on-the-rise
Hi

You need to do some work creating, storing and finding certificates.

I have not set up SSL for LDAP but know it is often used.
There is at least one group I know of who have it up and going.


The following resources should point you in the right direction.

http://www.sun.com/blueprints/0602/816-5203-10.pdf
http://www.phptr.com/articles/article.asp?p=28710&rl=1
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
http://www.openldap.org/doc/admin23/tls.html
http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#HowSSLWorks

Your test is probably finding the correct certificate or you are not connecting to the SSL port.

http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=OpenLDAP+2.3-R...

I would suggest you set the port on the ldap uri on the -H option.

Hope this helps

Regards

Andy

france
Champ in-the-making
Hi Andy,

Sorry, my question was perhaps not so clear.

Here is the current situation:

1. LDAP + SSL works between my linux client and my OpenLDAP server
(correct server certificate, correct port 636)

2. LDAP authentication works within Alfresco.

3. LDAP authentication + SSL does NOT work within Alfresco.

What do I have to do within Alfresco to be able to use SSL for the
LDAP authentication?

Thanks in advance.

France

andy
Champ on-the-rise
Hi

From http://java.sun.com/j2se/1.3/docs/guide/jndi/jndi-ldap-gl.html

java.naming.security.protocol
The value of this property is a string that specifies the security protocol for the provider to use. The following value is defined for this property:
ssl
use Secure Sockets Layer version 3.0.
If this property is set to ssl, the provider must use SSL sockets, or throw ConfigurationException if it is unable to do so. In addition to the value listed above, a provider may support other security protocols. However, such provider-specific protocols might not be supported by all providers. If this property is set to a security protocol that the provider does not recognize or support, it should throw ConfigurationException.

If the java.naming.ldap.factory.socket property is set, then the socket factory identified by that property must create sockets that are appropriate for this protocol setting. For example, if the security protocol is set to ssl, then the socket factory must create SSL-compliant sockets.

If this property is not set then the default is to use no security protocol.

As a developer of the LDAP provider, you should be aware that using SSL to connect to a server on a port that is not listening for SSL connections causes the socket to hang. Similarly, using a plain socket to connect to a server that is listening for SSL connections also leads to hanging. This is a characteristic of the protocol that some implementations may choose to correct but is not otherwise required to do so. The provider's documentation, however, should describe this behavior to its users. See SSL for information on how to use SSL.

For example:

env.put(Context.SECURITY_PROTOCOL, "ssl");
specifies that SSL-compliant sockets be used to communicate with the server.


Set the java.naming.security.protocol property on the bean:

<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <entry key="java.naming.security.protocol">
                    <value>ssl</value>
                </entry>
                <!-- the other entries of the map (factory, provider URL, authentication) stay as they are -->
            </map>
        </property>
</bean>

Use simple authentication.

Then you need to find the certificates:

http://java.sun.com/products/jsse/doc/guide/API_users_guide.html
Describes this in detail.

You need to set up a trust store for your certificates, put the appropriate certificates in and then tell Java where to look.

java -Djavax.net.ssl.trustStore=MyCacertsFile

I am not sure if this can be set in the ldapInitialDirContextFactory bean or if this has to go on the java command line. There is no other way that I can think of to set system properties.

When this is done - the default SSL implementation should find the appropriate certificates to make the connection.

SSL is a bit of a pain as always 🙂

Hope this helps

Regards

Andy
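The bind that Andy's bean configuration and trust-store setting produce, written out as a stand-alone JNDI program so it can be tested outside Alfresco. This is an added example, not code from the thread or from Alfresco; the host name, DNs, password and trust-store path are placeholders, and the trust-store system properties are set programmatically here as an alternative to the -D command-line flag.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Stand-alone JNDI bind over LDAPS. The environment map mirrors what the
// Alfresco ldapInitialDirContextFactory bean builds from its XML entries.
// Host, DNs, password and trust-store path below are placeholders.
public class LdapsBindCheck {

    public static DirContext bind(String url, String userDn, String password,
                                  String trustStore, String trustStorePassword)
            throws NamingException {
        // The default JSSE trust manager reads these when the first SSLContext is
        // initialised, so setting them here before the bind is equivalent to
        // -Djavax.net.ssl.trustStore=... on the java command line.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                  // ldaps://host:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");           // java.naming.security.protocol
        env.put(Context.SECURITY_AUTHENTICATION, "simple");  // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // SSL against a plain-LDAP port (or vice versa) hangs, as the JNDI docs quoted
        // above warn; a connect timeout turns that hang into a quick, visible failure.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values; replace with your own server, DN and trust store.
        DirContext ctx = bind("ldaps://ldap.example.org:636",
                              "cn=user,ou=users,dc=example,dc=org", "secret",
                              "/etc/alfresco/ldap-truststore.jks", "changeit");
        try {
            // A successful bind with a trusted server certificate is the whole check;
            // an untrusted certificate fails in bind() with a CommunicationException
            // whose root cause is an SSLHandshakeException.
            System.out.println("Bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

The trust store can be built from the server's certificate with keytool -importcert -alias ldap -file server-cert.pem -keystore /etc/alfresco/ldap-truststore.jks; the same file is what -Djavax.net.ssl.trustStore points at on the Alfresco JVM.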