Shibboleth Developers

[Walter Hoehn <>]

FYI to anyone who was watching this thread last month:

Support has been added to HEAD for starttls and the SASL EXTERNAL 
authentication method.  See the bugzilla at 
http://bugzilla.internet2.edu/show_bug.cgi?id=283 .

Any help with testing would be appreciated.

-Walter


On Dec 22, 2004, at 3:57 PM, Jim Fox wrote:

> I will submit a bug report for this.
> I'll work on getting you a cert & etc. to test with.
>
> Jim
>
>
> On Wed, 22 Dec 2004, Walter Hoehn wrote:
>
> > Date: Wed, 22 Dec 2004 15:43:05 -0600
> > From: Walter Hoehn 
> > <>
> > To: Jim Fox 
> > <>
> > Cc: 
> >
> > Subject: Re: TLS to LDAP?
> > Hi Jim,
> >
> > I'd like to go ahead and add startTLS support to the mainline JNDI 
> > dataconnector.  Would you mind filing a bugzilla entry for this 
> > feature? Also, it would be very helpful if you could provide a 
> > server/DN/Cert/Key for me test against.  Is that a possibility?
> >
> > -Walter
> >
> >
> > On Dec 15, 2004, at 1:44 PM, Jim Fox wrote:
> >
> > > (Keep in mind that I am not a java expert. Corrections to any 
> > > misunderstandings here are welcome.)
> > > The gist is that TLS has to be negotiated.  We are also using a
> > > SASL mechanism on the LDAP servers.  The code corresponding to
> > > JNDIDirectoryDataConnector.java, around line 220, looks like:
> > >    LdapContext context = null;
> > >    StartTlsResponse tls = null;
> > >    try {
> > >       context = new InitialLdapContext(properties, null);
> > >       /* Start TLS */
> > >       tls = (StartTlsResponse)
> > >              context.extendedOperation(new StartTlsRequest());
> > >       tls.negotiate();
> > >       context.addToEnvironment(Context.SECURITY_AUTHENTICATION, 
> > > "EXTERNAL");
> > >       NamingEnumeration nEnumeration = null;
> > >       ...
> > > and there is a tls.close() later.  I can send you or the list either
> > > the new plugin or a diff from JNDIDirectoryDataConnector if you like.
> > > TLS is not SSL, but does get the principal name from the certificate,
> > > so the xml elements for "security.protocol", "security.principal",
> > > and "security.credentials" are not used.
> > > In addition, as far as I can tell, the certificate properties
> > > associated with TLS authentication, e.g., javax.net.ssl.keyStore,
> > > are global and cannot be set on a per-connection basis.  I think
> > > that's true even if the code does the setProperty, rather than
> > > doing it by a JAVA_OPTS setting in tomcat.
> > > I also encountered a conflict if I tried to connect to one LDAP
> > > server with SSL and id/password auth and to a second LDAP server
> > > with TLS auth.  The keystore property settings seemed to override
> > > the password auth.  Having both LDAPs use TLS worked fine.
> > > I'm using java 1.5.0.
> > > Jim
> > > On Wed, 15 Dec 2004, Walter Hoehn wrote:
> > > > Date: Wed, 15 Dec 2004 13:13:04 -0600
> > > > From: Walter Hoehn 
> > > > <>
> > > > To: Jim Fox 
> > > > <>
> > > > Cc: 
> > > >
> > > > Subject: Re: TLS to LDAP?
> > > > Hi Jim,
> > > > We certainly want to support this configuration.  Can you be 
> > > > specific about what your connector had to do differently?  The 
> > > > shib-supplied JNDI connector should be able to pass-through any 
> > > > property to the Sun ldap provider.
> > > > -Walter
> > > > On Dec 15, 2004, at 11:49 AM, Jim Fox wrote:
> > > > > We want to allow our attribute resolver to contact a couple of
> > > > > LDAP servers that use the TLS protocol - instead of simple SSL.
> > > > > The stock JNDIDirectoryDataConnector did not appear to be able to
> > > > > handle TLS, so we installed a custom connnector.
> > > > > Am I correct about this?  If there is a different way to do
> > > > > TLS to an LDAP server somebody please tell me.  We also
> > > > > authenticate with certificates, instead of passwords.
> > > > > Otherwise, TLS seems like a natural protocol to support.
> > > > > The standard JNDI connector could easily be adapted to do so.
> > > > > Might this be added?
> > > > > Jim

Attachment: smime.p7s
Description: S/MIME cryptographic signature