I found several discussions about this issue on the net, but none of them worked for me.
I am trying to authenticate via LDAP using a TLS connection.
I get contradictory responses when using the ldapsearch command and the Java code.
With the ldapsearch command, searching with TLS works and fails without it,
while in the Java code the standard LDAPS connection works and TLS fails.
Here's the ldapsearch results:
With TLS:
/usr/bin/ldapsearch -h ldap.server.com -Z -x -D "#BIND_DN#" -W -b "#SEARCH_BASE#" -s sub "(cn=#USERNAME#)"
Enter LDAP Password: XXXXXXXX
....
mail: [email protected]
result: 0 Success
Without TLS:
/usr/bin/ldapsearch -h ldap.server.com -p 636 -x -D "#BIND_DN#" -W -b "#SEARCH_BASE#" -s sub "(cn=#USERNAME#)"
Enter LDAP Password: XXXXXXXXX
ldap_result: Can't contact LDAP server (-1)
And here are the Java results:
Without TLS:
>>java -cp lib com.myapp.toolkit.auth.LDAPTestKit
[LDAPTestKit] found authenContext.
[LDAPTestKit] Authentication Success
[LDAPTestKit] Found attributes:
[LDAPTestKit] mail : [email protected]
....
With TLS:
>>java -cp lib com.myapp.toolkit.auth.LDAPTestKit
ERROR [main] [] [LDAPTestKit] Initial binding - Failure
[LDAP: error code 1 - TLS already started]
javax.naming.NamingException: [LDAP: error code 1 - TLS already started]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3192)
at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:164)
I use the following code:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

Hashtable<String, Object> bindEnv = new Hashtable<>();
bindEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
bindEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
bindEnv.put(Context.REFERRAL, "follow");
bindEnv.put(Context.PROVIDER_URL, "ldaps://ldap.server.com:636");
// these two string keys are the same as Context.SECURITY_PRINCIPAL / Context.SECURITY_CREDENTIALS
bindEnv.put("java.naming.security.principal", "#BIND_DN#");
bindEnv.put("java.naming.security.credentials", "#BIND_PASS#");
// creating the context opens the ldaps:// connection and performs the simple bind
LdapContext bindCtx = new InitialLdapContext(bindEnv, null);
// So far O.K
// StartTLS extended operation sent on a connection that is already TLS (ldaps://)
StartTlsResponse tls = (StartTlsResponse) bindCtx.extendedOperation(new StartTlsRequest());
// Exception!!!
tls.negotiate();
I tried it with "ldap://" instead of "ldaps://" but got the same response.
Is it a certificate issue? Or is there anything I am missing in the code?
Thanks
Comments:
StartTlsResponse tls = (StartTlsResponse) bindCtx.extendedOperation(new StartTlsRequest()); tls.negotiate();? - Balint Bako
ldaps binding URL then it will be in an SSL channel, which should be sufficient. - Balint Bako
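The two ways JNDI can get an encrypted LDAP session are mutually exclusive: with an ldaps:// URL the socket is TLS from the first byte (which is what the comment above means by "an SSL channel"), so sending the StartTLS extended operation afterwards is what produces "TLS already started"; with an ldap:// URL the session starts in plaintext and StartTLS upgrades it, and in that mode the bind DN and password must be supplied only after the upgrade, otherwise InitialLdapContext binds in the clear before the handshake. The following class is an added example, not code from the question or its comments, showing both modes side by side. The host ldap.server.com, the #BIND_DN#, #SEARCH_BASE# and #USERNAME# placeholders are taken from the question; port 389 for StartTLS and the LDAP_BIND_PASS environment variable are assumptions of this example.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class LdapTlsModes {

    // Settings common to both modes. No credentials here on purpose.
    private static Hashtable<String, Object> baseEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.REFERRAL, "follow");
        return env;
    }

    /** Mode 1: LDAPS. The connection is TLS from the start, so the simple bind that
     *  InitialLdapContext performs on creation is already encrypted. Do not send a
     *  StartTLS extended operation on this context: the server answers
     *  "TLS already started". */
    public static LdapContext connectLdaps(String host, int port, String bindDn, String password)
            throws NamingException {
        Hashtable<String, Object> env = baseEnv("ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);   // TLS handshake + simple bind
    }

    /** Mode 2: StartTLS. Open a plaintext LDAP session (port 389 assumed) WITHOUT
     *  credentials, upgrade it to TLS, and only then hand over the bind DN and
     *  password, so they never cross the wire unencrypted. */
    public static LdapContext connectStartTls(String host, int port, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = baseEnv("ldap://" + host + ":" + port);
        LdapContext ctx = new InitialLdapContext(env, null);   // unauthenticated so far

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // negotiate() runs the TLS handshake. The JDK validates the server certificate
        // against the JVM trust store and checks its name against the host in the URL.
        // Do not "fix" a name mismatch with a HostnameVerifier that always returns true.
        SSLSession session = tls.negotiate();
        System.out.println("StartTLS up: " + session.getProtocol() + " " + session.getCipherSuite());

        // Credentials go in after the upgrade; reconnect() performs the bind inside TLS.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = "ldap.server.com";                   // from the question
        String bindDn = "#BIND_DN#";                       // placeholder from the question
        String password = System.getenv("LDAP_BIND_PASS"); // assumed env var; never hard-code it
        String username = "#USERNAME#";                    // placeholder from the question

        boolean startTls = args.length > 0 && args[0].equals("starttls");
        LdapContext ctx = startTls
                ? connectStartTls(host, 389, bindDn, password)
                : connectLdaps(host, 636, bindDn, password);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"mail"});
            // {0} is substituted by JNDI with the value escaped, so a user-supplied name
            // cannot alter the filter (LDAP injection); never concatenate it into the string.
            NamingEnumeration<SearchResult> results =
                    ctx.search("#SEARCH_BASE#", "(cn={0})", new Object[] {username}, sc);
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println(r.getNameInNamespace() + " " + r.getAttributes().get("mail"));
            }
        } finally {
            ctx.close();   // also tears down the TLS session
        }
    }
}
```

Run with `java LdapTlsModes` for LDAPS on 636 or `java LdapTlsModes starttls` for StartTLS on 389. In both modes the server certificate must chain to a CA the JVM trusts; a handshake failure surfaces as an SSLHandshakeException with a "PKIX path building failed" cause, and the fix is to import the CA into the trust store (or point at one with `-Djavax.net.ssl.trustStore=...`), not to disable verification. Note that on ldaps:// URLs the JDK did not check the certificate name against the host on older releases; since 8u181 / 11 that endpoint identification is on by default.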