Posted to derby-dev@db.apache.org by "Sunitha Kambhampati (JIRA)" <de...@db.apache.org> on 2006/02/17 07:53:46 UTC
[jira] Created: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
-------------------------------------------------------------------------------------------------------
Key: DERBY-1000
URL: http://issues.apache.org/jira/browse/DERBY-1000
Project: Derby
Type: Bug
Components: Newcomer, Security
Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
Environment: all
Reporter: Sunitha Kambhampati
Priority: Trivial
ij> connect 'jdbc:derby:testdb;user=a;password=p';
ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /server.xyz.com:636
Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
Thus for a ldaps://xyz.com:636 url, it will become ldap://ldaps://xyz.com:636
In the code snippet, dfltLDAPURL is ldap://
        if (ldapServer.startsWith(dfltLDAPURL))
            this.providerURL = ldapServer;
        else if (ldapServer.startsWith("//"))
            this.providerURL = "ldap:" + ldapServer;
        else
            this.providerURL = dfltLDAPURL + ldapServer;
    }
    initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
We should support specifying secure ldap, i.e. ldaps://, in the derby.authentication.server. Add condition to support the ldaps://
i.e.
    if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
        this.providerURL = ldapServer;
========
A workaround to the problem is to set the Context.PROVIDER_URL instead.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
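The branch logic described in the report can be exercised without an LDAP server. The following is an added example, not Derby's code: the class and method names are hypothetical, the port-389 inputs are constructed, and only the two if-chains are taken from the snippet in the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Derby source. Class and method names are
// hypothetical; only the branch logic comes from the snippet in the report.
public class ProviderUrlCheck {

    // The report states that dfltLDAPURL is "ldap://".
    private static final String DFLT_LDAP_URL = "ldap://";

    // Branch logic as quoted in the report, before the fix.
    static String providerUrlBefore(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // Same logic with the extra ldaps:// condition the report proposes.
    static String providerUrlAfter(String ldapServer) {
        if (ldapServer.startsWith(DFLT_LDAP_URL) || ldapServer.startsWith("ldaps://"))
            return ldapServer;
        else if (ldapServer.startsWith("//"))
            return "ldap:" + ldapServer;
        else
            return DFLT_LDAP_URL + ldapServer;
    }

    // Only an ldaps:// provider URL asks for SSL through the URL itself.
    static boolean requestsSsl(String providerUrl) {
        return providerUrl.startsWith("ldaps://");
    }

    public static void main(String[] args) {
        // derby.authentication.server value -> provider URL expected after the fix.
        // The first host is the one used in the report; the others are constructed.
        Map<String, String> expected = new LinkedHashMap<>();
        expected.put("ldaps://xyz.abc.com:636", "ldaps://xyz.abc.com:636");
        expected.put("ldap://xyz.abc.com:389", "ldap://xyz.abc.com:389");
        expected.put("//xyz.abc.com:389", "ldap://xyz.abc.com:389");
        expected.put("xyz.abc.com:389", "ldap://xyz.abc.com:389");

        int failures = 0;
        for (Map.Entry<String, String> e : expected.entrySet()) {
            String before = providerUrlBefore(e.getKey());
            String after = providerUrlAfter(e.getKey());
            boolean ok = after.equals(e.getValue());
            if (!ok) {
                failures++;
            }
            System.out.println("server = " + e.getKey());
            System.out.println("  before fix : " + before
                    + (before.equals(after) ? "" : "   <-- differs from fixed logic"));
            System.out.println("  after fix  : " + after + (ok ? "" : "   <-- UNEXPECTED"));
            System.out.println("  SSL via URL: " + requestsSsl(after));
        }
        if (failures > 0) {
            throw new IllegalStateException(failures + " provider URL(s) did not match");
        }
    }
}
```

The "SSL via URL" line makes it easy to audit which server settings still resolve to a plain ldap:// provider URL after normalization.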
Re: [jira] Created: (DERBY-1000) For LDAP authentication: derby.authentication.server
should support ldaps:// as part of the server url.
Posted by Daniel John Debrunner <dj...@apache.org>.
David W. Van Couvering wrote:
> This is a milestone - our 1000th bug!
The 1000th issue, not bug. Don't want to scare people that Derby is
buggy. The Jira query on code bugs shows 303.
Dan.
Re: [jira] Created: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server url.
Posted by "David W. Van Couvering" <Da...@Sun.COM>.
This is a milestone - our 1000th bug!
Sunitha Kambhampati (JIRA) wrote:
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
>
[jira] Commented: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Francois Orsini (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=comments#action_12366858 ]
Francois Orsini commented on DERBY-1000:
----------------------------------------
Correct - I remember testing LDAPS using the Context.PROVIDER_URL route.
The derby tuning guide documentation should also make mention of using the JNDI Context.PROVIDER_URL property to connect to an LDAP server, as an alternative to the derby 'derby.authentication.server' property. (see 'derby.authentication.server' property section).
Upon fixing this simple issue, the syntax for the derby 'derby.authentication.server' property should be enhanced to also mention LDAPS: as a valid syntax as well as adding an example in the respective section.
    derby.authentication.server=
        [{ ldap: | ldaps: | nisplus: }]
        [//]
        { hostname:portnumber | nisServerName/nisDomain }
    ##LDAPS example
    derby.authentication.server=ldaps://godfrey:9090
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
>
> derby.authentication.server does not recognize secure ldap url - ie if the url starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
> derby.authentication.provider=LDAP
> derby.authentication.server=ldaps://xyz.abc.com:636
> derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
> derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
> derby.connection.requireAuthentication=true
> throws InvalidNameException
> ij> connect 'jdbc:derby:testdb;user=a;password=p';
> ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
> Thus for a ldaps://xyz.com:636 url, it will become ldap://ldaps://xyz.com:636
> In the code snippet, dfltLDAPURL is ldap://
>         if (ldapServer.startsWith(dfltLDAPURL))
>             this.providerURL = ldapServer;
>         else if (ldapServer.startsWith("//"))
>             this.providerURL = "ldap:" + ldapServer;
>         else
>             this.providerURL = dfltLDAPURL + ldapServer;
>     }
>     initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure ldap, i.e. ldaps://, in the derby.authentication.server. Add condition to support the ldaps://
> i.e.
>     if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
>         this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.
[jira] Updated: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Anders Morken (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Anders Morken updated DERBY-1000:
---------------------------------
Attachment: DERBY1000-docs.patch
DERBY1000-docs.patch is a suggestion for an update to the documentation if we start supporting ldaps:// URLs. Further updates to the docs regarding LDAP support will be attached to DERBY-870 if I end up writing some. =)
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Closed: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Sunitha Kambhampati (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Sunitha Kambhampati closed DERBY-1000:
--------------------------------------
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Anders Morken
> Priority: Trivial
> Fix For: 10.2.0.0
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Commented: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Sunitha Kambhampati (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=comments#action_12419625 ]
Sunitha Kambhampati commented on DERBY-1000:
--------------------------------------------
Thanks Anders for posting the patch as well as the doc changes. I applied the DERBY-1000.patch and could successfully connect to a secure ldap server that I have access to and it all works ok. I briefly looked at the docs patch and it looked ok to me. I will leave the doc changes for someone more familiar with dita to comment.
I am not sure how we can add tests for ldap, because it needs a ldap server setup etc.
derby-1000.patch looks good to me. I vote +1 for commit.
Thanks.
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Anders Morken
> Priority: Trivial
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Assigned: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Anders Morken (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Anders Morken reassigned DERBY-1000:
------------------------------------
Assign To: Anders Morken
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Anders Morken
> Priority: Trivial
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Updated: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Anders Morken (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Anders Morken updated DERBY-1000:
---------------------------------
Derby Info: [Patch Available]
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Updated: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Anders Morken (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Anders Morken updated DERBY-1000:
---------------------------------
Attachment: DERBY-1000.patch
DERBY-1000.patch: This little one-line change is all it takes to make derby authenticate against a ldap server over SSL for me. (In addition to the necessary setup of the LDAP server, the self-signed certificate and telling the java SSL certificate verifier to trust it, of course. And the change in DERBY-1174 which I needed for LDAP authentication to work at all for me.)
This change didn't seem to cause any problems in derbyall - sysinfo and sysinfo_withproperties failed due to my locale, the forupdate test fails in the tinderbox test of 390705 as well, and one failure of CompatibilityTest in the initial derbyall run went away when I ran the derbynetclientmats suite without a network server already started.
As for documentation issues, I agree that the docs could use a bit of polishing when it comes to LDAP authentication. I'll see if I can figure out how to update them. =)
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
> Attachments: DERBY-1000.patch
>
[jira] Commented: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Anders Morken (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=comments#action_12418713 ]
Anders Morken commented on DERBY-1000:
--------------------------------------
Now that DERBY-1174 is resolved the patches attached to this issue are technically all you need to let Derby use SSL-enabled LDAP connections to a LDAP directory. While I've tested this manually I haven't written a regression test for it. You need a lot of manual preparation to test this - most notably an SSL-enabled LDAP server to query and bind against, and you need the LDAP server's SSL certificate (or the CA certificate that signed the LDAP server's cert) in your java installation's trusted certificate store. See http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html for more details.
The fact that you need to import the ldap server's cert should probably be mentioned in the docs as well. Is the above URL "stable" enough for us to refer to in Derby documentation?
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Anders Morken
> Priority: Trivial
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
[jira] Resolved: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Knut Anders Hatlen (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Knut Anders Hatlen resolved DERBY-1000:
---------------------------------------
Fix Version: 10.2.0.0
Resolution: Fixed
Derby Info: (was: [Patch Available])
I think the doc patch is ready to be committed too.
Code patch committed with revision 419852.
Doc patch committed with revision 419853.
Thanks to Anders for fixing the code and updating the documentation. Thanks to Sunitha for reviewing the changes.
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Anders Morken
> Priority: Trivial
> Fix For: 10.2.0.0
> Attachments: DERBY-1000.patch, DERBY1000-docs.patch
>
> derby.authentication.server does not recognize a secure LDAP URL, i.e. one that starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
>     derby.authentication.provider=LDAP
>     derby.authentication.server=ldaps://xyz.abc.com:636
>     derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
>     derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
>     derby.connection.requireAuthentication=true
> throws InvalidNameException
>     ij> connect 'jdbc:derby:testdb;user=a;password=p';
>     ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
> Thus for an ldaps://xyz.com:636 URL, it will become ldap://ldaps://xyz.com:636
> In the code snippet, dfltLDAPURL is ldap://
>     if (ldapServer.startsWith(dfltLDAPURL))
>         this.providerURL = ldapServer;
>     else if (ldapServer.startsWith("//"))
>         this.providerURL = "ldap:" + ldapServer;
>     else
>         this.providerURL = dfltLDAPURL + ldapServer;
>     }
>     initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure LDAP, i.e. ldaps://, in derby.authentication.server. Add a condition to support ldaps://
> i.e.
>     if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
>         this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.
[jira] Updated: (DERBY-1000) For LDAP authentication:
derby.authentication.server should support ldaps:// as part of the server
url.
Posted by "Sunitha Kambhampati (JIRA)" <de...@db.apache.org>.
[ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]
Sunitha Kambhampati updated DERBY-1000:
---------------------------------------
Description:
derby.authentication.server does not recognize a secure LDAP URL, i.e. one that starts with ldaps://
Trying to connect using LDAP authentication with the following properties set
    derby.authentication.provider=LDAP
    derby.authentication.server=ldaps://xyz.abc.com:636
    derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
    derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
    derby.connection.requireAuthentication=true
throws InvalidNameException
    ij> connect 'jdbc:derby:testdb;user=a;password=p';
    ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
Thus for an ldaps://xyz.com:636 URL, it will become ldap://ldaps://xyz.com:636
In the code snippet, dfltLDAPURL is ldap://
    if (ldapServer.startsWith(dfltLDAPURL))
        this.providerURL = ldapServer;
    else if (ldapServer.startsWith("//"))
        this.providerURL = "ldap:" + ldapServer;
    else
        this.providerURL = dfltLDAPURL + ldapServer;
    }
    initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
We should support specifying secure LDAP, i.e. ldaps://, in derby.authentication.server. Add a condition to support ldaps://
i.e.
    if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
        this.providerURL = ldapServer;
========
A workaround to the problem is to set the Context.PROVIDER_URL instead.
was:
    ij> connect 'jdbc:derby:testdb;user=a;password=p';
    ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /server.xyz.com:636
Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
Problem is the code expects that if Context.PROVIDER_URL is not set and if derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://, else it just adds ldap://.
Thus for an ldaps://xyz.com:636 URL, it will become ldap://ldaps://xyz.com:636
In the code snippet, dfltLDAPURL is ldap://
    if (ldapServer.startsWith(dfltLDAPURL))
        this.providerURL = ldapServer;
    else if (ldapServer.startsWith("//"))
        this.providerURL = "ldap:" + ldapServer;
    else
        this.providerURL = dfltLDAPURL + ldapServer;
    }
    initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
We should support specifying secure LDAP, i.e. ldaps://, in derby.authentication.server. Add a condition to support ldaps://
i.e.
    if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
        this.providerURL = ldapServer;
========
A workaround to the problem is to set the Context.PROVIDER_URL instead.
> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1000
> URL: http://issues.apache.org/jira/browse/DERBY-1000
> Project: Derby
> Type: Bug
> Components: Newcomer, Security
> Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
> Environment: all
> Reporter: Sunitha Kambhampati
> Priority: Trivial
>