Posted to derby-dev@db.apache.org by "Anders Morken (JIRA)" <de...@db.apache.org> on 2006/04/02 14:41:53 UTC

[jira] Updated: (DERBY-1000) For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.

     [ http://issues.apache.org/jira/browse/DERBY-1000?page=all ]

Anders Morken updated DERBY-1000:
---------------------------------

    Attachment: DERBY-1000.patch

DERBY-1000.patch: This little one-line change is all it takes to make Derby authenticate against an LDAP server over SSL for me. (In addition to the necessary setup of the LDAP server, the self-signed certificate and telling the Java SSL certificate verifier to trust it, of course. And the change in DERBY-1174 which I needed for LDAP authentication to work at all for me.)

This change didn't seem to cause any problems in derbyall - sysinfo and sysinfo_withproperties failed due to my locale, the forupdate test fails in the tinderbox test of 390705 as well, and one failure of CompatibilityTest in the initial derbyall run went away when I ran the derbynetclientmats suite without a network server already started.

As for documentation issues, I agree that the docs could use a bit of polishing when it comes to LDAP authentication. I'll see if I can figure out how to update them. =)

> For LDAP authentication: derby.authentication.server should support ldaps:// as part of the server url.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-1000
>          URL: http://issues.apache.org/jira/browse/DERBY-1000
>      Project: Derby
>         Type: Bug
>   Components: Newcomer, Security
>     Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0, 10.1.2.1, 10.1.2.2, 10.2.0.0
>  Environment: all
>     Reporter: Sunitha Kambhampati
>     Priority: Trivial
>  Attachments: DERBY-1000.patch
>
> derby.authentication.server does not recognize a secure LDAP URL, i.e. if the URL starts with ldaps://
> Trying to connect using LDAP authentication with the following properties set
> derby.authentication.provider=LDAP
> derby.authentication.server=ldaps://xyz.abc.com:636
> derby.authentication.ldap.searchBase='ou=xyz,o=abc.com'
> derby.authentication.ldap.searchFilter='(emailaddress=%USERNAME%)'
> derby.connection.requireAuthentication=true
> throws InvalidNameException
> ij> connect 'jdbc:derby:testdb;user=a;password=p';
> ERROR 08004: Connection refused : javax.naming.InvalidNameException: Invalid name: /xyz.abc.com:636
> Code - LDAPAuthenticationSchemeImpl#setJNDIProviderProperties.
> Problem is the code expects that if Context.PROVIDER_URL is not set and derby.authentication.server is set, then the ldapServer is either of the format //server:port or it already starts with ldap://; else it just adds ldap://.
> Thus for an ldaps://xyz.com:636 URL, it will become ldap://ldaps://xyz.com:636
> In the code snippet, dfltLDAPURL is ldap://
>         if (ldapServer.startsWith(dfltLDAPURL))
>             this.providerURL = ldapServer;
>         else if (ldapServer.startsWith("//"))
>             this.providerURL = "ldap:" + ldapServer;
>         else
>             this.providerURL = dfltLDAPURL + ldapServer;
>     }
>     initDirContextEnv.put(Context.PROVIDER_URL, providerURL);
> We should support specifying secure LDAP, i.e. ldaps://, in derby.authentication.server. Add a condition to support ldaps://,
> i.e.
>     if (ldapServer.startsWith(dfltLDAPURL) || ldapServer.startsWith("ldaps://"))
>         this.providerURL = ldapServer;
> ========
> A workaround to the problem is to set the Context.PROVIDER_URL instead.
