Posted to commits@directory.apache.org by el...@apache.org on 2017/01/05 05:04:45 UTC

svn commit: r1777413 - in /directory/site/trunk/content/api: user-guide.mdtext user-guide/5-ldap-security.mdtext user-guide/5.1-ldaps.mdtext user-guide/5.1-ssl.mdtext

Author: elecharny
Date: Thu Jan  5 05:04:45 2017
New Revision: 1777413

URL: http://svn.apache.org/viewvc?rev=1777413&view=rev
Log:
Renamed a page, fixed broken links

Added:
    directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
Removed:
    directory/site/trunk/content/api/user-guide/5.1-ssl.mdtext
Modified:
    directory/site/trunk/content/api/user-guide.mdtext
    directory/site/trunk/content/api/user-guide/5-ldap-security.mdtext

Modified: directory/site/trunk/content/api/user-guide.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/api/user-guide.mdtext?rev=1777413&r1=1777412&r2=1777413&view=diff
==============================================================================
--- directory/site/trunk/content/api/user-guide.mdtext (original)
+++ directory/site/trunk/content/api/user-guide.mdtext Thu Jan  5 05:04:45 2017
@@ -50,7 +50,7 @@ We are interested in improving the conte
 
 * [2 - Basic LDAP API usage (...)](user-guide/2-basic-ldap-api-usage.html)
     *  [2.1 - Connection and disconnection](user-guide/2.1-connection-disconnection.html)
-    *  [2.2 - Binding and unbinding (...)](user-guide/2.2-binding-unbinding.html)
+    *  [2.2 - Binding and unbinding](user-guide/2.2-binding-unbinding.html)
     *  [2.3 - Searching (...)](user-guide/2.3-searching.html)
     *  [2.4 - Adding entries](user-guide/2.4-adding.html)
     *  [2.5 - Deleting entries](user-guide/2.5-deleting.html)
@@ -85,10 +85,13 @@ We are interested in improving the conte
 
 * [5 - LDAP security (e)](user-guide/5-ldap-security.html)
 
-    *  [5.1 - ACI and ACLs (e)](user-guide/5.1-aci-and-acls.html)
-    *  [5.2 - SSL (e)](user-guide/5.2-ssl.html)
-    *  [5.3 - StartTLS (e)](user-guide/5.3-start-tls.html)
-
+    *  [5.1 - LDAPS](user-guide/5.1-ldaps.html)
+    *  [5.2 - StartTLS (e)](user-guide/5.2-start-tls.html)
+    *  [5.3 - Password handling](user-guide/5.3-password-handling.html)
+    *  [5.4 - SASL Bind](user-guide/5.4-sasl-bind.html)
+    *  [5.5 - Certificates](user-guide/5.5-certificates.html)
+    *  [5.6 - ACI and ACLs (e)](user-guide/5.6-aci-and-acls.html)
+    
 * [6 - LDAP data structures (...)](user-guide/6-ldap-data-structures.html)
 
     *  [6.1 - AdministrativePoint (e)](user-guide/6.1-administrative-point.html)
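Review bot: the renumbered link targets in this hunk, `5.2-start-tls.html` (was `5.3-start-tls.html`) and `5.6-aci-and-acls.html` (was `5.1-aci-and-acls.html`), together with the new `5.3-password-handling.html`, `5.4-sasl-bind.html` and `5.5-certificates.html`, point at pages this commit neither adds nor renames; the only rename recorded above is `5.1-ssl.mdtext` to `5.1-ldaps.mdtext`. Unless those five pages already exist under these names, the index gains new dead links in a commit whose log says it fixes broken ones, so please confirm they exist or add them as placeholders here. Also, the line replacing the blank separator is four trailing spaces (`+    `) rather than an empty line; drop the whitespace. Dropping the `(e)` marker from 5.1 is consistent with 5.1 being the one page that actually gets content in this commit.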

Modified: directory/site/trunk/content/api/user-guide/5-ldap-security.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/api/user-guide/5-ldap-security.mdtext?rev=1777413&r1=1777412&r2=1777413&view=diff
==============================================================================
--- directory/site/trunk/content/api/user-guide/5-ldap-security.mdtext (original)
+++ directory/site/trunk/content/api/user-guide/5-ldap-security.mdtext Thu Jan  5 05:04:45 2017
@@ -41,9 +41,9 @@ Last, but not least, we have seen how to
 
 ## Contents
 
-*  [5.1 - SSL (e)](user-guide/5.1-ssl.html)
-*  [5.2 - StartTLS (e)](user-guide/5.2-start-tls.html)
-*  [5.3 - Password handling](user-guide/5.3-password-handling.html)
-*  [5.4 - SASL Bind](user-guide/5.4-sasl-bind.html)
-*  [5.5 - Certificates](user-guide/5.5-certificates.html)
-*  [5.6 - ACI and ACLs (e)](user-guide/5.6-aci-and-acls.html)
+*  [5.1 - LDAPS](5.1-ldaps.html)
+*  [5.2 - StartTLS (e)](5.2-start-tls.html)
+*  [5.3 - Password handling](5.3-password-handling.html)
+*  [5.4 - SASL Bind](5.4-sasl-bind.html)
+*  [5.5 - Certificates](5.5-certificates.html)
+*  [5.6 - ACI and ACLs (e)](5.6-aci-and-acls.html)
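Review bot: the path fix is right for a page that itself lives in `user-guide/` (the old `user-guide/5.1-ssl.html` form would only resolve from the parent index), but as in the index hunk, entries 5.2 through 5.6 link to pages this commit does not touch, so the same existence check applies before calling the links fixed. Consider also keeping the page-status markers in step between this contents list and the index in `user-guide.mdtext`; they agree now, so any later status change needs to be made in both places.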

Added: directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext?rev=1777413&view=auto
==============================================================================
--- directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext (added)
+++ directory/site/trunk/content/api/user-guide/5.1-ldaps.mdtext Thu Jan  5 05:04:45 2017
@@ -0,0 +1,111 @@
+Title: 5.1 - LDAPS
+NavPrev: 5-ldap-security.html
+NavPrevText: 5 - LDAP Security
+NavUp: 5-ldap-security.html
+NavUpText: 5 - LDAP Security
+NavNext: 5.2-start-tls.html
+NavNextText: 5.2 - StartTLS
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+# 5.1 - LDAPS
+
+**LDAP** supports **SSL**, it's called **LDAPS**, and it uses a dedicated port. As of today, and since 2000, **LDAPS** is deprecated and **StartTLS** should be used.
+
+That being said, many servers accept **LDAPS**, and the Apache LDAP API supports it.
+
+## How does it work ?
+
+The **SSL** protocol ensures that data are transmitted encrypted, and guarantees that the data being received are valid. Nobody can capture those data and read them, assuming the ciphers being used are strong enough.
+
+With **SSL**, a dialog between the client and the server occurs, and when both part agree on the cipher to use, then all subsequent data is encrypted. This dialog may include a mutual validation. 
+
+## Protocols
+
+There are many version that can be used, but the idea is to use tha most recent one, if the server supports it. In any case, as we depend on **Java**, we are also limited by the supported version on the client side. Here are all the existing version, and their status :
+
+| SSLversion | Java 7 Client | Java 7 Server | Java 8 Client | Java 8 Server |
+|---|---|---|---|---|
+| 2.0 | N/A | N/A | N/A | N/A |
+| 3.0 | Disabled | Disabled | N/A | N/A |
+| 3.1 (aka TLSv1) | **Enabled** | **Enabled** | **Enabled** | **Enabled** |
+| 3.2 (aka TLSv1.1 | Disabled | **Enabled** | **Enabled** | **Enabled** |
+| 3.3 (aka TLSv1.2) | Disabled | **Enabled** | **Enabled** | **Enabled** |
+
+(_Disabled_ mean it's not active by default, and must be activated explicitely).
+
+The default is for Java to pick the one that fits, assuming that it will always start with the newest version (**TLSv1.2**).
+
+Still, you can enforce the version if needed.
+
+## A quick primer
+
+Here is all what you need to get a **LDAPS** connection established with a server :
+
+        try ( LdapConnection connection = new LdapNetworkConnection( "server-name", 636, true ) )
+        {
+            connection.bind( "uid=admin,ou=system", "secret" );
+
+            assertTrue( connection.isAuthenticated() );
+        }
+
+This is as simple as that ! The **636* port is the default **LDAPS** port for standard **LDAP** servers, when running as **root**, and for **ApacheDS** you will have to pick **10636**. The **true** flag is set to secure the connection. You don't need to close the connection, it will be done automatically when exiting the try{...} block.
+
+By default, the selected protocol is **TLS**, and we wont verify the server's certificate.
+
+## A more sophisticated sample
+
+It's possible to have more control on the **SSL** configuration, and specifically to provide a specific **TrustManager** :
+
+        try ( LdapConnection connection = new LdapNetworkConnection( Network.LOOPBACK_HOSTNAME, getLdapServer().getPortSSL(), new NoVerificationTrustManager() ) )
+        {
+            connection.bind( "uid=admin,ou=system", "secret" );
+            
+            assertTrue( ((LdapNetworkConnection)connection).getConfig().isUseSsl() );
+            assertTrue( connection.isAuthenticated() );
+        }
+
+Here, we use the _NoVerificationTrustManager_ class, but you can define your own implementation. The **Fortress** project is using [this class](https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/ldap/LdapClientTrustStoreManager.java).
+
+## Using a configuration
+
+One step further : you can define a dediated configuration that is passed to the constructor. Many parameters can be defined :
+
+* the enabled cipher suites
+* the enabled protocols
+* the KeyManager instances
+* the SecureRandom instance
+* the SSL protocol to use
+* the TrustManager instances
+
+All those parameters are configured using the _LdapConnectionConfig_ class :
+
+        LdapConnectionConfig sslConfig = new LdapConnectionConfig();
+        sslConfig.setLdapHost( Network.LOOPBACK_HOSTNAME );
+        sslConfig.setUseSsl( true );
+        sslConfig.setLdapPort( getLdapServer().getPortSSL() );
+        sslConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+        try ( LdapConnection connection = new LdapNetworkConnection( sslConfig ) )
+        {
+            connection.bind( "uid=admin,ou=system", "secret" );
+            
+            assertTrue( ((LdapNetworkConnection)connection).getConfig().isUseSsl() );
+            assertTrue( connection.isAuthenticated() );
+        }
+
+
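Review bot: the "quick primer" is presented as all that is needed for LDAPS, yet the page itself says `By default, the selected protocol is **TLS**, and we wont verify the server's certificate.`, and both longer samples wire in `NoVerificationTrustManager`. A connection that accepts any certificate gives the confidentiality the "How does it work ?" section promises against a passive eavesdropper only; anyone on the path who can present their own certificate terminates the TLS session and reads the `uid=admin,ou=system` / `secret` bind in the clear. Please state that explicitly next to the primer, label `NoVerificationTrustManager` as test-only, and make the `LdapConnectionConfig` sample the one readers copy by giving it a verifying trust manager (the linked Fortress `LdapClientTrustStoreManager` is the obvious candidate) and showing the enabled-protocols and cipher-suite settings the bullet list above names but never demonstrates. Smaller points: the claim that LDAPS has been deprecated since 2000 carries no reference and should cite one or be softened; the protocol table contradicts the paragraph after it, since a Java 7 client is shown with TLSv1.1 and TLSv1.2 `Disabled`, so "it will always start with the newest version (**TLSv1.2**)" does not hold there; `3.2 (aka TLSv1.1` is missing its closing parenthesis and `SSLversion` a space; `**636*` breaks the bold markup; typos: `many version`, `tha most`, `all the existing version`, `both part`, `explicitely`, `wont`, `dediated`.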