directory-dev mailing list archives

From "Anthony Winstanley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSTUDIO-1173) StartTLS fails when required by LDAP service
Date Thu, 01 Mar 2018 06:00:00 GMT

[ https://issues.apache.org/jira/browse/DIRSTUDIO-1173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16381557#comment-16381557 ]

Anthony Winstanley commented on DIRSTUDIO-1173:
-----------------------------------------------

Using ldapsearch yields the following:
{code:java}
Frame 1: 97 bytes on wire (776 bits), 97 bytes captured (776 bits) on interface 0
Transmission Control Protocol, Src Port: 55422, Dst Port: 389, Seq: 1, Ack: 1, Len: 31
Lightweight Directory Access Protocol
    LDAPMessage extendedReq(1)
        messageID: 1
        protocolOp: extendedReq (23)
            extendedReq
                requestName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response In: 2]

Frame 2: 112 bytes on wire (896 bits), 112 bytes captured (896 bits) on interface 0
Transmission Control Protocol, Src Port: 389, Dst Port: 55422, Seq: 1, Ack: 32, Len: 46
Lightweight Directory Access Protocol
    LDAPMessage extendedResp(1)
        messageID: 1
        protocolOp: extendedResp (24)
            extendedResp
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
                responseName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response To: 1]
        [Time: 0.000730199 seconds]
{code}
Using ADS yields something slightly different:
{code:java}
Frame 1: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Transmission Control Protocol, Src Port: 49906, Dst Port: 389, Seq: 1, Ack: 1, Len: 60
Lightweight Directory Access Protocol
    LDAPMessage extendedReq(1)
        messageID: 1
        protocolOp: extendedReq (23)
            extendedReq
                requestName: 1.3.6.1.4.1.1466.20037 (LDAP_START_TLS_OID)
        [Response In: 2]
        controls: 1 item
            Control
                controlType: 2.16.840.1.113730.3.4.2 (Manage DSA IT LDAPv3 control)

Frame 2: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) on interface 0
Transmission Control Protocol, Src Port: 389, Dst Port: 49906, Seq: 1, Ack: 61, Len: 31
Lightweight Directory Access Protocol
    LDAPMessage extendedResp(1) (STARTTLS required)
        messageID: 1
        protocolOp: extendedResp (24)
            extendedResp
                resultCode: inappropriateAuthentication (48)
                matchedDN: 
                errorMessage: STARTTLS required
        [Response To: 1]
        [Time: 0.016039000 seconds]
{code}
What's with the LDAP control that ADS is using?

(I hope this is enough of the capture... I tried 3 different trace anonymisers before giving up and summarizing...)

> StartTLS fails when required by LDAP service
> --------------------------------------------
>
>                 Key: DIRSTUDIO-1173
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1173
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M13
>         Environment: Windows 10 Pro 64bit
>            Reporter: Anthony Winstanley
>            Priority: Major
>
> We have 389-ds sitting behind an f5 load balancer. The load balancer requires connections on port 389 to use StartTLS. It makes connections to the 389-ds servers on port 389 using StartTLS.
> If I connect directly to port 389 on a 389-ds server with "Use StartTLS extension", the connection is fine. If I change the hostname of this connection to the load-balanced hostname, I get:
> "The connection failed - [LDAP: error code 48 - STARTTLS required]"
> However, ldapsearch successfully makes STARTTLS connections through the load balancer like:
> ldapsearch -x -H ldap://lbhost.example.com -ZZ
>
>
> My guess is that ADS is not activating StartTLS soon enough when connecting to port 389... which is fine if the connection doesn't require the use of StartTLS, but unworkable when it does.
> Of course, I'm hoping this is an easy fix...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
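Added example, not part of the issue thread or of the Directory Studio code base: the two requests in the capture differ only in the control attached to the StartTLS extended operation. The control, 2.16.840.1.113730.3.4.2, is ManageDsaIT from RFC 3296, which describes it as intended for interrogation and update operations rather than for StartTLS. Whether the load balancer rejects the request because of that control is not something the capture proves, but it is the only visible difference between the two frames. The Python below hand-rolls the small BER subset an LDAPMessage needs, rebuilds the four messages from the values shown in the dissection, checks that the encoded sizes match the TCP payload lengths Wireshark reported, and decodes them back to list the operation, result code and any controls. The OIDs, result codes and the error string are the page's; the byte layouts are constructed by this encoder and the helper names (`tlv`, `start_tls_request`, `decode`, `replay_capture`) are this example's own.

```python
"""Rebuild and decode the LDAP StartTLS exchange from the capture.

Minimal BER for the LDAPMessage subset involved (RFC 4511): INTEGER,
ENUMERATED, OCTET STRING, SEQUENCE and context/application tags.
Helper names are this example's own; the OIDs, result codes and the
error string are the values shown in the Wireshark dissection.
"""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"       # LDAP_START_TLS_OID (RFC 4511)
MANAGE_DSA_IT_OID = "2.16.840.1.113730.3.4.2"  # ManageDsaIT control (RFC 3296)
INAPPROPRIATE_AUTHENTICATION = 48              # resultCode seen from the load balancer


def tlv(tag, body, long_len=False):
    """Tag-length-value. long_len forces the 4-byte long form (0x84 ...) that
    some encoders emit for SEQUENCEs; both forms are valid BER."""
    n = len(body)
    if long_len:
        length = b"\x84" + n.to_bytes(4, "big")
    elif n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def integer(value, tag=0x02):
    size = max(1, (value.bit_length() + 8) // 8)   # leave room for the sign bit
    return tlv(tag, value.to_bytes(size, "big", signed=True))


def octet_string(text, tag=0x04):
    return tlv(tag, text.encode("ascii"))


def start_tls_request(message_id=1, controls=()):
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID }, optionally
    followed by Controls [0] SEQUENCE OF Control { controlType, criticality?, value? }.
    Criticality is omitted (= FALSE), matching the ADS frame in the capture."""
    msg = integer(message_id) + tlv(0x77, octet_string(START_TLS_OID, tag=0x80))
    if controls:
        msg += tlv(0xA0, b"".join(tlv(0x30, octet_string(oid)) for oid in controls))
    return tlv(0x30, msg)


def extended_response(result_code, error_message="", response_name=None,
                      message_id=1, long_len=False):
    """ExtendedResponse [APPLICATION 24] { resultCode ENUMERATED, matchedDN,
    errorMessage, responseName [10] OPTIONAL }."""
    body = integer(result_code, tag=0x0A) + octet_string("") + octet_string(error_message)
    if response_name:
        body += octet_string(response_name, tag=0x8A)
    return tlv(0x30, integer(message_id) + tlv(0x78, body, long_len), long_len)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); accepts short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v


def decode(msg):
    """Summarise an LDAPMessage the way the dissection does: op, result, controls."""
    tag, body, end = read_tlv(msg)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    parts = list(children(body))
    out = {"messageID": int.from_bytes(parts[0][1], "big", signed=True), "controls": []}
    op_tag, op = parts[1]
    if op_tag == 0x77:                                   # extendedReq
        out["protocolOp"] = "extendedReq"
        out["requestName"] = next(v for t, v in children(op) if t == 0x80).decode()
    elif op_tag == 0x78:                                 # extendedResp
        fields = list(children(op))
        out["protocolOp"] = "extendedResp"
        out["resultCode"] = int.from_bytes(fields[0][1], "big", signed=True)
        out["errorMessage"] = fields[2][1].decode()
        out["responseName"] = next((v.decode() for t, v in fields if t == 0x8A), None)
    else:
        out["protocolOp"] = "tag 0x%02x" % op_tag
    for t, v in parts[2:]:
        if t == 0xA0:                                    # controls [0]
            out["controls"] += [next(children(ctrl))[1].decode() for _, ctrl in children(v)]
    return out


def replay_capture():
    """Encode the four frames and report sizes next to the Len: values Wireshark showed."""
    frames = {
        "ldapsearch request (Len: 31)": start_tls_request(),
        "ADS request (Len: 60)": start_tls_request(controls=[MANAGE_DSA_IT_OID]),
        "389-ds success response (Len: 46)": extended_response(0, response_name=START_TLS_OID, long_len=True),
        "load balancer error (Len: 31)": extended_response(INAPPROPRIATE_AUTHENTICATION, "STARTTLS required"),
    }
    return {name: (len(raw), decode(raw)) for name, raw in frames.items()}


if __name__ == "__main__":
    for name, (size, summary) in replay_capture().items():
        print(f"{name}: {size} bytes -> {summary}")
```

The three short-form encodings come out at exactly the 31, 60 and 31 bytes in the capture, so the ADS frame carries nothing beyond a bare StartTLS request plus one non-critical ManageDsaIT control. The 389-ds success response encodes to 38 bytes in short form; the 46 bytes Wireshark reported is what you get if the sender writes its two SEQUENCE lengths in 4-byte long form, which BER permits and `long_len=True` reproduces. That the server really encodes that way is an inference from the length alone, not something the dissection states; the decoder accepts either form so the check does not depend on it.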
