Created attachment 25916: InitialContextFactory which produces TLS enabled LdapContext instances

To enable TLS for LDAP inside JNDIRealm one has to either patch JNDIRealm directly and introduce another state variable to hold TLS-state - and thus make introduction of pooling harder, or use a factory which produces TLS enabled DirContext instances. Such a factory is attached. It can be configured by specifying a contextFactory in JNDIRealm config:

<Realm ... contextFactory="org.apache.catalina.realm.LdapTlsContextFactory" ... />

I think it would be a good idea to add a parameter startTLS to JNDIRealm, which would automatically use the above TLS-ContextFactory. If wanted, I could supply a patch. (The patch is against tomcat 6.0.x trunk, but I think it will apply fine to trunk too.)
See also http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo
The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which claims to support both SSL and STARTTLS: http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL Am I missing something?
Created attachment 32448: Enable starttls for JNDIRealm

I integrated the functionality into JNDIRealm. There is no documentation yet and I am not sure whether I should include the HostnameVerifier as an enum. I will extend the method, so that I can use the given string for construction of one. I will commit the code together with documentation to trunk if no one objects.
Created attachment 32465: Enable starttls for JNDIRealm

Basically the same as the last patch, but now with documentation and the possibility to specify an SSLSocketFactory.
(In reply to Christopher Schultz from comment #2)
> The default connection factory is com.sun.jndi.ldap.LdapCtxFactory which
> claims to support both SSL and STARTTLS:
> http://docs.oracle.com/javase/1.4.2/docs/guide/jndi/jndi-ldap.html#SSL
>
> Am I missing something?

SSL is used automatically, when ldaps:// is specified as the protocol, but for StartTLS you have to code a little bit to enable it.
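As an added illustration of the "little bit of code" StartTLS needs compared with ldaps:// (this is not the attached patch or Tomcat's own code), a hypothetical InitialContextFactory in the style of the factory described in comment 1: it opens the plain ldap:// connection, negotiates StartTLS before any credentials are sent, and only then binds with the realm's connectionName/connectionPassword. The class name and package are assumptions; it would be wired in through the realm's contextFactory attribute.

```java
package org.example.ldap; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.naming.spi.InitialContextFactory;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical factory: plain connect, StartTLS, then bind. */
public class StartTlsContextFactory implements InitialContextFactory {

    @Override
    public Context getInitialContext(Hashtable<?, ?> environment) throws NamingException {
        // Take the bind credentials out of the environment so the initial,
        // still-cleartext connection is anonymous and leaks nothing.
        Hashtable<Object, Object> env = new Hashtable<>(environment);
        Object auth = env.remove(Context.SECURITY_AUTHENTICATION);
        Object principal = env.remove(Context.SECURITY_PRINCIPAL);
        Object credentials = env.remove(Context.SECURITY_CREDENTIALS);
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // RFC 2830 StartTLS extended operation; negotiate() performs the
            // TLS handshake and the default JSSE hostname check on the cert.
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate((SSLSocketFactory) SSLSocketFactory.getDefault());
        } catch (IOException e) {
            ctx.close(); // never fall back to a cleartext bind
            NamingException ne = new NamingException("StartTLS negotiation failed");
            ne.setRootCause(e);
            throw ne;
        }

        // Channel is now encrypted: restore the credentials and re-bind.
        if (auth != null) ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, auth);
        else ctx.removeFromEnvironment(Context.SECURITY_AUTHENTICATION);
        if (principal != null) ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        if (credentials != null) ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
        ctx.reconnect(null);
        return ctx;
    }
}
```

A custom HostnameVerifier or SSLSocketFactory, as the later patches make configurable, would be passed to tls.setHostnameVerifier(...) and tls.negotiate(...) respectively.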
(In reply to Felix Schumacher from comment #5)
> SSL is used automatically, when ldaps:// is specified as the protocol, but
> for StartTLS you have to code a little bit to enable it.

Aah, yes: I think of TLS as secure-transport, and I often forget about STARTTLS. I'm updating the description to be more clear.
Fixed in trunk and tomcat 8.0.x for 8.0.21 onwards.
Will be included in tomcat 7.0.60