Hi Philippe,
That looks great and will sound useful in many corporate environments.
Can you publish it to JIRA so that the core team reviews and commits it?
Ludovic
Philippe Marzouk wrote:
Hi all,
I wanted to take advantage of an ldap server for user authentication
but, as others already encountered, there was no support for SSL and I
needed it.
I attach a patch which adds support for SSL connections to the ldap
server. To activate the SSL layer, I added a new configuration parameter
in xwiki.cfg (xwiki.authentication.ldap.ssl) which has to be set to 1.
Of course the ldap port has to be changed too (to 636).
In order for the SSL connection to be established, the CA certificate
which delivered the SSL certificate of the ldap server must be added to
the trust store of the JSSE extension.
From the Sun JSSE documentation:
The search order for locating the trust store is:
1) <java-home>/lib/security/jssecacerts, then
2) <java-home>/lib/security/cacerts
If the file jssecacerts exists, then cacerts is not consulted.
So in order to make it work you have to create a trust store named
jssecacerts with the following command and place it in the suitable
directory of the JRE or JDK used by your container:
keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
(answer yes when asked if you want to trust the certificate)
I read on the web that the default password for cacerts is 'changeit', so I
used that; I didn't try yet with another password for the trust store.
I believe if the SSL certificate of the ldap server is self-signed you
need to import it instead of the CA but I did not try.
The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the
hard-coded security provider; it should maybe be made a parameter for
people not running Sun JVMs.
I'm a newbie to xwiki so don't hesitate to criticize the patch or give me
feedback.
Philippe
------------------------------------------------------------------------
Index: core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java
===================================================================
--- core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java (révision
2024)
+++ core/src/main/java/com/xpn/xwiki/user/impl/LDAP/LDAPAuthServiceImpl.java (copie de
travail)
@@ -36,6 +36,7 @@
import java.io.UnsupportedEncodingException;
import java.security.Principal;
+import java.security.Security;
import java.text.MessageFormat;
import java.util.Enumeration;
import java.util.HashMap;
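Review bot: this hunk imports java.security.Security, but the later hunks also use LDAPSocketFactory and LDAPJSSESecureSocketFactory without adding imports for them; unless the file already imports them (for example through a com.novell.ldap.* wildcard), add those two imports here so the patch compiles as posted.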
@@ -271,11 +272,18 @@
}
protected boolean checkUserPassword(String username, String password, HashMap
attributes, XWikiContext context) throws XWikiException {
- LDAPConnection lc = new LDAPConnection();
boolean result = false;
boolean notinLDAP = false;
String foundDN = null;
+ if ("1".equals(getParam("ldap_ssl", context))) {
+ Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+ LDAPSocketFactory ssf;
+ ssf = new LDAPJSSESecureSocketFactory();
+ LDAPConnection.setSocketFactory(ssf);
+ }
+ LDAPConnection lc = new LDAPConnection();
+
try {
if (log.isDebugEnabled())
log.debug("LDAP Password check for user " + username);
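Review bot: `LDAPConnection.setSocketFactory(ssf)` is called on the class, so it replaces the default socket factory for every LDAPConnection created afterwards in the JVM, and together with `Security.addProvider(...)` it is executed on every password check; move the provider registration and factory setup into a one-time initialisation, or hand the factory to the connection being built instead of changing a process-wide default, so that unrelated connections are unaffected and a later change of `ldap_ssl` back to 0 is honoured. The hard-coded com.sun.net.ssl.internal.ssl.Provider also ties the build to Sun JVMs, as the author already notes; making it configurable or relying on the JRE's default JSSE provider would avoid that.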
@@ -299,7 +307,6 @@
String baseDN = getParam("ldap_base_DN", context);
-
lc.connect(ldapHost, ldapPort);
if (log.isDebugEnabled())
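Review bot: this hunk only removes a blank line in checkUserPassword and carries no functional change; drop it so the diff stays focused on the SSL support.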
@@ -458,9 +465,17 @@
}
protected boolean checkDNPassword(String DN, String username, String password,
XWikiContext context) throws XWikiException {
- LDAPConnection lc = new LDAPConnection();
boolean result = false;
boolean notinLDAP = false;
+
+ if ("1".equals(getParam("ldap_ssl", context))) {
+ Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
+ LDAPSocketFactory ssf;
+ ssf = new LDAPJSSESecureSocketFactory();
+ LDAPConnection.setSocketFactory(ssf);
+ }
+ LDAPConnection lc = new LDAPConnection();
+
try {
int ldapPort = getLDAPPort(context);
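Review bot: the SSL setup block here is duplicated verbatim from checkUserPassword; extract it into a single helper (for example a `configureLdapSsl(context)` method invoked before `new LDAPConnection()` in both methods) so the provider registration and socket factory selection are maintained in one place.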
@@ -515,6 +530,7 @@
if (bindDN != null && bindDN.length() > 0 && bindPassword !=
null) {
try {
+
lc.bind(ldapVersion, bindDN, bindPassword.getBytes("UTF8"));
bound = true;
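Review bot: this hunk adds nothing but an empty line inside the try block before `lc.bind(...)`; it is whitespace noise unrelated to the change and should be removed from the patch.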
Index: web/standard/src/main/webapp/WEB-INF/xwiki.cfg
===================================================================
--- web/standard/src/main/webapp/WEB-INF/xwiki.cfg (révision 2024)
+++ web/standard/src/main/webapp/WEB-INF/xwiki.cfg (copie de travail)
@@ -71,6 +71,7 @@
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
+xwiki.authentication.ldap.ssl=0
xwiki.authentication.unauthorized_code=200
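Review bot: the new `xwiki.authentication.ldap.ssl=0` key lands without any explanatory comment; since the setting only works when the LDAP port is also changed to 636 and the server's CA certificate is present in the JSSE trust store (as the mail explains), add a comment line above it stating the accepted values (0/1) and those two prerequisites.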
------------------------------------------------------------------------
--
You receive this message as a subscriber of the xwiki-dev(a)objectweb.org mailing list.
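The trust-store step from Philippe's mail, as an added shell example that is not part of the original message or the XWiki patch. Because the Sun JSSE search order quoted above means an existing jssecacerts shadows cacerts completely, a jssecacerts holding only the LDAP CA would leave the JVM trusting no public CA for any other TLS connection; this script seeds jssecacerts from cacerts before importing. The java home layout, alias `ca`, file `cacert.crt` and password `changeit` are taken from the mail; that a JDK with keytool is on PATH is an assumption.

```shell
#!/bin/sh
# Added example (not from the original mail or the XWiki patch).
# "java home" below is the JRE directory whose lib/security holds cacerts.

# Print the trust store JSSE will actually consult for the given java home:
# jssecacerts if it exists, otherwise cacerts (the order quoted in the mail).
jsse_truststore() {
  if [ -f "$1/lib/security/jssecacerts" ]; then
    printf '%s\n' "$1/lib/security/jssecacerts"
  else
    printf '%s\n' "$1/lib/security/cacerts"
  fi
}

# Ensure jssecacerts exists. If it has to be created, copy cacerts so the
# public CAs shipped with the JRE stay trusted alongside the LDAP CA.
# Prints the path of the store that the CA import should target.
prepare_truststore() {
  dir="$1/lib/security"
  if [ ! -f "$dir/jssecacerts" ]; then
    cp "$dir/cacerts" "$dir/jssecacerts" || return 1
  fi
  printf '%s\n' "$dir/jssecacerts"
}

# Import the LDAP server's CA with the keytool command from the mail
# (-noprompt replaces the interactive "trust this certificate?" answer),
# then verify the alias really is in the store JSSE will read.
# Args: java home, CA certificate file, alias. Assumes keytool on PATH.
import_ldap_ca() {
  store=$(prepare_truststore "$1") || return 1
  keytool -import -trustcacerts -noprompt -alias "$3" -file "$2" \
          -keystore "$store" -storepass changeit || return 1
  # keytool -list exits non-zero when the alias does not exist
  keytool -list -alias "$3" -keystore "$store" -storepass changeit >/dev/null
}

# Usage, with the file and alias names from the mail:
#   import_ldap_ca "$JAVA_HOME" cacert.crt ca
```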