如何确保来自 JNDI 通过 SSL 的 LDAP 连接
我是 LDAP 和 JNDI 的新手。我已经使用 OpenDS 设置了带有 SSL 的 LDAP 服务器和使用 JNDI 访问 LDAP 的客户端。
我该如何确保我确实通过 SSL 与 LDAP 服务器进行通信?这是因为当我尝试通过 SSL 访问 LDAP 和不通过 SSL 访问 LDAP 时,我并没有真正看到客户端有什么区别。
已编辑
我已经使用 OpenDS 设置了 LDAP 服务器。该目录仅包含 1 个用户。其 DN 为 uid=defaultuser,ou=User,o=IT,dc=QuizPortal。 LDAP 端口 = 1389 和 SSL 端口 = 1636。默认端口389& 636 目前正被其他一些程序使用。我还选择了生成自签名认证选项。
以下是客户端端的代码。它基本上对用户的属性进行简单的查询。
public static void main(String[] args)
{
String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
String MY_HOST = "ldap://KhooGP-Comp3:1389";
String MGR_DN = "cn=Directory Manager";
String MGR_PW = "password";
String MY_SEARCHBASE = "ou=User,o=IT,dc=QuizPortal";
String MY_FILTER = "uid=defaultuser";
String MY_ATTRS[] = {"cn", "telephoneNumber", "userPassword"};
//Identify service provider to use
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
env.put(Context.PROVIDER_URL, MY_HOST);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
try
{
// Create the initial directory context
InitialDirContext initialContext = new InitialDirContext(env);
DirContext ctx = (DirContext)initialContext;
System.out.println("Context Sucessfully Initialized");
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);
while(results != null && results.hasMore())
{
SearchResult sr = (SearchResult) results.next();
String dn = sr.getName() + "," + MY_SEARCHBASE;
System.out.println("Distinguished Name is " + dn);
Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
if(ar == null)
{
System.out.println("Entry " + dn);
System.out.println(" has none of the specified attributes\n");
}
else
{
for(int i=0; i<MY_ATTRS.length; i++)
{
Attribute attr = ar.get(MY_ATTRS[i]);
System.out.println(MY_ATTRS[i] + ":");
for(Enumeration vals=attr.getAll(); vals.hasMoreElements();)
{
System.out.println("\t" + vals.nextElement());
}
}
}
}
}
catch(Exception e)
{
System.err.println(e);
}
}
我还按照建议执行了 netstat,并且在端口 1636 上进行了通信。那么这是否意味着我真的已经在 SSL 上进行通信了?
I am new to LDAP and JNDI. I have setup a LDAP server with SSL using OpenDS and a client which uses JNDI to access LDAP.
What can I do to ensure that I am really communicating via SSL to the LDAP server? This is because I don't really see any difference from the client side when I am trying to accessing LDAP via SSL and without.
EDITED
I have setup the LDAP server using OpenDS. The directory only consist of 1 user. It's DN is uid=defaultuser,ou=User,o=IT,dc=QuizPortal. The LDAP port = 1389 and SSL port = 1636. The default port 389 & 636 is currently being used by some other programs. I have also selected an option of generate self-sign certification.
The below is the code from the Client side. It basically do a simple query of the user's attributes.
public static void main(String[] args)
{
String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
String MY_HOST = "ldap://KhooGP-Comp3:1389";
String MGR_DN = "cn=Directory Manager";
String MGR_PW = "password";
String MY_SEARCHBASE = "ou=User,o=IT,dc=QuizPortal";
String MY_FILTER = "uid=defaultuser";
String MY_ATTRS[] = {"cn", "telephoneNumber", "userPassword"};
//Identify service provider to use
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
env.put(Context.PROVIDER_URL, MY_HOST);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
try
{
// Create the initial directory context
InitialDirContext initialContext = new InitialDirContext(env);
DirContext ctx = (DirContext)initialContext;
System.out.println("Context Sucessfully Initialized");
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);
while(results != null && results.hasMore())
{
SearchResult sr = (SearchResult) results.next();
String dn = sr.getName() + "," + MY_SEARCHBASE;
System.out.println("Distinguished Name is " + dn);
Attributes ar = ctx.getAttributes(dn, MY_ATTRS);
if(ar == null)
{
System.out.println("Entry " + dn);
System.out.println(" has none of the specified attributes\n");
}
else
{
for(int i=0; i<MY_ATTRS.length; i++)
{
Attribute attr = ar.get(MY_ATTRS[i]);
System.out.println(MY_ATTRS[i] + ":");
for(Enumeration vals=attr.getAll(); vals.hasMoreElements();)
{
System.out.println("\t" + vals.nextElement());
}
}
}
}
}
catch(Exception e)
{
System.err.println(e);
}
}
I have also did netstat as per adviced and there is a communication on port 1636. So does that means I am really communicating on SSL already?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在服务器端,您可能需要经过身份验证的绑定,那么如果您没有使用 SSL,那么您的应用程序将会失败。
您可以对其进行数据包跟踪以查看数据是明文还是加密的。
如果您使用基于 SSL 的 LDAP,则很可能会使用端口 636。因此,您可以
netstat查看您连接的端口。如果您使用 TLS,那就更难了,因为您使用 389,但使用 StartTLS,它会启动明文,然后转换为使用加密。
用代码来做吗?不知道。
On the server end you could require authenticated binds, then if you were NOT doing SSL then your app would fail.
You could packet trace it to see if the data is clear text or encrypted.
If you are using LDAP over SSL you are using port 636 in all likelyhood. So you could
netstatto see what port you have connected on.If you are using TLS it is harder, since you use 389, but with StartTLS it starts clear text, then converts to using encryption.
Do it in code? Dunno.