if (!sslEnabled && !startTlsEnabled)
Log.debug("LdapManager: Warning: Using unencrypted connection to LDAP service!");
}
JiveInitialLdapContext ctx = null;
try {
// See if the user authenticates.
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
env.put(Context.PROVIDER_URL, getProviderURL(baseDN));
if (sslEnabled) {
env.put("java.naming.ldap.factory.socket",
"org.jivesoftware.util.SimpleSSLSocketFactory");
env.put(Context.SECURITY_PROTOCOL, "ssl");
}
/* If startTLS is requested we MUST NOT bind() before
* the secure connection has been established. */
if (!(startTlsEnabled && !sslEnabled)) {
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
env.put(Context.SECURITY_CREDENTIALS, password);
} else {
if (followReferrals)
Log.warn("\tConnections to referrals are unencrypted! If you do not want this, please turn off ldap.autoFollowReferrals");
}
// Specify timeout to be 10 seconds, only on non SSL since SSL connections
// break with a timeout.
if (!sslEnabled) {
env.put("com.sun.jndi.ldap.connect.timeout", "10000");
}
if (readTimeout > 0) {
env.put("com.sun.jndi.ldap.read.timeout", String.valueOf(readTimeout));
}
if (ldapDebugEnabled) {
env.put("com.sun.jndi.ldap.trace.ber", System.err);
}
if (followReferrals) {
env.put(Context.REFERRAL, "follow");
}
if (!followAliasReferrals) {
env.put("java.naming.ldap.derefAliases", "never");
}
if (debug) {
Log.debug("LdapManager: Created context values, attempting to create context...");
}
ctx = new JiveInitialLdapContext(env, null);
if (startTlsEnabled && !sslEnabled) {
if (debug) {
Log.debug("LdapManager: ... StartTlsRequest");
}
// Perform a StartTLS extended operation
StartTlsResponse tls = (StartTlsResponse)
ctx.extendedOperation(new StartTlsRequest());
/* Open a TLS connection (over the existing LDAP association) and
get details of the negotiated TLS session: cipher suite,
peer certificate, etc. */
try {
SSLSession session = tls.negotiate(new org.jivesoftware.util.SimpleSSLSocketFactory());
ctx.setTlsResponse(tls);
ctx.setSslSession(session);
if (debug) {
Log.debug("LdapManager: ... peer host: "
+ session.getPeerHost()
+ ", CipherSuite: " + session.getCipherSuite());
}
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL,
userDN + "," + baseDN);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
} catch (java.io.IOException ex) {
Log.error(ex.getMessage(), ex);
}
// make at least one lookup to check authorization
lookupExistence(
ctx,
userDN + "," + baseDN,
new String[] {usernameField});
}
if (debug) {
Log.debug("LdapManager: ... context created successfully, returning.");
}
}
catch (NamingException ne) {
// If an alt baseDN is defined, attempt a lookup there.
if (alternateBaseDN != null) {
try {
if (ctx != null) {
ctx.close();
}
}
catch (Exception e) {
Log.error(e.getMessage(), e);
}
try {
// See if the user authenticates.
Hashtable<String, Object> env = new Hashtable<String, Object>();
// Use a custom initial context factory if specified. Otherwise, use the default.
env.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
env.put(Context.PROVIDER_URL, getProviderURL(alternateBaseDN));
if (sslEnabled) {
env.put("java.naming.ldap.factory.socket", "org.jivesoftware.util.SimpleSSLSocketFactory");
env.put(Context.SECURITY_PROTOCOL, "ssl");
}
/* If startTLS is requested we MUST NOT bind() before
* the secure connection has been established. */
if (!(startTlsEnabled && !sslEnabled)) {
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, userDN + "," + alternateBaseDN);
env.put(Context.SECURITY_CREDENTIALS, password);
}
// Specify timeout to be 10 seconds, only on non SSL since SSL connections
// break with a timemout.
if (!sslEnabled) {
env.put("com.sun.jndi.ldap.connect.timeout", "10000");
}
if (ldapDebugEnabled) {
env.put("com.sun.jndi.ldap.trace.ber", System.err);
}
if (followReferrals) {
env.put(Context.REFERRAL, "follow");
}
if (!followAliasReferrals) {
env.put("java.naming.ldap.derefAliases", "never");
}
if (debug) {
Log.debug("LdapManager: Created context values, attempting to create context...");
}
ctx = new JiveInitialLdapContext(env, null);
if (startTlsEnabled && !sslEnabled) {
if (debug) {
Log.debug("LdapManager: ... StartTlsRequest");
}
// Perform a StartTLS extended operation
StartTlsResponse tls = (StartTlsResponse)
ctx.extendedOperation(new StartTlsRequest());
/* Open a TLS connection (over the existing LDAP association) and
get details of the negotiated TLS session: cipher suite,
peer certificate, etc. */
try {
SSLSession session = tls.negotiate(new org.jivesoftware.util.SimpleSSLSocketFactory());
ctx.setTlsResponse(tls);
ctx.setSslSession(session);
if (debug) {
Log.debug("LdapManager: ... peer host: "
+ session.getPeerHost()
+ ", CipherSuite: " + session.getCipherSuite());
}
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL,
userDN + "," + alternateBaseDN);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
} catch (java.io.IOException ex) {
Log.error(ex.getMessage(), ex);
}
// make at least one lookup to check user authorization
lookupExistence(
ctx,
userDN + "," + alternateBaseDN,
new String[] {usernameField});
}
}
catch (NamingException e) {
if (debug) {
Log.debug("LdapManager: Caught a naming exception when creating InitialContext", ne);
}
return false;
}
}
else {
if (debug) {
Log.debug("LdapManager: Caught a naming exception when creating InitialContext", ne);
}
return false;
}
}
finally {
try {
if (ctx != null) {
ctx.close();
}
}
catch (Exception e) {
Log.error(e.getMessage(), e);
}