Directory Client API: DIRAPI-173

When using TLS and multiple binds, LdapNetworkConnection attempts to start TLS multiple times

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M20
    • Fix Version/s: 1.0.0-M21
    • Labels: None
    • Environment: OpenLDAP 2.4.28

      Description

      As per RFC 4511, it's valid to send multiple bind requests in a session to change authentication. However, this doesn't appear to be working for me when connecting to OpenLDAP with TLS enabled.

      http://tools.ietf.org/html/rfc4511#section-4.2.1

      To reproduce, create a LdapConnectionConfig with useTls set to true, create a LdapNetworkConnection using this config, and bind multiple times. Each bind will result in startTls being called.

      In my environment, this results in an exception:

      ERROR [2014-01-13 16:19:15,132] com.yammer.dropwizard.jersey.LoggingExceptionMapper: Error handling a request: 9d18293abdadfe2a
      ! org.apache.directory.api.ldap.model.exception.LdapOperationException: TLS already started
      ! at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678) ~[vault-shadow.jar:0.1.0]
      ! at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1161) ~[vault-shadow.jar:0.1.0]
      ! at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076) ~[vault-shadow.jar:0.1.0]
      ! at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:121) ~[vault-shadow.jar:0.1.0]
      ! at org.apache.directory.ldap.client.api.LdapConnection$bind.call(Unknown Source) ~[na:na]
      ...
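The pattern the report relies on, RFC 4511 section 4.2.1's permission to send several Bind requests on one session, shown as an added example that is not code from the report or from the Apache Directory project. It negotiates StartTLS explicitly once after connect() and then binds twice on the same protected session (a service identity, then the end user whose password is being checked). It assumes that leaving useTls unset keeps bind() from negotiating StartTLS on its own, which is what the description implies for 1.0.0-M20; the host, port, DNs and the passwords taken from the command line are placeholders.

```java
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapOperationException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Several binds over one StartTLS-protected connection (RFC 4511 section 4.2.1).
 * Added example, not code from DIRAPI-173 or from the Apache Directory project.
 * Host, port, DNs and passwords are placeholders (assumptions).
 */
public class MultiBindOverTls {

    // Hypothetical directory and identities; replace with your own.
    static final String HOST = "ldap.example.test";
    static final int PORT = 389;
    static final String SERVICE_DN = "cn=service,ou=apps,dc=example,dc=test";
    static final String USER_DN = "uid=alice,ou=people,dc=example,dc=test";

    /** Connection config that validates the server certificate against the JVM trust store. */
    static LdapConnectionConfig config() throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(HOST);
        config.setLdapPort(PORT);
        // useTls stays false on purpose: StartTLS is negotiated explicitly, once, in main().
        // On 1.0.0-M20 useTls=true makes every bind() call startTls(), and the second
        // bind fails with "TLS already started" (assumption drawn from the report).
        config.setUseTls(false);
        // Do not fall back to NoVerificationTrustManager: it accepts any certificate,
        // which leaves the StartTLS channel open to an active man-in-the-middle.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => the JVM default trust store
        config.setTrustManagers(tmf.getTrustManagers());
        return config;
    }

    /**
     * Bind as the service identity, then re-bind as the end user on the same session
     * to check the user's password. Returns true only if the user bind succeeds.
     * RFC 4511 section 4.2.1: a failed Bind leaves the session anonymous, so the
     * caller must bind again before issuing further operations.
     */
    static boolean verifyUserPassword(LdapNetworkConnection conn, String servicePassword,
                                      String userPassword) throws LdapException {
        conn.bind(SERVICE_DN, servicePassword);
        if (!conn.isAuthenticated()) {
            throw new IllegalStateException("service bind did not authenticate");
        }
        try {
            conn.bind(USER_DN, userPassword); // second bind, same TLS session, no new StartTLS
            return conn.isAuthenticated();
        } catch (LdapAuthenticationException wrongPassword) {
            return false; // invalid credentials: session is now anonymous
        }
    }

    public static void main(String[] args) throws Exception {
        LdapNetworkConnection conn = new LdapNetworkConnection(config());
        try {
            if (!conn.connect()) {
                throw new IllegalStateException("could not connect to " + HOST + ":" + PORT);
            }
            conn.startTls(); // exactly once per TCP connection
            boolean ok = verifyUserPassword(conn, args[0], args[1]);
            System.out.println(ok ? "user password verified over TLS" : "user password rejected");
        } catch (LdapOperationException e) {
            // "TLS already started" here means StartTLS was negotiated twice on one connection
            System.err.println("LDAP operation failed: " + e.getMessage());
        } finally {
            conn.close();
        }
    }
}
```

Run it as `java MultiBindOverTls <service-password> <user-password>` against a directory that offers StartTLS on the plain port. The second bind changes only the authorization identity; the TLS layer established before the first bind stays in place, which is why StartTLS must not be re-sent per bind.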
      

        Activity

        david@carr.name David Carr added a comment -

        Attached patch appears to fix the issue for me. It moves the startTls call from bindAsync (which is called for each bind) to the end of connect (which is only reached if it's actually necessary to initialize a new connection).

        elecharny Emmanuel Lecharny added a comment -

        Thanks for the patch. We will review it asap.

        akiran Kiran Ayyagari added a comment -

        Applied a different fix than the one in the proposed patch because the connect() method is independent of bind().
        See http://svn.apache.org/r1559772

        elecharny Emmanuel Lecharny added a comment -

        Closing the resolved issues.


          People

          • Assignee: Emmanuel Lecharny (elecharny)
          • Reporter: David Carr (david@carr.name)
          • Votes: 0
          • Watchers: 3
