Uploaded image for project: 'Directory Client API'
  1. Directory Client API
  2. DIRAPI-227

Bind user dn and password sent in clear after receiving PROTOCOL_ERROR during ldaps connection

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M28
    • Fix Version/s: 1.0.0
    • Labels:
      None

      Description

      I was attempting to use M28 and was having issues getting LDAPS to work (startTLS appeared to work just fine). After several repeated bind and unbind operations, the LDAPS connection would eventually fail with a PROTOCOL_ERROR and never bind again. However, when it was attempting to bind after receiving that error, it would then send the bind user and password in the clear. This was confirmed by looking in the LDAP server logs and also by Wireshark.

      I ran with debug turned on and this is what it receives during a failure (which is after a long string of successes, by the way). I omitted my project's code from the trace for clarity:

      14:53:55,447 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1028 | ts-ldapclaimshandler | Bind request
      14:53:55,450 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1270 | ts-ldapclaimshandler | Sending request
      MessageType : BIND_REQUEST
      Message ID : 1
      BindRequest
      Version : '3'
      Name : 'cn=admin'
      Simple authentication : '(omitted-for-safety)'

      14:53:55,450 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 280 | ts-ldapclaimshandler | Adding <1, org.apache.directory.ldap.client.api.future.BindFuture>
      14:53:55,654 | DEBUG | NioProcessor-3 | .ldap.client.api.LdapNetworkConnection$1 660 | ts-ldapclaimshandler | received a NoD, closing everything
      14:53:55,654 | DEBUG | NioProcessor-3 | .ldap.client.api.LdapNetworkConnection$1 665 | ts-ldapclaimshandler | closing BindFuture[msgId : 1, size : 0, Canceled :false]
      14:53:55,656 | DEBUG | tp1920834220-484 | ry.ldap.client.api.LdapNetworkConnection 1201 | ts-ldapclaimshandler | Bind failed : MessageType : BIND_RESPONSE
      Message ID : -1
      BindResponse
      Ldap Result
      Result code : (PROTOCOL_ERROR) protocolError
      Matched Dn : 'null'
      Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'

      14:53:55,656 | ERROR | tp1920834220-484 | rity.sts.claimsHandler.RoleClaimsHandler 238 | ts-ldapclaimshandler | Unable to set role claims.
      org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!
      at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2163)
      at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1035)

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              stustison Scott Tustison
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: