How to ensure LDAP connection over SSL from JNDI

Question

Hi,

I am new to LDAP and JNDI. I have setup a LDAP server with SSL using OpenDS and a client which uses JNDI to access LDAP.

What can I do to ensure that I am really communicating via SSL to the LDAP server? This is because I don't really see any difference from the client side when i am trying to accessing LDAP via SSL and without.

Any directions would be appreciated.

EDITED

I have setup the LDAP server using OpenDS. The directory only consist of 1 user. It's DN is uid=defaultuser,ou=User,o=IT,dc=QuizPortal. The LDAP port = 1389 and SSL port = 1636. The default port 389 & 636 is currently being used by some other programs. I have also selected an option of generate self-sign certification.

The below is the code from the Client side. It basically do a simple query of the user's attributes.

public static void main(String[] args)
{
    String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    String MY_HOST = "ldap://KhooGP-Comp3:1389";
    String MGR_DN = "cn=Directory Manager";
    String MGR_PW = "password";
    String MY_SEARCHBASE = "ou=User,o=IT,dc=QuizPortal";
    String MY_FILTER = "uid=defaultuser";
    String MY_ATTRS[] = {"cn", "telephoneNumber", "userPassword"};

    //Identify service provider to use
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
    env.put(Context.PROVIDER_URL, MY_HOST);

    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
    env.put(Context.SECURITY_CREDENTIALS, MGR_PW);

    try
    {
        // Create the initial directory context
        InitialDirContext initialContext = new InitialDirContext(env);
        DirContext ctx = (DirContext)initialContext;

        System.out.println("Context Sucessfully Initialized");

        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);

        NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);

        while(results != null && results.hasMore())
        {
            SearchResult sr = (SearchResult) results.next();
            String dn = sr.getName() + "," + MY_SEARCHBASE;
            System.out.println("Distinguished Name is " + dn);

            Attributes ar = ctx.getAttributes(dn, MY_ATTRS);

            if(ar == null)
            {
                System.out.println("Entry " + dn);
                System.out.println(" has none of the specified attributes\n");
            }
            else
            {
                for(int i=0; i<MY_ATTRS.length; i++)
                {
                    Attribute attr = ar.get(MY_ATTRS[i]);
                    System.out.println(MY_ATTRS[i] + ":");

                    for(Enumeration vals=attr.getAll(); vals.hasMoreElements();)
                    {
                        System.out.println("\t" + vals.nextElement());
                    }
                }
            }
        }
    }
    catch(Exception e)
    {
        System.err.println(e);
    }
}

I have also did netstat as per adviced and there is a communication on port 1636. So does that means I am really communicating on SSL already???

Kevin

Answer 1

On the server end you could require authenticated binds, then if you were NOT doing SSL then your app would fail.

You could packet trace it to see if the data is clear text or encrypted.

If you are using LDAP over SSL you are using port 636 in all likelyhood. So you could netstat to see what port you have connected on.

If you are using TLS it is harder, since you use 389, but with StartTLS it starts clear text, then converts to using encryption.

Do it in code? Dunno.