how to listen ldap client requests on port 636 with unboundid ldap listener

StackOverflow https://stackoverflow.com/questions/14642355

  •  06-03-2022
  •  | 
  •  

Question

I have created a test environment. I have one ldap client, ldap listener (as a ldap proxy) and a ldap server. Ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy decodes the ldap requests and forwards them to the ldap server on port 389. And the proxy forwards the reply of the ldap server to ldap client successfully.

I created SSL certificate on ldap server. And this time I tested that ldap client sends ldap requests to ldap proxy on port 389 (SSL). Ldap proxy forwarded requests to the ldap server on port 636. And the proxy forwards the reply of the ldap server to ldap client successfully.

But there is a problem when I try to use SSL on both sides. I mean

ldap client (port 636) -> ldap proxy (port 636) -> ldap server (port 636)

My client throws an exception

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

I am using unboundid ldap sdk and LdapDebugger example as a ldap proxy. How can I configure ldaplistener to accept SSL encrypted requests(port 636)?

thanks in advance...

Was it helpful?

Solution

If you're using the ldap-debugger tool provided with the LDAP SDK, it currently only supports SSL for communicating with the backend server, but not when communicating with a client. That is, the "--useSSL" option applies only for communication between the LDAP debugger and the backend directory server, and not between the client and the LDAP debugger. However, because this is potentially a very useful feature, I have just committed a set of changes that add this capability, so if you check out and build the latest version of the LDAP SDK, you will find that the ldap-debugger tool has a new "--listenUsingSSL" argument that controls this.

Note that regardless of whether you're using the ldap-debugger tool or you have created your own listener via Java code, you need to ensure that you have a Java keystore that contains the SSL certificate that will be presented to clients. If the LDAP server you're using is Java-based (e.g., the in-memory directory server provided with the LDAP SDK), then you probably already have this. Otherwise, you'll need to create one. If you're just doing this for testing purposes, a self-signed certificate should be just fine (as long as the client trusts it, or is configured to blindly trust all certificates).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top