[patch] StartTLS for LDAP queries

This patch adds TLS support for LDAP connections (RFC2830) by using a LDAPv3 style extended operation.

There are a few drawbacks when using TLS instead of SSL:

  • The JNDI LDAP connection pool must be disabled since we cannot find out whether StartTLS has been invoked already. (InitialLdapContext could create a new connection or use an existing connection). -> com.sun.jndi.ldap.connect.pool = false; See http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.
  • Context.REFERRAL = “follow” is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS. Therefore all traffic to referrals will be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warn message will be logged).
  • checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (that means additional traffic).
  • You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.

I am currently testing it with openfire 3.6.4 against Active Directory’s LDAP service.




Thanks for your contribution, I filed OF-66 to track this patch.


Daniel, did your testing bring any interesting findings to light?

(You posted an empty response?)

It seems that the system did not accept my email.

Unfortunately I was not able to make any further tests since my boss decided to cancel the “Instant messaging project”.


It’s a pity, because I even wrote a patch for PSI to support Kerberos auth on Windows clients. :frowning:

Ah, too bad. I couldn’t find any major issue in your patch - it will be part of the next release of Openfire.

Sorry to bring an old thread back, but has it been added to openfire?

I can’t find anything about TLS support for LDAP querries.


Well, the ticket is closed and in the comments Guus says that he has commited the patch.