An earlier entry demonstrating LDAP Basics with Java uses an unsecured LDAP connection even for authentication. Simple authentication sends the password in the clear, so anyone who can capture the packets can read users' passwords. That scheme will therefore not be acceptable in some environments.
One way to get around the problem is to enable SSL (LDAPS) on the LDAP server, and then connect over SSL. If the server's certificate chains to a CA that your Java development kit already trusts, moving from an unsecured to a secure SSL connection is as easy as changing the LDAP URL you use to connect. For example, if your Java code currently sets up the JNDI environment like this:
int port = 389; // Default for LDAP
env.put(Context.PROVIDER_URL, "ldap://" + server + ":" + port + "/");
You need only make sure port points to the SSL port, by default 636 instead of 389, and change the scheme from ldap:// to ldaps://:
int port = 636; // Default for LDAPS
env.put(Context.PROVIDER_URL, "ldaps://" + server + ":" + port + "/");
The OpenDS server on my laptop is using a self-signed cert for testing, which no JDK trusts out of the box. I found a blog entry on how to get that cert easily into %JAVA_HOME%\jre\lib\security\jssecacerts, the trust store that JSSE consults before the default cacerts. See http://blogs.sun.com/andreas/entry/no_more_unable_to_find and the InstallCert.java code posted there.
The laptop has hostname FR-MCRAIG-01, so here is how I got the OpenDS server cert into the keystore.
C:\Program Files\Java\jdk1.6.0_10\jre\lib\security>java InstallCert FR-MCRAIG-01:1636
Loading KeyStore C:\Program Files\Java\jdk1.6.0_10\jre\lib\security\cacerts...
Opening connection to FR-MCRAIG-01:1636...
Starting SSL handshake...
...
Server sent 1 certificate(s):

 1 Subject CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
   Issuer  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
   sha1    c8 65 09 20 6d cd ce 49 74 79 94 db c5 de c0 9e 88 22 bf 2e
   md5     91 00 22 b5 af af ce 6f 18 4f d0 53 2a 25 25 79

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
[
[
  Version: V3
  Subject: CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 95963654743106846383083624301747892617755668016055934202270232901501940821365387949638940708183584259305099964566669834719666082227059496757860621285335799447082369760676148043235672196279383812301123926246357585954106197439027871114358806677720711353274033441757994535828245906353046883352879347380951654609
  public exponent: 65537
  Validity: [From: Tue Aug 04 15:35:44 CEST 2009,
               To: Thu Aug 04 15:35:44 CEST 2011]
  Issuer: CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
  SerialNumber: [    4a783930]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 60 21 E2 C0 09 D5 11 C8   80 91 55 44 A3 C3 D2 39  `!........UD...9
0010: 37 04 89 76 31 0E 40 9F   11 6D 79 E9 CB 14 1D 63  7..v1.@..my....c
0020: 6B 7B 0E 2A DF 74 18 BD   59 07 44 73 72 C0 D3 EA  k..*.t..Y.Dsr...
0030: 61 E1 A7 79 90 EE 73 AB   A0 40 FF F7 A9 F5 CA 0B  a..y..s..@......
0040: 6E FE 81 14 E3 1B 5C 50   83 96 9B B7 23 8C 8C ED  n.....\P....#...
0050: 7D 1C 22 BA DF 20 8D F4   82 8D 72 20 2C 31 41 3D  ..".. ....r ,1A=
0060: 36 01 95 78 23 C2 46 56   D1 9E DC E4 22 E9 0E A9  6..x#.FV...."...
0070: 99 2E 27 EC 96 D4 41 F2   C0 7A 89 2D 02 AF FB F5  ..'...A..z.-....

]

Added certificate to keystore 'jssecacerts' using alias 'FR-MCRAIG-01-1'
In InstallCert.java the default passphrase is changeit. In addition to the change of port number and the use of ldaps:// instead of ldap://, I added this Java to the top of the conf.jsp in the application posted with that earlier entry.
// Use the trust store that contains the OpenDS cert. JSSE already picks up
// jre/lib/security/jssecacerts on its own, but setting the property makes
// the choice explicit. Note it is javax.net.ssl.trustStore (server certs we
// accept), not javax.net.ssl.keyStore (our own private keys), that the
// client checks the server certificate against.
String keystorePath = System.getProperty("java.home") +
"\\lib\\security\\jssecacerts";
System.setProperty("javax.net.ssl.trustStore", keystorePath);
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
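To show the two pieces together (the ldaps:// URL and the trust store holding the self-signed cert), here is a complete stand-alone JNDI client. This is an added example, not code from the original entry or from the OpenDS project; the server name and port 1636 are the ones from the InstallCert session above, while the bind DN, the attributes returned and the trust store password "changeit" are assumptions you would replace with your own.

```java
import java.io.Console;
import java.io.File;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapsBind {

    // Host and LDAPS port from the InstallCert session in the post.
    static final String SERVER = "FR-MCRAIG-01";
    static final int PORT = 1636;
    // Hypothetical user DN; replace with an entry that exists on your server.
    static final String BIND_DN = "uid=user.0,ou=People,dc=example,dc=com";

    public static void main(String[] args) throws NamingException {
        // Point JSSE at the trust store InstallCert wrote. JSSE would find
        // jre/lib/security/jssecacerts on its own; setting it explicitly
        // also works when the file lives somewhere else. This is the
        // *trust* store (server certs we accept), not the key store.
        String trustStore = System.getProperty("java.home")
                + File.separator + "lib"
                + File.separator + "security"
                + File.separator + "jssecacerts";
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumed default

        // Read the bind password from the terminal rather than hard-coding it.
        Console console = System.console();
        char[] pw = console != null
                ? console.readPassword("Password for %s: ", BIND_DN)
                : "password".toCharArray(); // fallback when no console (e.g. IDE)

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldaps:// makes JNDI open a TLS session before any LDAP message is sent,
        // so the simple-bind password below never crosses the wire in the clear.
        // On JDK 8u181 and later, endpoint identification is on by default for
        // LDAPS, so the cert subject (CN=FR-MCRAIG-01) must match this host name.
        env.put(Context.PROVIDER_URL, "ldaps://" + SERVER + ":" + PORT + "/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, new String(pw));
        Arrays.fill(pw, '\0'); // don't keep the password around longer than needed

        DirContext ctx = null;
        try {
            // TLS handshake and the simple bind both happen here.
            ctx = new InitialDirContext(env);

            // Read back the bound user's own entry as a smoke test.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail"}); // assumed attributes
            NamingEnumeration<SearchResult> results =
                    ctx.search(BIND_DN, "(objectClass=*)", sc);
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println(r.getNameInNamespace() + ": " + r.getAttributes());
            }
        } catch (CommunicationException e) {
            // This is what you get when the server cert is not in the trust store:
            // the root cause is an SSLHandshakeException saying it is "unable to
            // find valid certification path to requested target".
            System.err.println("LDAPS connection failed: " + e.getRootCause());
            throw e;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```

If you prefer not to run InstallCert, exporting the server certificate to a file and importing it with keytool gives the same result: keytool -importcert -trustcacerts -alias opends -file opends.cer -keystore jssecacerts -storepass changeit, run in the jre/lib/security directory. Either way, check the sha1 fingerprint keytool or InstallCert prints against the one shown by the server's own administration tools before accepting it; trusting whatever certificate the first connection happens to return is exactly the step a man-in-the-middle would want you to skip.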
Hope it helps.
