Active Directory traffic not encrypted

Peter Schober peter.schober at univie.ac.at
Sat Sep 15 05:42:47 EDT 2018


* Rochford, Mike <MRochford at STARKSTATE.EDU> [2018-09-14 16:58]: 
> I’ve figured this out.  There was a setting in the dataconnector
> used in the attribute-resolver.xml file that was using
> useStartTLS=true.

The default (example) attribute-resolver.xml as shipped by the project
does not contain any LDAP connections at all. The (not active)
examples attribute-resolver-ldap.xml and attribute-resolver-full.xml
do, but they include the following line:

  useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"

Meaning startTLS would only be true IFF the referenced property was
undefined. And in the default ldap.properties file that property is
pre-defined to re-use the value from the property
idp.authn.LDAP.useStartTLS.

So if you set idp.authn.LDAP.useStartTLS=false in ldap.properties then
idp.attribute.resolver.LDAP.useStartTLS would also be false and the
LDAP DataConnector you mentioned above wouldn't try to startTLS.

I guess all that means is that we're back to what Daniel said, because
with the two ldap.properties files posted that shouldn't happen.

Maybe you commented out idp.authn.LDAP.useStartTLS at some point
(which would default it to true) when configuring an ldaps:// URL, or
something like that?  Also remember that property file changes require
a restart of the servlet container.

-peter
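The property chain Peter describes (resolver attribute -> idp.attribute.resolver.LDAP.useStartTLS -> idp.authn.LDAP.useStartTLS -> literal default) is easy to get wrong by eye, so here is a small checker for it. This is an added example, not code from the thread or from the Shibboleth project: it implements the %{name:default} placeholder syntax used in the IdP's XML and property files, reads a constructed ldap.properties fragment, and reports what the resolver's LDAP DataConnector would actually do. The property names idp.authn.LDAP.ldapURL and idp.attribute.resolver.LDAP.ldapURL, and the sample property files, are assumptions for illustration; the useStartTLS line is the one quoted above.

```python
import re

# %{name} or %{name:default}, the placeholder form used in IdP config files
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text):
    """Parse a Java .properties subset: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # a commented-out property is simply absent
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve(value, props, depth=0):
    """Expand placeholders; a defined property wins, otherwise the inline default is used."""
    if depth > 10:
        raise ValueError("placeholder cycle while resolving: " + value)

    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return resolve(props[name], props, depth + 1)
        if default is not None:
            return resolve(default, props, depth + 1)
        raise KeyError("unresolved property: " + name)

    return PLACEHOLDER.sub(sub, value)


# Attribute values as they appear in the shipped example attribute-resolver-ldap.xml.
# The useStartTLS line is quoted in the message; the ldapURL line is an assumption.
RESOLVER_USE_STARTTLS = "%{idp.attribute.resolver.LDAP.useStartTLS:true}"
RESOLVER_LDAP_URL = "%{idp.attribute.resolver.LDAP.ldapURL}"


def effective_transport(props_text):
    """Classify how the resolver's LDAP DataConnector would talk to the directory."""
    props = parse_properties(props_text)
    url = resolve(RESOLVER_LDAP_URL, props)
    starttls = resolve(RESOLVER_USE_STARTTLS, props).strip().lower() == "true"
    ldaps = url.lower().startswith("ldaps://")
    if ldaps and starttls:
        # the case Peter suspects: authn property commented out, so the default
        # 'true' applies and StartTLS is attempted on an already encrypted port
        return "starttls-over-ldaps"
    if ldaps:
        return "ldaps"
    if starttls:
        return "starttls"
    return "plaintext"  # neither ldaps:// nor StartTLS: directory traffic is not encrypted


# Constructed ldap.properties fragments (not the files posted in the thread)
SHIPPED_DEFAULTS = """
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = true
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
"""

AUTHN_STARTTLS_OFF = """
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
"""

COMMENTED_OUT = """
idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
#idp.authn.LDAP.useStartTLS = true
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
"""

if __name__ == "__main__":
    for label, text in [("shipped defaults", SHIPPED_DEFAULTS),
                        ("authn StartTLS off", AUTHN_STARTTLS_OFF),
                        ("authn StartTLS commented out", COMMENTED_OUT)]:
        print(f"{label}: {effective_transport(text)}")
```

Point it at a real ldap.properties (after a restart of the servlet container, since property changes are not picked up live) and the "plaintext" result is the one to chase: it means the resolver connector will send directory queries, and any bind credentials, in the clear.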

