mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

neil_a_wilson
27.13.2007 d2f8eac230a525a06a4659a66c38eb26139fa735
opends/src/server/org/opends/server/messages/ProtocolMessages.java
@@ -4359,6 +4359,28 @@
  /**
   * The message ID for the message that will be used if either SSL or StartTLS
   * support is enabled but no key manager provider is configured for the
   * connection handler.  This takes a single argument, which is the DN of the
   * connection handler configuration entry.
   */
  public static final int MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN =
       CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_SEVERE_ERROR | 402;
  /**
   * The message ID for the message that will be used if either SSL or StartTLS
   * support is enabled but no trust manager provider is configured for the
   * connection handler.  This takes a single argument, which is the DN of the
   * connection handler configuration entry.
   */
  public static final int MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN =
       CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_SEVERE_ERROR | 403;
  /**
   * Associates a set of generic messages with the message IDs defined in this
   * class.
   */
@@ -5523,6 +5545,16 @@
                    "operation.  These options may not be used at the same " +
                    "time, so clients will not be allowed to use the " +
                    "StartTLS operation.");
    registerMessage(MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN,
                    "The LDAP connection handler defined in configuration " +
                    "entry %s is configured to use either SSL or StartTLS, " +
                    "but does not specify which key manager provider should " +
                    "be used.");
    registerMessage(MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN,
                    "The LDAP connection handler defined in configuration " +
                    "entry %s is configured to use either SSL or StartTLS, " +
                    "but does not specify which trust manager provider " +
                    "should be used.");
    registerMessage(MSGID_LDAP_CONNHANDLER_CANNOT_DETERMINE_ALLOW_STARTTLS,
                    "An unexpected error occurred while processing the " +
                    ATTR_ALLOW_STARTTLS + " attribute in configuration entry " +
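Review bot: The two messages registered for MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN and MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN say that a provider is missing but do not name the attribute the administrator has to set. The neighbouring message for MSGID_LDAP_CONNHANDLER_CANNOT_DETERMINE_ALLOW_STARTTLS splices ATTR_ALLOW_STARTTLS into its text, and doing the same here would let the log line point straight at the fix. The test entries in this commit use `ds-cfg-key-manager-provider-dn` and `ds-cfg-trust-manager-provider-dn`, so those appear to be the names to reference. Prefer the project's attribute-name constants if it has them; none are visible in this hunk.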
opends/src/server/org/opends/server/protocols/ldap/LDAPConnectionHandler.java
@@ -577,31 +577,42 @@
          ErrorLogSeverity.SEVERE_WARNING, message, msgID);
    }
    // Validate the key manager provider DN.
    DN keyManagerProviderDN = config.getKeyManagerProviderDN();
    if (keyManagerProviderDN != null) {
      KeyManagerProvider provider = DirectoryServer
          .getKeyManagerProvider(keyManagerProviderDN);
      if (provider == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_INVALID_KEYMANAGER_DN;
        String message = getMessage(msgID, String
            .valueOf(config.dn()), String
            .valueOf(keyManagerProviderDN));
    if (config.isAllowStartTLS() || config.isUseSSL())
    {
      // Validate the key manager provider DN.
      DN keyManagerProviderDN = config.getKeyManagerProviderDN();
      if (keyManagerProviderDN == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN;
        String message = getMessage(msgID, String.valueOf(config.dn()));
        throw new ConfigException(msgID, message);
      } else {
        KeyManagerProvider provider = DirectoryServer
            .getKeyManagerProvider(keyManagerProviderDN);
        if (provider == null) {
          int msgID = MSGID_LDAP_CONNHANDLER_INVALID_KEYMANAGER_DN;
          String message = getMessage(msgID, String
              .valueOf(config.dn()), String
              .valueOf(keyManagerProviderDN));
          throw new ConfigException(msgID, message);
        }
      }
    }
    // Validate the trust manager provider DN.
    DN trustManagerProviderDN = config.getTrustManagerProviderDN();
    if (trustManagerProviderDN != null) {
      TrustManagerProvider provider = DirectoryServer
          .getTrustManagerProvider(trustManagerProviderDN);
      if (provider == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_INVALID_TRUSTMANAGER_DN;
        String message = getMessage(msgID, String
            .valueOf(config.dn()), String
            .valueOf(trustManagerProviderDN));
      // Validate the trust manager provider DN.
      DN trustManagerProviderDN = config.getTrustManagerProviderDN();
      if (trustManagerProviderDN == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN;
        String message = getMessage(msgID, String.valueOf(config.dn()));
        throw new ConfigException(msgID, message);
      } else {
        TrustManagerProvider provider = DirectoryServer
            .getTrustManagerProvider(trustManagerProviderDN);
        if (provider == null) {
          int msgID = MSGID_LDAP_CONNHANDLER_INVALID_TRUSTMANAGER_DN;
          String message = getMessage(msgID, String
              .valueOf(config.dn()), String
              .valueOf(trustManagerProviderDN));
          throw new ConfigException(msgID, message);
        }
      }
    }
@@ -739,31 +750,44 @@
      isAcceptable = false;
    }
    // Validate the key manager provider DN.
    DN keyManagerProviderDN = config.getKeyManagerProviderDN();
    if (keyManagerProviderDN != null) {
      KeyManagerProvider provider = DirectoryServer
          .getKeyManagerProvider(keyManagerProviderDN);
      if (provider == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_INVALID_KEYMANAGER_DN;
        unacceptableReasons.add(getMessage(msgID, String
            .valueOf(config.dn()), String
            .valueOf(keyManagerProviderDN)));
    if (config.isAllowStartTLS() || config.isUseSSL())
    {
      // Validate the key manager provider DN.
      DN keyManagerProviderDN = config.getKeyManagerProviderDN();
      if (keyManagerProviderDN == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN;
        String message = getMessage(msgID, String.valueOf(config.dn()));
        unacceptableReasons.add(message);
        isAcceptable = false;
      } else {
        KeyManagerProvider provider = DirectoryServer
            .getKeyManagerProvider(keyManagerProviderDN);
        if (provider == null) {
          int msgID = MSGID_LDAP_CONNHANDLER_INVALID_KEYMANAGER_DN;
          unacceptableReasons.add(getMessage(msgID, String
              .valueOf(config.dn()), String
              .valueOf(keyManagerProviderDN)));
          isAcceptable = false;
        }
      }
    }
    // Validate the trust manager provider DN.
    DN trustManagerProviderDN = config.getTrustManagerProviderDN();
    if (trustManagerProviderDN != null) {
      TrustManagerProvider provider = DirectoryServer
          .getTrustManagerProvider(trustManagerProviderDN);
      if (provider == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_INVALID_TRUSTMANAGER_DN;
        unacceptableReasons.add(getMessage(msgID, String
            .valueOf(config.dn()), String
            .valueOf(trustManagerProviderDN)));
      // Validate the trust manager provider DN.
      DN trustManagerProviderDN = config.getTrustManagerProviderDN();
      if (trustManagerProviderDN == null) {
        int msgID = MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN;
        String message = getMessage(msgID, String.valueOf(config.dn()));
        unacceptableReasons.add(message);
        isAcceptable = false;
      } else {
        TrustManagerProvider provider = DirectoryServer
            .getTrustManagerProvider(trustManagerProviderDN);
        if (provider == null) {
          int msgID = MSGID_LDAP_CONNHANDLER_INVALID_TRUSTMANAGER_DN;
          unacceptableReasons.add(getMessage(msgID, String
              .valueOf(config.dn()), String
              .valueOf(trustManagerProviderDN)));
          isAcceptable = false;
        }
      }
    }
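Review bot: Moving the provider lookups inside `if (config.isAllowStartTLS() || config.isUseSSL())` means a key or trust manager provider DN that is set but resolves to no registered provider is no longer rejected while both options are off; the removed code made that check unconditionally. As far as the rendered lines show, this applies to both hunks (the path that throws ConfigException and the one that fills unacceptableReasons), so a stale reference can sit in the configuration unnoticed until TLS is switched on. Consider keeping the dangling-reference check outside the guard, e.g. `if (keyManagerProviderDN != null && DirectoryServer.getKeyManagerProvider(keyManagerProviderDN) == null)`, and leaving only the new `== null` missing-provider case inside it. The two hunks also repeat the same validation with only the failure action differing, which a shared private helper would keep in step. Both enclosing methods start and end outside the hunks.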
opends/tests/unit-tests-testng/src/server/org/opends/server/protocols/ldap/TestLDAPConnectionHandler.java
@@ -51,270 +51,276 @@
public class TestLDAPConnectionHandler extends LdapTestCase {
   private static String reasonMsg="Don't need a reason.";
  private static String reasonMsg="Don't need a reason.";
   /**
    * Once-only initialization.
    *
    * @throws Exception
    *           If an unexpected error occurred.
    */
   @BeforeClass
   public void setUp() throws Exception {
      // This test suite depends on having the schema available, so we'll
      // start the server.
      TestCaseUtils.startServer();
   }
  /**
   * Once-only initialization.
   *
   * @throws Exception
   *           If an unexpected error occurred.
   */
  @BeforeClass
  public void setUp() throws Exception {
    // This test suite depends on having the schema available, so we'll
    // start the server.
    TestCaseUtils.startServer();
  }
   @Test()
   /**
    *  Creates two handlers, one which is SSL type. Then change some values via the setter
    *  methods.
    *
    * @throws Exception if the handler cannot be instantiated.
    */
   public void testLDAPConnectionHandler() throws Exception {
      Entry LDAPHandlerEntry=null;
  @Test()
  /**
   *  Creates two handlers, one which is SSL type. Then change some values via the setter
   *  methods.
   *
   * @throws Exception if the handler cannot be instantiated.
   */
  public void testLDAPConnectionHandler() throws Exception {
    Entry LDAPHandlerEntry=null;
      LDAPHandlerEntry=TestCaseUtils.makeEntry(
            "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
            "objectClass: top",
            "objectClass: ds-cfg-connection-handler",
            "objectClass: ds-cfg-ldap-connection-handler",
            "cn: LDAP Connection Handler",
            "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
            "ds-cfg-connection-handler-enabled: true",
            "ds-cfg-listen-address: 0.0.0.0",
            "ds-cfg-accept-backlog: 128",
            "ds-cfg-allow-ldapv2: false",
            "ds-cfg-keep-stats: false",
            "ds-cfg-use-tcp-keepalive: true",
            "ds-cfg-use-tcp-nodelay: true",
            "ds-cfg-allow-tcp-reuse-address: true",
            "ds-cfg-send-rejection-notice: true",
            "ds-cfg-max-request-size: 5 megabytes",
            "ds-cfg-num-request-handlers: 2",
            "ds-cfg-allow-start-tls: false",
            "ds-cfg-use-ssl: false",
            "ds-cfg-ssl-client-auth-policy: optional",
      "ds-cfg-ssl-cert-nickname: server-cert");
      LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(LDAPHandlerEntry);
      LDAPConnHandler.allowLDAPv2();
      LDAPConnHandler.allowStartTLS();
      LDAPConnHandler.keepStats();
      LDAPConnHandler.toString(new StringBuilder());
      LDAPConnHandler.toString();
      LDAPStatistics tracker=LDAPConnHandler.getStatTracker();
      LinkedHashMap<String,String> alerts = LDAPConnHandler.getAlerts();
      String c=LDAPConnHandler.getClassName();
      DN dn = LDAPConnHandler.getComponentEntryDN();
      String[] cips = LDAPConnHandler.getEnabledSSLCipherSuites();
      String[] protos = LDAPConnHandler.getEnabledSSLProtocols();
      int maxReqSize = LDAPConnHandler.getMaxRequestSize();
      String shutListName=LDAPConnHandler.getShutdownListenerName();
      SSLClientAuthPolicy policy = LDAPConnHandler.getSSLClientAuthPolicy();
      Collection<ClientConnection> cons=LDAPConnHandler.getClientConnections();
      LDAPConnHandler.processServerShutdown(reasonMsg);
      //Reset some things for the SSL handler
      Attribute useSSL=new Attribute(ATTR_USE_SSL, String.valueOf(false));
      Attribute startTls=new Attribute(ATTR_ALLOW_STARTTLS, String.valueOf(false));
      AttributeType attrType=DirectoryServer.getAttributeType(ATTR_LISTEN_PORT, true);
      Attribute a=new Attribute(attrType);
      LDAPHandlerEntry.removeAttribute(a, null);
      LDAPHandlerEntry.removeAttribute(useSSL, null);
      LDAPHandlerEntry.removeAttribute(startTls, null);
      Attribute useSSL1=new Attribute(ATTR_USE_SSL, String.valueOf(true));
      Attribute startTls1=new Attribute(ATTR_ALLOW_STARTTLS, String.valueOf(true));
      LDAPHandlerEntry.addAttribute(useSSL1,null);
      LDAPHandlerEntry.addAttribute(startTls1,null);
      LDAPConnectionHandler LDAPSConnHandler = getLDAPHandlerInstance(LDAPHandlerEntry);
      LDAPSConnHandler.finalizeConnectionHandler(reasonMsg, true);
      LDAPConnHandler.processServerShutdown(reasonMsg);
   }
    LDAPHandlerEntry=TestCaseUtils.makeEntry(
        "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
        "objectClass: top",
        "objectClass: ds-cfg-connection-handler",
        "objectClass: ds-cfg-ldap-connection-handler",
        "cn: LDAP Connection Handler",
        "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
        "ds-cfg-connection-handler-enabled: true",
        "ds-cfg-listen-address: 0.0.0.0",
        "ds-cfg-accept-backlog: 128",
        "ds-cfg-allow-ldapv2: false",
        "ds-cfg-keep-stats: false",
        "ds-cfg-use-tcp-keepalive: true",
        "ds-cfg-use-tcp-nodelay: true",
        "ds-cfg-allow-tcp-reuse-address: true",
        "ds-cfg-send-rejection-notice: true",
        "ds-cfg-max-request-size: 5 megabytes",
        "ds-cfg-num-request-handlers: 2",
        "ds-cfg-allow-start-tls: false",
        "ds-cfg-use-ssl: false",
        "ds-cfg-ssl-client-auth-policy: optional",
        "ds-cfg-ssl-cert-nickname: server-cert",
        "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config",
        "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config");
    LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(LDAPHandlerEntry);
    LDAPConnHandler.allowLDAPv2();
    LDAPConnHandler.allowStartTLS();
    LDAPConnHandler.keepStats();
    LDAPConnHandler.toString(new StringBuilder());
    LDAPConnHandler.toString();
    LDAPStatistics tracker=LDAPConnHandler.getStatTracker();
    LinkedHashMap<String,String> alerts = LDAPConnHandler.getAlerts();
    String c=LDAPConnHandler.getClassName();
    DN dn = LDAPConnHandler.getComponentEntryDN();
    String[] cips = LDAPConnHandler.getEnabledSSLCipherSuites();
    String[] protos = LDAPConnHandler.getEnabledSSLProtocols();
    int maxReqSize = LDAPConnHandler.getMaxRequestSize();
    String shutListName=LDAPConnHandler.getShutdownListenerName();
    SSLClientAuthPolicy policy = LDAPConnHandler.getSSLClientAuthPolicy();
    Collection<ClientConnection> cons=LDAPConnHandler.getClientConnections();
    LDAPConnHandler.processServerShutdown(reasonMsg);
    //Reset some things for the SSL handler
    Attribute useSSL=new Attribute(ATTR_USE_SSL, String.valueOf(false));
    Attribute startTls=new Attribute(ATTR_ALLOW_STARTTLS, String.valueOf(false));
    AttributeType attrType=DirectoryServer.getAttributeType(ATTR_LISTEN_PORT, true);
    Attribute a=new Attribute(attrType);
    LDAPHandlerEntry.removeAttribute(a, null);
    LDAPHandlerEntry.removeAttribute(useSSL, null);
    LDAPHandlerEntry.removeAttribute(startTls, null);
    Attribute useSSL1=new Attribute(ATTR_USE_SSL, String.valueOf(true));
    Attribute startTls1=new Attribute(ATTR_ALLOW_STARTTLS, String.valueOf(true));
    LDAPHandlerEntry.addAttribute(useSSL1,null);
    LDAPHandlerEntry.addAttribute(startTls1,null);
    LDAPConnectionHandler LDAPSConnHandler = getLDAPHandlerInstance(LDAPHandlerEntry);
    LDAPSConnHandler.finalizeConnectionHandler(reasonMsg, true);
    LDAPConnHandler.processServerShutdown(reasonMsg);
  }
   @Test(expectedExceptions=ConfigException.class)
   /**
    *  Start a handler an then give its hasAcceptableConfiguration a ConfigEntry with
    *  numerous invalid cases and single-valued attrs with duplicate values.
    *
    * @throws Exception if handler cannot be instantiated or the configuration is
    *                   accepted.
    */
   public void testBadLDAPConnectionHandlerConfiguration() throws Exception
   {
      Entry BadHandlerEntry=TestCaseUtils.makeEntry(
            "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
            "objectClass: top",
            "objectClass: ds-cfg-connection-handler",
            "objectClass: ds-cfg-ldap-connection-handler",
            "cn: LDAP Connection Handler",
            "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
            "ds-cfg-connection-handler-enabled: true",
            "ds-cfg-listen-address: 0.0.0.0",
            "ds-cfg-accept-backlog: 128",
            "ds-cfg-allow-ldapv2: false",
            "ds-cfg-keep-stats: false",
            "ds-cfg-use-tcp-keepalive: true",
            "ds-cfg-use-tcp-nodelay: true",
            "ds-cfg-allow-tcp-reuse-address: true",
            "ds-cfg-send-rejection-notice: true",
            "ds-cfg-max-request-size: 5 megabytes",
            "ds-cfg-num-request-handlers: 2",
            "ds-cfg-allow-start-tls: false",
            "ds-cfg-use-ssl: false",
            "ds-cfg-ssl-client-auth-policy: optional",
      "ds-cfg-ssl-cert-nickname: server-cert");
    // Add some invalid attrs and some duplicate attrs
      Attribute a2=new Attribute(ATTR_LISTEN_PORT, String.valueOf(389));
      Attribute a2a=new Attribute(ATTR_LISTEN_PORT, String.valueOf(70000));
      Attribute a3=new Attribute(ATTR_LISTEN_ADDRESS, "localhost");
      Attribute a3a=new Attribute(ATTR_LISTEN_ADDRESS, "FAFASFSDFSADFASDFSDFSDAFAS");
      Attribute a4=new Attribute(ATTR_ACCEPT_BACKLOG, String.valueOf(Long.MAX_VALUE));
      Attribute a5=new Attribute(ATTR_ALLOWED_CLIENT, "129.800.990.45");
      Attribute a6=new Attribute(ATTR_DENIED_CLIENT, "129.");
      Attribute a7=new Attribute(ATTR_ALLOW_LDAPV2, "45");
      Attribute a8=new Attribute(ATTR_KEEP_LDAP_STATS, "45");
      Attribute a9=new Attribute(ATTR_SEND_REJECTION_NOTICE, "45");
      Attribute a10=new Attribute(ATTR_USE_TCP_KEEPALIVE, "45");
      Attribute a11=new Attribute(ATTR_USE_TCP_NODELAY, "45");
      Attribute a12=new Attribute(ATTR_ALLOW_REUSE_ADDRESS, "45");
      Attribute a13=new Attribute(ATTR_MAX_REQUEST_SIZE, "45 FLUBBERBYTES");
      Attribute a14=new Attribute(ATTR_USE_SSL, "45");
      Attribute a15=new Attribute(ATTR_ALLOW_STARTTLS, "45");
      BadHandlerEntry.addAttribute(a2, null);
      BadHandlerEntry.addAttribute(a3, null);
      BadHandlerEntry.addAttribute(a2a, null);
      BadHandlerEntry.addAttribute(a3a, null);
      BadHandlerEntry.addAttribute(a4, null);
      BadHandlerEntry.addAttribute(a5, null);
      BadHandlerEntry.addAttribute(a6, null);
      BadHandlerEntry.addAttribute(a7, null);
      BadHandlerEntry.addAttribute(a8, null);
      BadHandlerEntry.addAttribute(a9, null);
      BadHandlerEntry.addAttribute(a10, null);
      BadHandlerEntry.addAttribute(a11, null);
      BadHandlerEntry.addAttribute(a12, null);
      BadHandlerEntry.addAttribute(a13, null);
      BadHandlerEntry.addAttribute(a14, null);
      BadHandlerEntry.addAttribute(a15, null);
      LdapTestCase.getConfiguration(BadHandlerEntry);
   }
  @Test(expectedExceptions=ConfigException.class)
  /**
   *  Start a handler an then give its hasAcceptableConfiguration a ConfigEntry with
   *  numerous invalid cases and single-valued attrs with duplicate values.
   *
   * @throws Exception if handler cannot be instantiated or the configuration is
   *                   accepted.
   */
  public void testBadLDAPConnectionHandlerConfiguration() throws Exception
  {
    Entry BadHandlerEntry=TestCaseUtils.makeEntry(
        "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
        "objectClass: top",
        "objectClass: ds-cfg-connection-handler",
        "objectClass: ds-cfg-ldap-connection-handler",
        "cn: LDAP Connection Handler",
        "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
        "ds-cfg-connection-handler-enabled: true",
        "ds-cfg-listen-address: 0.0.0.0",
        "ds-cfg-accept-backlog: 128",
        "ds-cfg-allow-ldapv2: false",
        "ds-cfg-keep-stats: false",
        "ds-cfg-use-tcp-keepalive: true",
        "ds-cfg-use-tcp-nodelay: true",
        "ds-cfg-allow-tcp-reuse-address: true",
        "ds-cfg-send-rejection-notice: true",
        "ds-cfg-max-request-size: 5 megabytes",
        "ds-cfg-num-request-handlers: 2",
        "ds-cfg-allow-start-tls: false",
        "ds-cfg-use-ssl: false",
        "ds-cfg-ssl-client-auth-policy: optional",
        "ds-cfg-ssl-cert-nickname: server-cert",
        "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config",
        "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config");
   /**
    * Create handler and then change most of its values and see if
    * it is acceptable and applied.
    * @throws Exception if handler cannot be instantiated.
    */
   @Test()
   public void testGoodLDAPConnectionHandlerConfiguration() throws Exception
   {
      Entry GoodHandlerEntry=TestCaseUtils.makeEntry(
            "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
            "objectClass: top",
            "objectClass: ds-cfg-connection-handler",
            "objectClass: ds-cfg-ldap-connection-handler",
            "cn: LDAP Connection Handler",
            "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
            "ds-cfg-connection-handler-enabled: true",
            "ds-cfg-listen-address: 0.0.0.0",
            "ds-cfg-accept-backlog: 128",
            "ds-cfg-allow-ldapv2: false",
            "ds-cfg-keep-stats: false",
            "ds-cfg-use-tcp-keepalive: true",
            "ds-cfg-use-tcp-nodelay: true",
            "ds-cfg-allow-tcp-reuse-address: true",
            "ds-cfg-send-rejection-notice: true",
            "ds-cfg-max-request-size: 5 megabytes",
            "ds-cfg-num-request-handlers: 2",
            "ds-cfg-allow-start-tls: false",
            "ds-cfg-use-ssl: true",
            "ds-cfg-ssl-client-auth-policy: optional",
      "ds-cfg-ssl-cert-nickname: server-cert");
      LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(GoodHandlerEntry);
      //Make attrTypes to remove
      AttributeType at0=DirectoryServer.getAttributeType(ATTR_LISTEN_PORT, true);
//    AttributeType at1=DirectoryServer.getAttributeType(ATTR_LISTEN_ADDRESS, true);
//    Attribute rAttr1=new Attribute(at1);
//    GoodHandlerEntry.removeAttribute(rAttr1, null);
      AttributeType at2=DirectoryServer.getAttributeType(ATTR_ALLOW_LDAPV2, true);
      AttributeType at3=DirectoryServer.getAttributeType(ATTR_ALLOW_LDAPV2, true);
      AttributeType at4=DirectoryServer.getAttributeType(ATTR_KEEP_LDAP_STATS, true);
      AttributeType at5=DirectoryServer.getAttributeType(ATTR_SEND_REJECTION_NOTICE,true);
      AttributeType at6=DirectoryServer.getAttributeType(ATTR_USE_TCP_KEEPALIVE,true);
      AttributeType at7=DirectoryServer.getAttributeType(ATTR_USE_TCP_NODELAY,true);
      AttributeType at8=DirectoryServer.getAttributeType(ATTR_ALLOW_REUSE_ADDRESS,true);
      AttributeType at9=DirectoryServer.getAttributeType(ATTR_USE_SSL,true);
      AttributeType at10=DirectoryServer.getAttributeType(ATTR_ALLOW_STARTTLS,true);
      AttributeType at11=DirectoryServer.getAttributeType(ATTR_MAX_REQUEST_SIZE,true);
      AttributeType at12=DirectoryServer.getAttributeType(ATTR_ACCEPT_BACKLOG,true);
      //Remove them
      Attribute rAttr0=new Attribute(at0);
      GoodHandlerEntry.removeAttribute(rAttr0, null);
    // Add some invalid attrs and some duplicate attrs
    Attribute a2=new Attribute(ATTR_LISTEN_PORT, String.valueOf(389));
    Attribute a2a=new Attribute(ATTR_LISTEN_PORT, String.valueOf(70000));
    Attribute a3=new Attribute(ATTR_LISTEN_ADDRESS, "localhost");
    Attribute a3a=new Attribute(ATTR_LISTEN_ADDRESS, "FAFASFSDFSADFASDFSDFSDAFAS");
    Attribute a4=new Attribute(ATTR_ACCEPT_BACKLOG, String.valueOf(Long.MAX_VALUE));
    Attribute a5=new Attribute(ATTR_ALLOWED_CLIENT, "129.800.990.45");
    Attribute a6=new Attribute(ATTR_DENIED_CLIENT, "129.");
    Attribute a7=new Attribute(ATTR_ALLOW_LDAPV2, "45");
    Attribute a8=new Attribute(ATTR_KEEP_LDAP_STATS, "45");
    Attribute a9=new Attribute(ATTR_SEND_REJECTION_NOTICE, "45");
    Attribute a10=new Attribute(ATTR_USE_TCP_KEEPALIVE, "45");
    Attribute a11=new Attribute(ATTR_USE_TCP_NODELAY, "45");
    Attribute a12=new Attribute(ATTR_ALLOW_REUSE_ADDRESS, "45");
    Attribute a13=new Attribute(ATTR_MAX_REQUEST_SIZE, "45 FLUBBERBYTES");
    Attribute a14=new Attribute(ATTR_USE_SSL, "45");
    Attribute a15=new Attribute(ATTR_ALLOW_STARTTLS, "45");
    BadHandlerEntry.addAttribute(a2, null);
    BadHandlerEntry.addAttribute(a3, null);
    BadHandlerEntry.addAttribute(a2a, null);
    BadHandlerEntry.addAttribute(a3a, null);
    BadHandlerEntry.addAttribute(a4, null);
    BadHandlerEntry.addAttribute(a5, null);
    BadHandlerEntry.addAttribute(a6, null);
    BadHandlerEntry.addAttribute(a7, null);
    BadHandlerEntry.addAttribute(a8, null);
    BadHandlerEntry.addAttribute(a9, null);
    BadHandlerEntry.addAttribute(a10, null);
    BadHandlerEntry.addAttribute(a11, null);
    BadHandlerEntry.addAttribute(a12, null);
    BadHandlerEntry.addAttribute(a13, null);
    BadHandlerEntry.addAttribute(a14, null);
    BadHandlerEntry.addAttribute(a15, null);
      Attribute rAttr2=new Attribute(at2);
      GoodHandlerEntry.removeAttribute(rAttr2, null);
      Attribute rAttr3=new Attribute(at3);
      GoodHandlerEntry.removeAttribute(rAttr3, null);
      Attribute rAttr4=new Attribute(at4);
      GoodHandlerEntry.removeAttribute(rAttr4, null);
      Attribute rAttr5=new Attribute(at5);
      GoodHandlerEntry.removeAttribute(rAttr5, null);
      Attribute rAttr6=new Attribute(at6);
      GoodHandlerEntry.removeAttribute(rAttr6, null);
      Attribute rAttr7=new Attribute(at7);
      GoodHandlerEntry.removeAttribute(rAttr7, null);
      Attribute rAttr8=new Attribute(at8);
      Attribute rAttr9=new Attribute(at9);
      Attribute rAttr10=new Attribute(at10);
      Attribute rAttr11=new Attribute(at11);
      Attribute rAttr12=new Attribute(at12);
      GoodHandlerEntry.removeAttribute(rAttr8, null);
      GoodHandlerEntry.removeAttribute(rAttr9, null);
      GoodHandlerEntry.removeAttribute(rAttr10, null);
      GoodHandlerEntry.removeAttribute(rAttr11, null);
      GoodHandlerEntry.removeAttribute(rAttr12, null);
      //Make new AttrTypes with different values
      long newPort=getFreePort();
      Attribute a2=new Attribute(ATTR_LISTEN_PORT, String.valueOf(newPort));
      //uncomment if want to test listen address
//    Attribute a3=new Attribute(ATTR_LISTEN_ADDRESS, "localhost");
      Attribute a4=new Attribute(ATTR_ACCEPT_BACKLOG, String.valueOf(25));
      Attribute a5=new Attribute(ATTR_ALLOWED_CLIENT, "129.56.56.45");
      Attribute a6=new Attribute(ATTR_DENIED_CLIENT, "129.*.*.90");
      Attribute a7=new Attribute(ATTR_ALLOW_LDAPV2, "true");
      Attribute a8=new Attribute(ATTR_KEEP_LDAP_STATS, "true");
      Attribute a9=new Attribute(ATTR_SEND_REJECTION_NOTICE, "false");
      Attribute a10=new Attribute(ATTR_USE_TCP_KEEPALIVE, "false");
      Attribute a11=new Attribute(ATTR_USE_TCP_NODELAY, "false");
      Attribute a12=new Attribute(ATTR_ALLOW_REUSE_ADDRESS, "false");
      Attribute a13=new Attribute(ATTR_MAX_REQUEST_SIZE, "45 kb");
      Attribute a14=new Attribute(ATTR_USE_SSL, "false");
      Attribute a15=new Attribute(ATTR_ALLOW_STARTTLS, "true");
      //Add them
      GoodHandlerEntry.addAttribute(a2, null);
//    GoodHandlerEntry.addAttribute(a3, null);
      GoodHandlerEntry.addAttribute(a4, null);
      GoodHandlerEntry.addAttribute(a5, null);
      GoodHandlerEntry.addAttribute(a6, null);
      GoodHandlerEntry.addAttribute(a7, null);
      GoodHandlerEntry.addAttribute(a8, null);
      GoodHandlerEntry.addAttribute(a9, null);
      GoodHandlerEntry.addAttribute(a10, null);
      GoodHandlerEntry.addAttribute(a11, null);
      GoodHandlerEntry.addAttribute(a12, null);
      GoodHandlerEntry.addAttribute(a13, null);
      GoodHandlerEntry.addAttribute(a14, null);
      GoodHandlerEntry.addAttribute(a15, null);
      LinkedList<String> reasons = new LinkedList<String>();
    LdapTestCase.getConfiguration(BadHandlerEntry);
  }
  /**
   * Create handler and then change most of its values and see if
   * it is acceptable and applied.
   * @throws Exception if handler cannot be instantiated.
   */
  @Test()
  public void testGoodLDAPConnectionHandlerConfiguration() throws Exception
  {
    Entry GoodHandlerEntry=TestCaseUtils.makeEntry(
        "dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
        "objectClass: top",
        "objectClass: ds-cfg-connection-handler",
        "objectClass: ds-cfg-ldap-connection-handler",
        "cn: LDAP Connection Handler",
        "ds-cfg-connection-handler-class: org.opends.server.protocols.ldap.LDAPConnectionHandler",
        "ds-cfg-connection-handler-enabled: true",
        "ds-cfg-listen-address: 0.0.0.0",
        "ds-cfg-accept-backlog: 128",
        "ds-cfg-allow-ldapv2: false",
        "ds-cfg-keep-stats: false",
        "ds-cfg-use-tcp-keepalive: true",
        "ds-cfg-use-tcp-nodelay: true",
        "ds-cfg-allow-tcp-reuse-address: true",
        "ds-cfg-send-rejection-notice: true",
        "ds-cfg-max-request-size: 5 megabytes",
        "ds-cfg-num-request-handlers: 2",
        "ds-cfg-allow-start-tls: false",
        "ds-cfg-use-ssl: true",
        "ds-cfg-ssl-client-auth-policy: optional",
        "ds-cfg-ssl-cert-nickname: server-cert",
        "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config",
        "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config");
    LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(GoodHandlerEntry);
    //Make attrTypes to remove
    AttributeType at0=DirectoryServer.getAttributeType(ATTR_LISTEN_PORT, true);
//    AttributeType at1=DirectoryServer.getAttributeType(ATTR_LISTEN_ADDRESS, true);
//    Attribute rAttr1=new Attribute(at1);
//    GoodHandlerEntry.removeAttribute(rAttr1, null);
    AttributeType at2=DirectoryServer.getAttributeType(ATTR_ALLOW_LDAPV2, true);
    AttributeType at3=DirectoryServer.getAttributeType(ATTR_ALLOW_LDAPV2, true);
    AttributeType at4=DirectoryServer.getAttributeType(ATTR_KEEP_LDAP_STATS, true);
    AttributeType at5=DirectoryServer.getAttributeType(ATTR_SEND_REJECTION_NOTICE,true);
    AttributeType at6=DirectoryServer.getAttributeType(ATTR_USE_TCP_KEEPALIVE,true);
    AttributeType at7=DirectoryServer.getAttributeType(ATTR_USE_TCP_NODELAY,true);
    AttributeType at8=DirectoryServer.getAttributeType(ATTR_ALLOW_REUSE_ADDRESS,true);
    AttributeType at9=DirectoryServer.getAttributeType(ATTR_USE_SSL,true);
    AttributeType at10=DirectoryServer.getAttributeType(ATTR_ALLOW_STARTTLS,true);
    AttributeType at11=DirectoryServer.getAttributeType(ATTR_MAX_REQUEST_SIZE,true);
    AttributeType at12=DirectoryServer.getAttributeType(ATTR_ACCEPT_BACKLOG,true);
    //Remove them
    Attribute rAttr0=new Attribute(at0);
    GoodHandlerEntry.removeAttribute(rAttr0, null);
    Attribute rAttr2=new Attribute(at2);
    GoodHandlerEntry.removeAttribute(rAttr2, null);
    Attribute rAttr3=new Attribute(at3);
    GoodHandlerEntry.removeAttribute(rAttr3, null);
    Attribute rAttr4=new Attribute(at4);
    GoodHandlerEntry.removeAttribute(rAttr4, null);
    Attribute rAttr5=new Attribute(at5);
    GoodHandlerEntry.removeAttribute(rAttr5, null);
    Attribute rAttr6=new Attribute(at6);
    GoodHandlerEntry.removeAttribute(rAttr6, null);
    Attribute rAttr7=new Attribute(at7);
    GoodHandlerEntry.removeAttribute(rAttr7, null);
    Attribute rAttr8=new Attribute(at8);
    Attribute rAttr9=new Attribute(at9);
    Attribute rAttr10=new Attribute(at10);
    Attribute rAttr11=new Attribute(at11);
    Attribute rAttr12=new Attribute(at12);
    GoodHandlerEntry.removeAttribute(rAttr8, null);
    GoodHandlerEntry.removeAttribute(rAttr9, null);
    GoodHandlerEntry.removeAttribute(rAttr10, null);
    GoodHandlerEntry.removeAttribute(rAttr11, null);
    GoodHandlerEntry.removeAttribute(rAttr12, null);
    //Make new AttrTypes with different values
    long newPort=getFreePort();
    Attribute a2=new Attribute(ATTR_LISTEN_PORT, String.valueOf(newPort));
    //uncomment if want to test listen address
//    Attribute a3=new Attribute(ATTR_LISTEN_ADDRESS, "localhost");
    Attribute a4=new Attribute(ATTR_ACCEPT_BACKLOG, String.valueOf(25));
    Attribute a5=new Attribute(ATTR_ALLOWED_CLIENT, "129.56.56.45");
    Attribute a6=new Attribute(ATTR_DENIED_CLIENT, "129.*.*.90");
    Attribute a7=new Attribute(ATTR_ALLOW_LDAPV2, "true");
    Attribute a8=new Attribute(ATTR_KEEP_LDAP_STATS, "true");
    Attribute a9=new Attribute(ATTR_SEND_REJECTION_NOTICE, "false");
    Attribute a10=new Attribute(ATTR_USE_TCP_KEEPALIVE, "false");
    Attribute a11=new Attribute(ATTR_USE_TCP_NODELAY, "false");
    Attribute a12=new Attribute(ATTR_ALLOW_REUSE_ADDRESS, "false");
    Attribute a13=new Attribute(ATTR_MAX_REQUEST_SIZE, "45 kb");
    Attribute a14=new Attribute(ATTR_USE_SSL, "false");
    Attribute a15=new Attribute(ATTR_ALLOW_STARTTLS, "true");
    //Add them
    GoodHandlerEntry.addAttribute(a2, null);
//    GoodHandlerEntry.addAttribute(a3, null);
    GoodHandlerEntry.addAttribute(a4, null);
    GoodHandlerEntry.addAttribute(a5, null);
    GoodHandlerEntry.addAttribute(a6, null);
    GoodHandlerEntry.addAttribute(a7, null);
    GoodHandlerEntry.addAttribute(a8, null);
    GoodHandlerEntry.addAttribute(a9, null);
    GoodHandlerEntry.addAttribute(a10, null);
    GoodHandlerEntry.addAttribute(a11, null);
    GoodHandlerEntry.addAttribute(a12, null);
    GoodHandlerEntry.addAttribute(a13, null);
    GoodHandlerEntry.addAttribute(a14, null);
    GoodHandlerEntry.addAttribute(a15, null);
    LinkedList<String> reasons = new LinkedList<String>();
    LDAPConnectionHandlerCfg config = LdapTestCase.getConfiguration(GoodHandlerEntry);
      //see if we're ok
      boolean ret=LDAPConnHandler.isConfigurationChangeAcceptable(config, reasons);
      assertTrue(ret);
      //apply it
      LDAPConnHandler.applyConfigurationChange(config);
      LDAPConnHandler.finalizeConnectionHandler(reasonMsg, true);
    //see if we're ok
    boolean ret=LDAPConnHandler.isConfigurationChangeAcceptable(config, reasons);
    assertTrue(ret);
    //apply it
    LDAPConnHandler.applyConfigurationChange(config);
    LDAPConnHandler.finalizeConnectionHandler(reasonMsg, true);
   }
  }
}
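Review bot: Every entry in these tests now carries `ds-cfg-key-manager-provider-dn` and `ds-cfg-trust-manager-provider-dn`, so nothing exercises the rejection this commit introduces. testBadLDAPConnectionHandlerConfiguration already expects ConfigException from its many malformed attributes and only calls `LdapTestCase.getConfiguration(BadHandlerEntry)`, so it looks like it would pass with or without the new check. A dedicated case with `ds-cfg-use-ssl: true` and no provider DNs, asserting that the handler is refused, would pin the behaviour; a second case could check that isConfigurationChangeAcceptable returns false and adds a reason. The functional change is also mixed with a reindent of the whole class, which makes the two added LDIF lines per entry hard to spot; a separate whitespace-only commit would keep the security-relevant change reviewable.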