From 2b5790588e1de6415985a05167cdb15512cce290 Mon Sep 17 00:00:00 2001
From: pvarga88 <pvarga@opentext.com>
Date: Wed, 12 Feb 2020 16:20:55 +0000
Subject: [PATCH] Fix for OPENDJ-3445 (#96)
---
opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java | 10 ++++++++--
opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java | 11 ++++++++---
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java b/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
index ecfc391..281fa0a 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java
@@ -3542,9 +3542,15 @@
case EXTENDED:
ExtendedOperationBasis extOp = (ExtendedOperationBasis) operation;
- String requestOID = extOp.getRequestOID();
- if (!OID_START_TLS_REQUEST.equals(requestOID))
+ String requestOID = extOp.getRequestOID();
+ if (!OID_START_TLS_REQUEST.equals(requestOID)
+ && !OID_GET_SYMMETRIC_KEY_EXTENDED_OP.equals(requestOID))
{
+ // Clients must be allowed to enable TLS before authenticating.
+
+ // Authentication is not required for the get symmetric key request as it depends on out of band trust
+ // negotiation. See OPENDJ-3445.
+
message = directoryServer.lockdownMode
? NOTE_REJECT_OPERATION_IN_LOCKDOWN_MODE.get()
: ERR_REJECT_UNAUTHENTICATED_OPERATION.get();
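Review bot: The new condition at the top of the hunk exempts the get-symmetric-key request from this whole branch, and that branch is also the lockdown-mode rejection (`NOTE_REJECT_OPERATION_IN_LOCKDOWN_MODE` on the line above), so an unauthenticated symmetric-key exchange is now accepted while the server is in lockdown as well; if that is not intended, keep the lockdown check independent, e.g. `if (directoryServer.lockdownMode || (!OID_START_TLS_REQUEST.equals(requestOID) && !OID_GET_SYMMETRIC_KEY_EXTENDED_OP.equals(requestOID)))`. The exemption only drops the authentication gate here, so the safety of the change rests on the extended-operation handler itself verifying the requester (presumably via the instance-key certificate carried in the request, which is not visible in this hunk) — worth confirming and stating in the comment. The two new explanatory comments are also placed inside the rejection block, where they read as describing the rejection; move them above the `if` so they annotate the condition they justify. The enclosing method continues outside the hunk.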
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java b/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
index 18d6084..04f3347 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java
@@ -98,6 +98,7 @@
import org.opends.server.tools.LDAPConnectionOptions;
import org.opends.server.tools.LDAPReader;
import org.opends.server.tools.LDAPWriter;
+import org.opends.server.tools.SSLConnectionFactory;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.Attributes;
@@ -924,19 +925,23 @@
for (SearchResultEntry resultEntry : resultEntries)
{
String hostname = resultEntry.parseAttribute("hostname").asString();
- Integer ldapPort = resultEntry.parseAttribute("ldapport").asInteger();
+ Integer adminPort = resultEntry.parseAttribute("adminport").asInteger();
// Connect to the server.
AtomicInteger nextMessageID = new AtomicInteger(1);
+ SSLConnectionFactory sslCF = new SSLConnectionFactory();
+ sslCF.init(true, null, null, null, null, null);
LDAPConnectionOptions connectionOptions =
- new LDAPConnectionOptions();
+ new LDAPConnectionOptions();
+ connectionOptions.setUseSSL(true);
+ connectionOptions.setSSLConnectionFactory(sslCF);
PrintStream nullPrintStream =
new PrintStream(new OutputStream() {
@Override
public void write ( int b ) { }
});
LDAPConnection connection =
- new LDAPConnection(hostname, ldapPort,
+ new LDAPConnection(hostname, adminPort,
connectionOptions,
nullPrintStream,
nullPrintStream);
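Review bot: `sslCF.init(true, null, null, null, null, null)` hands the factory no key store and no trust store, and if the first argument is the trust-all flag as its position suggests, the TLS connection to `hostname:adminPort` never authenticates the peer's certificate, so any host answering on that address is accepted and the move from the plain LDAP port to TLS buys confidentiality but not server authentication. The peer should be validated against the trust the comment elsewhere in this commit calls out-of-band, e.g. `sslCF.init(false, null, null, null, adminTrustStorePath, adminTrustStorePassword);` with the admin trust store the server already holds; a comment such as `// Peer is authenticated by the admin trust store; do not fall back to trust-all.` would document the intent. Separately, `adminPort` is an `Integer` that is unboxed in the `LDAPConnection` constructor on the last lines of the hunk and will throw a NullPointerException if the entry lacks an `adminport` attribute; guard it with `if (adminPort == null) { continue; }` (logging the skipped entry) before building the connection. The loop body and the handling of `connection` continue past the hunk.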
--
Gitblit v1.10.0