Friday, May 6, 2011

LDAP error in Tomcat - TLS confidentiality required

I'm trying to configure a Realm in Tomcat to access an LDAP server with TLS security. My basic Realm configuration looks like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm" 
        userPattern="uid={0},ou=People,dc=nsdl,dc=org" />

I get an error like this:

SEVERE: Catalina.start: 
LifecycleException:  Exception opening directory server connection:  
    javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at org.apache.catalina.realm.JNDIRealm.start(
    at org.apache.catalina.core.ContainerBase.start(
    at org.apache.catalina.core.StandardHost.start(
    at org.apache.catalina.core.ContainerBase.start(
    at org.apache.catalina.core.StandardEngine.start(
    at org.apache.catalina.core.StandardService.start(
    at org.apache.catalina.core.StandardServer.start(
    at org.apache.catalina.startup.Catalina.start(
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(
    at org.apache.catalina.startup.Bootstrap.main(

I have tried a wide variety of fixes, without changing the problem or the error message. This includes:

  • changing the protocol in the connectionURL to "ldaps"
  • changing the port in the connectionURL to 636
  • adding protocol="TLS" tot he realm
  • moving the Realm declaration from conf/server.xml (under Host or Engine) to META-INF/context.xml in the webapp
  • adding ldap.jar to server/lib
  • changing from Tomcat 5.5 to Tomcat 6.0

Each of these produces the same error message (although the stack trace is different in some configurations).

Any ideas?

From stackoverflow
  • The answer is actually not related to the question as posted here. The problem was related to how the Realm was specified.

    The Realm was specified in a Context element contained in a file located inside the webapp at META-INF/context.xml

    What I didn't realize was that

    • Tomcat copies this file to conf/Catalina/localhost/{webapp}.xml,
    • If a newer version of the WAR file is given to Tomcat, it will not replace {webapp}.xml with the newer version

    So the reason that the same error message happened every time was because my initial copy of the Realm was bad, and my attempted fixes were not being considered.

    In fact, the Realm specification is correct as shown above. Once I cleared out the stubborn file, it worked fine.


Post a Comment