[FIXED JENKINS-8132] Fixed a bug in TLS upgrade. Setting the socket factory kills the connection and the next time it tries to connect the client will attempt LDAPS.

The server, expecting an LDAP (without S) connection, resets the connection, which results in a "connection reset" error. All in all, it wasn't working as TLS.

The correct way to specify the SSLSocketFactory is apparently to pass it to the negotiate method.
kohsuke committed Nov 4, 2011
1 parent eb436bd commit a0a130e
Showing 1 changed file with 3 additions and 5 deletions.
@@ -36,6 +36,7 @@
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletException;

import org.acegisecurity.AuthenticationException;
@@ -347,18 +348,15 @@ private LdapContext bind(String principalName, String password, SocketInfo serve
String ldapUrl = "ldap://" + server + '/';
String oldName = Thread.currentThread().getName();
Thread.currentThread().setName("Connecting to "+ldapUrl+" : "+oldName);
LOGGER.fine("Connecting to " + ldapUrl);
try {
LdapContext context = (LdapContext)LdapCtxFactory.getLdapCtxInstance(ldapUrl, props);

// try to upgrade to TLS if we can, but failing to do so isn't fatal
// see http://download.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html
try {
// specifying custom socket factory requires that a caller to set the correct
// context classloader so that this name resolves to the class instance.
context.addToEnvironment("java.naming.ldap.factory.socket", TrustAllSocketFactory.class.getName());

StartTlsResponse rsp = (StartTlsResponse)context.extendedOperation(new StartTlsRequest());
rsp.negotiate();
rsp.negotiate((SSLSocketFactory)TrustAllSocketFactory.getDefault());
LOGGER.fine("Connection upgraded to TLS");
} catch (NamingException e) {
LOGGER.log(Level.FINE, "Failed to start TLS. Authentication will be done via plain-text LDAP", e);
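Review bot: The server is still not authenticated after this change, and that should be stated in the comment above the inner try block. Passing `TrustAllSocketFactory.getDefault()` to `rsp.negotiate(...)` fixes the connection reset, but a factory named "trust all" by definition accepts any certificate the LDAP server presents, so the upgraded session gives encryption on the wire without verifying who is on the other end; the comment currently says only "try to upgrade to TLS if we can, but failing to do so isn't fatal". Related: the `catch (NamingException e)` branch logs "Failed to start TLS. Authentication will be done via plain-text LDAP" at `Level.FINE`, so a failed negotiation silently downgrades the bind (and the password sent in it) to cleartext; consider raising that to `Level.WARNING`, or making the fallback configurable, so operators notice when the upgrade stops working.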