差異處
這裏顯示兩個版本的差異處。
Both sides previous revision 前次修改 下次修改 | 前次修改 | ||
java:ldap:spring:ldapauthenticationprovider:secureconnection [2016/05/10 22:40] tony [StartTLS] |
java:ldap:spring:ldapauthenticationprovider:secureconnection [2023/06/25 09:48] (目前版本) |
||
---|---|---|---|
行 95: | 行 95: | ||
} | } | ||
</code> | </code> | ||
+ | 如果在連不到LDAP server的情況下,通常都要等待20秒。我們可以透過以下方式去調整連線與從Server讀取資料的timeout: | ||
+ | <code java> | ||
+ | Map<String,Object> baseEnv = new HashMap<>(); | ||
+ | baseEnv.put("com.sun.jndi.ldap.read.timeout", "1000"); | ||
+ | baseEnv.put("com.sun.jndi.ldap.connect.timeout", "1000"); | ||
+ | |||
+ | contextSource.setBaseEnvironmentProperties(baseEnv); | ||
+ | </code> | ||
+ | 如果出現TLS already started的錯誤,這可能是spring connection pool造成的,可以透過設定以下flag取消pool暫時解決;使用ldaps+StartTLS也會有一樣問題。 | ||
+ | <code java> | ||
+ | ldapContextSource.setCacheEnvironmentProperties(false); | ||
+ | ldapContextSource.setPooled(false); | ||
+ | </code> | ||
+ | ===== 最後 ===== | ||
+ | 除了以上內容外,還有些議題沒特別說明: | ||
+ | * **SSL + VerifyHostname**: Hostname驗證是為了抵禦中間人攻擊,因此SSL應也需要Hostname驗證。目前我已經有做法可以解決。 | ||
+ | * **Disable Connection Pool**: Connection Pool是為了減少重建連線的Effort,但目前Spring的StartTLS並無法正常使用。 | ||
+ | 這些議題有機會再研究與分享。 | ||
===== Reference ===== | ===== Reference ===== | ||
* [[https://www.fastmail.com/help/technical/ssltlsstarttls.html|SSL VS. TLS VS. STARTTLS]] | * [[https://www.fastmail.com/help/technical/ssltlsstarttls.html|SSL VS. TLS VS. STARTTLS]] | ||
行 104: | 行 122: | ||
* [[http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118738-configure-firesight-00.html|UI Design of Firesight system]] | * [[http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118738-configure-firesight-00.html|UI Design of Firesight system]] | ||
* [[http://www.derekseaman.com/2011/06/citrix-netscaler-active-directory.html|UI Design of Citrix-Netscaler]] | * [[http://www.derekseaman.com/2011/06/citrix-netscaler-active-directory.html|UI Design of Citrix-Netscaler]] | ||
+ | * [[http://www.openldap.org/faq/data/cache/1063.html|TLS already started - Connection Pool]] | ||
+ | * [[http://forum.spring.io/forum/spring-projects/data/ldap/19764-tls-and-setupauthenticatedenvironment|TLS already started - don't use ldaps]] | ||
===== ===== | ===== ===== | ||
---- | ---- | ||
\\ | \\ | ||
~~DISQUS~~ | ~~DISQUS~~ |