May 13, 2019 2:49 PM by Philippe Marschall

    Elytron LDAP Realm with StartTLS

    Philippe Marschall

      It is our understanding that the Elytron LDAP realm currently does not do StartTLS. Currently we use LDAPS to avoid sending passwords in plaintext over the wire. However, we would prefer LDAP + StartTLS over LDAPS because Active Directory provides SRV records only for LDAP and not for LDAPS. Therefore the URL ldaps:///dc=example,dc=com only works for LDAP, not for LDAPS.

      We would be willing to work on a patch but we would need some guidance:

      • Should start-tls be a new attribute on dir-context?
      • Where would be a good point to perform the StartTLS request? org.wildfly.security.auth.realm.ldap.SimpleDirContextFactoryBuilder.SimpleDirContextFactory.createDirContext?
      • Should we close the SSLSession? If so, where? In the CloseHandler?
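As an added illustration of the JNDI sequence the three questions above are about (this is example code, not code from the post, from Elytron or from WildFly, and it does not show where such a patch would live in SimpleDirContextFactory): open a plain ldap:// connection, issue the StartTLS extended operation, negotiate TLS, and only then hand over the bind credentials, so the simple bind never crosses the wire in the clear. The host name, bind DN and password are placeholder assumptions.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/**
 * Example (not Elytron code): plain LDAP connection, upgraded with the
 * StartTLS extended operation, followed by a simple bind over the
 * now-encrypted channel.
 */
public class StartTlsBindExample {

    // Placeholder values (assumptions, not from the post). The SRV-based
    // form "ldap:///dc=example,dc=com" that the post describes for LDAP
    // can be used as PROVIDER_URL as well, because the TLS upgrade happens
    // after the TCP connection has been established.
    static final String PROVIDER_URL = "ldap://ldap.example.com:389";
    static final String BIND_DN = "cn=reader,dc=example,dc=com";
    static final String BIND_PASSWORD = "change-me";

    public static void main(String[] args) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        // Deliberately NO SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here:
        // if they were in env, InitialLdapContext would already bind in the
        // clear before StartTLS had a chance to run.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // 1. StartTLS extended operation (OID StartTlsRequest.OID,
            //    1.3.6.1.4.1.1466.20037) on the existing connection.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

            // 2. TLS handshake on the same socket. negotiate() validates the
            //    server certificate against the default trust store and
            //    checks the host name; it throws IOException on failure, so
            //    no credentials are sent if the upgrade does not succeed.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established: " + session.getProtocol()
                    + " / " + session.getCipherSuite());

            // 3. Channel is encrypted now: supply the credentials and re-bind
            //    on the same (TLS-protected) connection.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
            ctx.reconnect(null);

            // ... searches against ctx go here ...
        } finally {
            // 4. Tear down in reverse order: end the TLS layer first (this
            //    returns the socket to plain LDAP), then close the context.
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }
}
```

Two points that bear on the questions: the ordering in steps 1 to 3 is the whole security argument, since credentials placed in the initial environment would be sent before the upgrade; and the StartTlsResponse has to stay paired with the context for the context's lifetime, because closing the TLS layer drops the connection back to plaintext, so it belongs in whatever closes the context, not somewhere earlier.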