Brad Nicholes wrote:
My feeling is that about the best we could do is to allow the LDAPTrustedCA and LDAPTrustedCAType directives to be callable from within a virtualhost configuration and keep a list of certificates that can then be passed to the LDAP libraries during the post_config. But this would really only make sense for OpenLDAP and Novell. Since Netscape requires a CERT7 database file, it wouldn't know how to handle multiple files and these directives are NOOPs for Microsoft. Then it might lead the administrator to believe that certain virtual hosts are using certain certificates when in fact that wouldn't be the case. All virtual hosts would use all specified certificates.
At the moment if you place LDAPTrustedCA directives inside virtual hosts, it silently ignores the options instead of throwing errors, which is also bad.
In theory there shouldn't be too much of a need for setting per virtualhost client certs, as it's Apache doing the connecting to LDAP, not the other way around. (I'm not sure whether saying "this solution is good enough for everybody" is the right thing either, just wondering what is practical.)
Regards,
Graham
--
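Since the thread notes that LDAPTrustedCA directives placed inside a virtual host are silently ignored rather than rejected, an administrator has no feedback that the certificate they configured is not the one in use. The following script is an added example, not code from the thread or from the httpd project: it scans an httpd configuration file and reports any LDAPTrustedCA or LDAPTrustedCAType directive that sits inside a `<VirtualHost>` block. The sample configuration, its file paths and host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag LDAPTrustedCA / LDAPTrustedCAType directives that appear
# inside <VirtualHost> blocks, where mod_ldap ignores them without an error.

# Print "LINE: directive" for every LDAPTrustedCA* directive found between
# <VirtualHost> and </VirtualHost> in the file named by $1.
find_misplaced_ldap_ca() {
    awk '
        tolower($0) ~ /^[[:space:]]*<virtualhost/   { depth++ }
        tolower($0) ~ /^[[:space:]]*<\/virtualhost/ { depth-- }
        depth > 0 && tolower($1) ~ /^ldaptrustedca(type)?$/ { print NR ": " $0 }
    ' "$1"
}

# Number of misplaced directives, for callers that just want a pass/fail.
count_misplaced_ldap_ca() {
    find_misplaced_ldap_ca "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (not a real deployment): the two global
# directives are honoured; the two inside the virtual host are silently dropped.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
LDAPTrustedCA /etc/ssl/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE

<VirtualHost *:443>
    ServerName intranet.example.test
    LDAPTrustedCA /etc/ssl/other-ca.pem
    LDAPTrustedCAType BASE64_FILE
    AuthLDAPURL ldaps://ldap.example.test/ou=people,dc=example,dc=test?uid
</VirtualHost>
EOF

# Report the misplaced directives with their line numbers.
find_misplaced_ldap_ca "$SAMPLE_CONF"
```

Run it against a real httpd.conf by replacing the constructed sample with the path to that file; a non-zero count means the named lines are not applied, and every virtual host is in fact using only the globally configured certificates.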
