[ http://jira.xwiki.org/jira/browse/XWIKI-865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Mortagne reopened XWIKI-865:
-----------------------------------


> add support for LDAP over SSL (ldaps)
> -------------------------------------
>
>                 Key: XWIKI-865
>                 URL: http://jira.xwiki.org/jira/browse/XWIKI-865
>             Project: XWiki Core
>          Issue Type: Improvement
>          Components: Plugin - Other
>    Affects Versions: 1.1 M3
>            Reporter: Philippe Marzouk
>         Assigned To: Thomas Mortagne
>            Priority: Minor
>         Attachments: xwiki-ldap-ssl.patch
>
>
> This patch adds support for SSL connections to the ldap server. To activate
> the SSL layer, I added a new configuration parameter in xwiki.cfg
> (xwiki.authentication.ldap.ssl) which has to be set to 1. Of course the ldap
> port has to be changed too (to 636).
>
> In order for the SSL connection to be established, the CA certificate which
> delivered the SSL certificate of the ldap server must be added to the trust
> store of the JSSE extension.
>
> From the Sun JSSE documentation:
>
> The search order for locating the trust store is:
>     1) <java-home>/lib/security/jssecacerts, then
>     2) <java-home>/lib/security/cacerts
>
> If the file jssecacerts exists, then cacerts is not consulted.
> So in order to make it work you have to create a trust store named
> jssecacerts with the following command and place it in the suitable directory
> of the JRE or JDK used by your container:
>
> keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
>
> (answer yes when asked if you want to trust the certificate)
> I read on the web the default password for cacerts is 'changeit' so I used
> that, I didn't try yet with another password for the trust store.
> I believe if the SSL certificate of the ldap server is self-signed you need
> to import it instead of the CA but I did not try.
> The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the hard-coded
> security provider, it should maybe be put as a parameter for people not
> running Sun JVMs.
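An added example (not the attached patch and not XWiki's own authenticator code) of what the description above amounts to on the Java side: a JNDI bind over ldaps:// on port 636 that names the trust store explicitly through the standard javax.net.ssl.trustStore properties, so no vendor-specific provider class has to be hard-coded. The host, bind DN and trust store path are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Opens an LDAP-over-SSL (ldaps) connection through JNDI with an explicit trust store. */
public class LdapsConnect {

    // Constructed sample values; adjust them to your own directory and trust store.
    static final String LDAPS_URL = "ldaps://ldap.example.org:636";
    static final String BIND_DN = "cn=xwiki,ou=services,dc=example,dc=org";
    static final String TRUST_STORE = "/opt/java/lib/security/jssecacerts";

    public static DirContext connect(String url, String bindDn, String bindPassword,
                                     String trustStorePath, String trustStorePassword)
            throws NamingException {
        // Name the trust store explicitly instead of relying on the jssecacerts/cacerts
        // search order; the default JSSE provider then validates the server chain against it.
        // The store must hold the CA that issued the server certificate, or the server
        // certificate itself when it is self-signed.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // ldaps:// scheme, port 636
        env.put(Context.SECURITY_PROTOCOL, "ssl");     // TLS from the first byte, not StartTLS
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        String bindPassword = args.length > 0 ? args[0] : "";
        try {
            DirContext ctx = connect(LDAPS_URL, BIND_DN, bindPassword, TRUST_STORE, "changeit");
            System.out.println("LDAPS bind succeeded: " + ctx.getNameInNamespace());
            ctx.close();
        } catch (CommunicationException e) {
            // Typical cause: the issuing CA (or self-signed server certificate) is missing
            // from the trust store, so the TLS handshake is rejected before any LDAP traffic.
            System.err.println("TLS/connection failure: " + e.getRootCause());
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e);
        }
    }
}
```

Running it against a store that lacks the CA reproduces the handshake failure the description warns about, which is the quickest way to confirm the jssecacerts file actually being consulted is the one you imported into.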

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
notifications mailing list
notifications@xwiki.org
http://lists.xwiki.org/mailman/listinfo/notifications