Hi Peter,

I applied your patch for LDAP User authentication and succeeded and then further did it with TLS. Thanks for your reply.

Now I am concerned about the powerful feature "MULTIPLE and HIERARCHICAL CAs under a main PKI Realm root CA". In the current version of OpenXPKI, I have a single CA. Now I am interested in creating CA chains containing more CAs below it. How to enable this functionality?

Best Regards
Scott Thomas

________________________________
From: "[email protected]" <[email protected]>
To: [email protected]
Sent: Thu, November 26, 2009 1:04:00 PM
Subject: Re: [OpenXPKI-users] openxpki ldap integration problem

Hi, Scotty

>> Now I am concerned in authenticating OpenXPKI with LDAP over TLS/SSL.
>> How can I enable it and what changes will be required?

Replace

    <use_tls>false</use_tls>
    <capath>no</capath>

in auth.xml with

    <use_tls>true_tls</use_tls>
    <capath>PUT_HERE_YOUR_PATH_TO_CA_CERTIFICATES</capath>

The 'capath' parameter will be used in the Net::LDAP start_tls method as described in the Net::LDAP manual. You need to prepare certificates and store them in files having some special names (hashes).

The other approach is using ssl: install the Net::LDAPS Perl module and set the use_tls parameter to 'true_ssl':

    <use_tls>true_ssl</use_tls>
    <capath>PUT_HERE_YOUR_PATH_TO_CA_CERTIFICATES</capath>

In this case you should also check that you specify the proper port number in auth.xml for the SSL connection (usually it is 636 instead of 389).

In both cases your ldap server and client must be configured properly to be able to support TLS/SSL connections. Takes time...

Actually I have rather poor experience on the point. I have just refactored the module written by Michael Bell and wrote some tests for it.

Beware security holes. LDAP can easily skip TLS in the case of some trouble and switch itself to usual bind. Proper LDAP configuration is a really BIG thing here.

Best Regards,
Peter
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
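The fallback to an ordinary bind that Peter warns about, handled on the client side. This is an added example, not part of the original thread and not OpenXPKI's own code: a Net::LDAP client that stops instead of binding when TLS cannot be established, for both the true_tls and true_ssl settings. The host name, bind DN, CA directory and the LDAP_PW environment variable are assumed placeholders.

```perl
#!/usr/bin/perl
# Added example: fail-closed LDAP client using Net::LDAP.
use strict;
use warnings;
use Net::LDAP;

# Assumed placeholders, not values from the thread.
my $HOST   = 'ldap.example.org';
my $CAPATH = '/etc/openxpki/ldap-ca';  # CA certs under OpenSSL hash names (c_rehash)
my $DN     = 'uid=scott,ou=people,dc=example,dc=org';

# use_tls = true_tls: plain connection on 389, then upgrade with StartTLS.
sub connect_starttls {
    my ($host, $capath) = @_;
    my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
        or die "connect to $host failed: $@\n";
    # verify => 'require' rejects a server certificate that does not chain
    # to a CA in $capath.
    my $mesg = $ldap->start_tls(verify => 'require', capath => $capath);
    if ($mesg->code) {
        $ldap->disconnect;
        die 'StartTLS failed, not binding in clear text: ' . $mesg->error . "\n";
    }
    return $ldap;
}

# use_tls = true_ssl: TLS handshake on 636 before any LDAP traffic.
sub connect_ldaps {
    my ($host, $capath) = @_;
    my $ldap = Net::LDAP->new("ldaps://$host", port => 636, timeout => 10,
                              verify => 'require', capath => $capath)
        or die "ldaps connect to $host failed: $@\n";
    return $ldap;
}

my $mode = shift(@ARGV) // 'tls';
my $pw   = $ENV{LDAP_PW} // die "set LDAP_PW in the environment\n";
my $ldap = $mode eq 'ssl' ? connect_ldaps($HOST, $CAPATH)
                          : connect_starttls($HOST, $CAPATH);

# Last check before the password leaves the process: cipher() is undef
# when the connection is not encrypted.
my $cipher = $ldap->cipher
    or die "connection is not encrypted, refusing to bind\n";

my $bind = $ldap->bind($DN, password => $pw);
die 'bind failed: ' . $bind->error . "\n" if $bind->code;
print "bound as $DN over $cipher\n";
$ldap->unbind;
```

Run it with no argument for StartTLS or with `ssl` for LDAPS. On the server side, the matching control is to reject simple binds on unencrypted connections, so a client that does skip TLS gets an error rather than a session.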
