Hi,
does anybody know the AllowOverride setting necessary for the
LDAPTrustedClientCert directive? The manual
(http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldaptrustedclientcert)
doesn't contain this information. Sorry to bother the list about this; I'm
currently not running an LDAP
On 1/28/07, Sascha Kersken [EMAIL PROTECTED] wrote:
above is required to get the LDAPTrustedClientCert stuff we
push onto the LDAP* to actually affect the openldap/openssl TLS
environment.
Attached here are patches against trunk for the httpd side. This
makes LDAPTrustedClientCert really act like a per-directory
configuration setting.
Linking
On 11/10/06, Graham Leggett [EMAIL PROTECTED] wrote:
On Fri, November 10, 2006 2:34 am, Eric Covener wrote:
I'll respin a patch that de-emphasizes works with openldap alpha and
focuses more on making the tls cert doc and code sane.
I'll take a look - thank you for looking at this. One thing
FWIW, openldap HEAD now has a fix that eliminates the need for the
ugly SSL_library_init() call I had in my illustrative patch.
Executive Summary:
per apache doc Novell doesn't use per-connection client certs
per apache doc WIN32 doesn't use per-connection client certs (unknown,
maybe windows
to work when linked against the 2.4.3 (alpha) openldap.
not ready for prime-time but for discussion purposes only (comments
below)
(when using older/current openldap I think httpd has to refuse
LDAPTrustedClientCert altogether and require users code
LDAPTrustedGlobalCert exclusively
On 10/24/06, Graham Leggett [EMAIL PROTECTED] wrote:
For example, if you are using OpenLDAP, you need to set your CA
certificates using LDAPTrustedGlobalCert, and set your client certificates
on a per-connection basis inside a directory and/or virtual host container
using LDAPTrustedClientCert
if the LDAP* parameter is set (unset=global).
This manifests as a bad rc from ldap_set_option().
util_ldap doesn't hit this condition because it never calls anything
on a per-connection basis, despite documentation.
1) util_ldap ignores LDAPTrustedClientCert if it's in a vhost (loses track of it)
2) util_ldap treats LDAPTrustedClientCert as LDAPTrustedGlobalCert if it's in the base server (consequence of how it's stashed away and retrieved)
3) util_ldap doesn't accept LDAPTrustedClientCert in a directory container
Using
On Tue, October 31, 2006 1:25 am, Eric Covener wrote:
Looks like the openldap 2.4 series (alpha) can support this by
requesting a new openssl CTX
(ldap_set_option(...,APR_LDAP_OPT_X_TLS_NEWCTX,...) but I had to
explicitly call openssl's SSL_library_init(); before ldap_set_option
or it died
On Tue, October 24, 2006 5:40 am, Eric Covener wrote:
Is anyone familiar with the state of the LDAPTrustedClientCert directive in
trunk and 2.2.x?
util_ldap.c:254
Defined as RSRC_CONF; manual text and examples say directory/location container
util_ldap.c:1635
When the directive is used it results in an entry that's added to the same array
host and/or
directory.
Unless I'm confused LDAPTrustedClientCert isn't accepted in a
directory context, despite the manual entry.
When you add it to a vhost, it appears that it will be added (only )
to the global_certs array in the per-vhost module config -- but the
global_certs that are actually