Hello,

Plone is just straightforward in this area. It uses the system settings for LDAP CA support.

On normal Unix/Linux systems you have an /etc/ldap directory where you can place a CA.pem and register it in ldap.conf; the lines should look like:

    TLS_CACERT /etc/ldap/CA.pem

or

    TLS_REQCERT never

If you use buildout with openldap and python-ldap built in buildout, then the path to the configuration directory is /path/to/buildout/parts/openldap/etc/openldap. I use a buildout part like this for it:

> [openldap]
> recipe = zc.recipe.cmmi
> url = ftp://gd.tuwien.ac.at/infosys/network/OpenLDAP/openldap-stable/openldap-stable-20071118.tgz
> extra_options = --with-sasl --with-tls --enable-slapd=no
>
> [python-ldap]
> recipe = zc.recipe.egg:custom
> egg = python-ldap
> include-dirs =
>     ${openldap:location}/include
> library-dirs =
>     ${openldap:location}/lib
> rpath =
>     ${openldap:location}/lib
>
> [ldap-settings]
> recipe = plone.recipe.command
> command =
>     rm -f ${openldap:location}/etc/openldap/ldap.conf
>     rm -f ${openldap:location}/etc/openldap/CA.pem
>     wget -q ${config:CA-url} -O ${openldap:location}/etc/openldap/CA.pem
> update-command = ${ldap-settings:command}
>
> [ldap-conf-settings]
> recipe = collective.recipe.template
> input = ${buildout:directory}/templates/ldap.conf
> output = ${openldap:location}/etc/openldap/ldap.conf

Greetings
Pumukel

Alberto Lopes wrote:

> Dear friends,
>
> I am trying to set up an LDAP configuration for Plone, using the PloneLDAP
> product.
>
> I need to connect to an LDAP over SSL port, but to do that, I need Plone
> to validate the server certificate.
>
> I was not able to find out where to configure Plone to know which is the
> CA certificate to validate the server certificate; however, a guy in the
> python-ldap list gave me a hint to do a
> "ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')"
> command to set a "global" CA Cert file.
>
> I put that as the last command in site-packages/ldap/__init__.py file
> (stripping the "ldap." prefixes), and Plone was able to connect to the
> LDAP server (I was able to search users, etc.)
>
> My question is: is there a better or cleaner way or place to configure
> such a thing? Messing with the source code for a python library seems a
> little wrong to me...
>
> Regards,
>
> Alberto
>
> --
> View this message in context: http://n2.nabble.com/LDAP-User-Folder-Certificate-Configuration-tp2123979p2126711.html
> Sent from the Installation, Setup, Upgrades mailing list archive at Nabble.com.

_______________________________________________
Setup mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/setup
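The thread gives two ways to point libldap at a CA (a TLS_CACERT line in ldap.conf, or ldap.set_option with OPT_X_TLS_CACERTFILE) and also mentions TLS_REQCERT never, which makes the CA file irrelevant because the server chain is no longer checked. The following is an added example, not code from either poster: it parses an ldap.conf in the format shown above and reports whether the client will actually verify the server certificate. The two sample configurations, the host name and the CA path in them are constructed placeholders.

```python
"""Audit an OpenLDAP client ldap.conf for server-certificate verification.

Added example, not from the thread. It checks the same file that Plone and
python-ldap pick up through libldap (e.g. parts/openldap/etc/openldap/ldap.conf
in the buildout above). Sample configs below are constructed placeholders.
"""
from __future__ import annotations

import os

# Constructed sample: CA registered, but verification switched off.
WEAK_LDAP_CONF = """\
# ldap.conf (constructed sample)
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org
TLS_CACERT  /etc/ldap/CA.pem
TLS_REQCERT never
"""

# Constructed sample: the same file with verification enforced.
HARDENED_LDAP_CONF = """\
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org
TLS_CACERT  /etc/ldap/CA.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse ldap.conf syntax: one 'KEYWORD value' per line, '#' comments,
    keywords case-insensitive; a later line overrides an earlier one."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings: dict[str, str], check_files: bool = False) -> list[str]:
    """Return findings for the TLS client settings; an empty list means the
    server certificate will be checked against a configured trust anchor."""
    findings: list[str] = []
    # libldap treats a missing TLS_REQCERT as 'demand'; 'hard' is a synonym.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server without a certificate is accepted")
    elif reqcert not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {reqcert}: unknown value")
    if not ("TLS_CACERT" in settings or "TLS_CACERTDIR" in settings):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchor to verify against")
    cacert = settings.get("TLS_CACERT")
    if check_files and cacert and not os.path.isfile(cacert):
        findings.append(f"TLS_CACERT {cacert}: file not found")
    return findings


def audit_file(path: str) -> list[str]:
    """Audit an ldap.conf on disk and also confirm the CA file exists."""
    with open(path, encoding="utf-8") as fh:
        return audit_tls(parse_ldap_conf(fh.read()), check_files=True)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)) or ["ok"])
```

Because python-ldap is linked against libldap, the TLS_CACERT line in this file is the file-based equivalent of the set_option(OPT_X_TLS_CACERTFILE, ...) hint from the python-ldap list, and it is what lets the buildout-installed Plone validate the server without touching the library source. Run audit_file against the generated parts/openldap/etc/openldap/ldap.conf after buildout to confirm that the template produced TLS_REQCERT demand (or left it unset) and that the wget step actually fetched CA.pem.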
