directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: SSL on ADS 1.5-trunks + AUG doco for 1.0
Date Thu, 07 Jun 2007 23:09:51 GMT
Enrique Rodriguez wrote:

> On 6/7/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
>
>> Has someone tested SSL on trunks? While looking at the configuration,
>> I saw that there is a new ldapsConfiguration bean in the server.xml
>> file, but I'm afraid that some information may be missing, like the
>> ldapsCertificateFile.
>
>
> Both LDAP and LDAPS are supported by the same bean, LdapConfiguration.
> The reason that both LDAP and LDAPS share the same bean is that both
> can use SSL.  

If we focus on the service, and not on the protocol (if we consider SSL 
a protocol), then we should have only one configuration for LDAP.

I have updated the doco here:
http://cwiki.apache.org/confluence/display/DIRxSRVx11/Configuration+Parameters+Reference
with some notes and questions, and I would greatly appreciate it if you 
could improve what has been started there (I think that Christine 
started the page, then completed it with your help).

I'm not done with it yet, but I see this page as the best solution to 
exchange ideas.

> The only difference is that with LDAP the SSL filter is
> engaged only with StartTLS while with LDAPS, the SSL filter is engaged
> "full time."  Therefore, both protocol variants need the same config
> parameters so I made them use the same bean.  In order to engage SSL
> "full time," there is a boolean called 'enableLdaps', which is false
> by default.

I agree with the parameters: they will be shared. The only difference 
is how they will be activated. But I guess that if you enable SSL, then 
StartTLS is disabled, if I don't get it wrong. It seems to me that 
SSL and StartTLS are like a switch, which can be set off and on: when 
disabling SSL, the user can enable StartTLS.
Or it may be a good idea to allow SSL and StartTLS to be active at the 
same time. wdyt?

>
> I was prompted to do it this way because I have StartTLS working
> locally.  We have DIRSERVER-869 assigned to Alex to process grant
> paperwork.  If I get an ACK on committing StartTLS, I can do so pretty
> quickly.
>
> https://issues.apache.org/jira/browse/DIRSERVER-869

We need StartTLS, definitely. Now, I will say I'm a little bit 
reluctant to include it in the server until we have a clean place. 
Hopefully, we are close. As the configuration has already moved a lot, I 
would be tempted to include StartTLS too.

Let's wait a few more days so that we have a clear idea of what the 
impact on the doco is, and let's move on with StartTLS.

We need to decide if it is to be included in 1.5.1, but IMO, this will 
be the way to go.

I will get back to you by the end of this week, but I expect that other 
peeps give their opinion (it's not all about me...)

Thanks,
Emmanuel
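Added illustration of the design discussed in this thread (one configuration bean shared by LDAP and LDAPS, with SSL engaged "full time" on LDAPS and only after StartTLS on plain LDAP). This is example code written for this archive page, not ApacheDS code and not code posted by anyone in the thread. The bean and field names (LdapConfiguration, enable_ldaps, enable_start_tls, require_tls_for_bind, certificate_file), the session model and the sample DN are assumptions made for the illustration; the StartTLS OID and the result codes come from RFC 4511 and RFC 2830. It also goes a step beyond the thread by showing what a server does with a StartTLS request that arrives on a session where TLS is already in place, and by flagging simple binds sent before TLS is engaged, which is the thing a defender wants refused or at least logged.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# StartTLS extended operation OID (RFC 4511 section 4.14).
START_TLS_OID = "1.3.6.1.4.1.1466.20037"


class Result(Enum):
    """LDAP result codes used by this model (numeric values per RFC 4511)."""
    SUCCESS = 0
    OPERATIONS_ERROR = 1          # RFC 2830: TLS already established
    PROTOCOL_ERROR = 2            # RFC 2830: TLS not supported / not offered
    CONFIDENTIALITY_REQUIRED = 13  # bind refused because the session is in the clear


@dataclass
class LdapConfiguration:
    """One bean shared by both listeners (assumed names, modelled on the thread)."""
    ldap_port: int = 10389
    ldaps_port: int = 10636
    enable_ldaps: bool = False          # engage the SSL filter from the first byte
    enable_start_tls: bool = True       # accept StartTLS on the plain listener
    require_tls_for_bind: bool = True   # refuse simple binds sent in the clear
    certificate_file: Optional[str] = None


@dataclass
class Session:
    listener: str                       # "ldap" or "ldaps"
    tls_active: bool
    events: List[str] = field(default_factory=list)


def open_session(cfg: LdapConfiguration, listener: str) -> Session:
    """Accept a connection on one of the two listeners driven by the shared bean."""
    if cfg.certificate_file is None and (cfg.enable_ldaps or cfg.enable_start_tls):
        raise ValueError("TLS is enabled but no certificate file is configured")
    if listener == "ldaps":
        if not cfg.enable_ldaps:
            raise ValueError("LDAPS listener is not enabled")
        return Session("ldaps", tls_active=True, events=["tls: engaged full time"])
    if listener == "ldap":
        return Session("ldap", tls_active=False, events=["tls: not engaged"])
    raise ValueError(f"unknown listener {listener!r}")


def handle_start_tls(cfg: LdapConfiguration, session: Session) -> Result:
    """StartTLS extended request; result codes follow RFC 2830 section 2.3."""
    if session.tls_active:
        session.events.append("starttls: rejected, TLS already in place")
        return Result.OPERATIONS_ERROR
    if not cfg.enable_start_tls:
        session.events.append("starttls: rejected, not offered")
        return Result.PROTOCOL_ERROR
    session.tls_active = True
    session.events.append("starttls: TLS engaged on existing session")
    return Result.SUCCESS


def handle_simple_bind(cfg: LdapConfiguration, session: Session, dn: str) -> Result:
    """Simple bind: the password would cross the wire in the clear without TLS."""
    if not session.tls_active:
        session.events.append(f"bind: {dn} attempted in the clear")
        if cfg.require_tls_for_bind:
            return Result.CONFIDENTIALITY_REQUIRED
        return Result.SUCCESS
    session.events.append(f"bind: {dn} over TLS")
    return Result.SUCCESS


def clear_text_binds(session: Session) -> List[str]:
    """Audit helper: events where a bind reached the wire without TLS."""
    return [e for e in session.events if "in the clear" in e]


if __name__ == "__main__":
    # Constructed sample: placeholder certificate path and DN, not real values.
    cfg = LdapConfiguration(enable_ldaps=True, certificate_file="PLACEHOLDER-cert.p12")
    dn = "cn=example-user,dc=example,dc=test"
    for listener in ("ldaps", "ldap"):
        s = open_session(cfg, listener)
        print(listener, "bind:", handle_simple_bind(cfg, s, dn).name)
        print(listener, "starttls:", handle_start_tls(cfg, s).name)
        print(listener, "bind:", handle_simple_bind(cfg, s, dn).name)
        print("\n".join("  " + e for e in s.events))
```

The two flags are independent here on purpose: with both set, the plain listener still offers StartTLS while the LDAPS listener rejects it with operationsError because TLS is already engaged, which is the "both active at the same time" option raised above rather than a single on/off switch.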
