directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Where can I get the client certificate?
Date Fri, 13 Mar 2015 12:25:22 GMT
On Fri, Mar 13, 2015 at 7:55 PM, Marc Boorshtein <mboorshtein@gmail.com>
wrote:

>
>> here you have access to the certificate and this is the only place where
>> you have a chance to see it,
>> and if you want to store it for any other purpose then you need to extend
>> the server, cause certs are useless
>> after establishing a secure channel.
>>
>>>
>>>
> Well that's untrue.  The certificate can be used for user mapping,
> authorization, etc.  This is VERY common in the HTTP world.  In a servlet
> you can get the certificate, DN, etc. from the request object.
>
not the case in LDAP, AFAIK

> That being said, I have extended the server (
> http://sourceforge.net/p/myvd/code/HEAD/tree/trunk/MyVD/src/main/java/org/apache/directory/server/ldap/LdapServer.java)
> mainly so I can do custom SSL implementations so I can easily create a
> custom trust manager.  The question becomes how can I associate the cert I
> get from the trust manager to an LDAP session?  Neither the trust manager
> nor the keystore actually has that context.
>
likewise you need to extend the LdapSession class as well and inject the
cert after authentication,
but to get the actual certificate to inject you need support from MINA.

Modifying the SslFilter should be the right place to pin the certificate as a
property on the IoSession instance

> Thanks
> Marc
>



-- 
Kiran Ayyagari
http://keydap.com
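The IoSession pinning Kiran describes, as an added example that is not part of this thread, of ApacheDS or of MINA: a MINA filter placed right after the SslFilter that reads the peer certificate from the SSLSession once the handshake has completed and stores it as an IoSession attribute for the LDAP layer to consult. It assumes MINA 2.x's `SslFilter.getSslSession(IoSession)` and `IoFilterAdapter` APIs and a chain entry named "sslFilter" (both assumptions); the attribute key and class names are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.session.AttributeKey;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

/** Hypothetical filter: sits after the SslFilter and pins the client cert to the IoSession. */
public class ClientCertPinningFilter extends IoFilterAdapter {

    /** Attribute under which the client certificate is stored (hypothetical key name). */
    public static final AttributeKey CLIENT_CERT =
            new AttributeKey(ClientCertPinningFilter.class, "clientCert");

    /** Marker stored when the client presented no certificate, so we only look once. */
    private static final Object NONE = new Object();

    private final SslFilter sslFilter;

    public ClientCertPinningFilter(SslFilter sslFilter) {
        this.sslFilter = sslFilter;
    }

    @Override
    public void messageReceived(NextFilter nextFilter, IoSession session, Object message)
            throws Exception {
        // Any message reaching this filter was already decrypted, so the handshake is done.
        if (!session.containsAttribute(CLIENT_CERT)) {
            SSLSession ssl = sslFilter.getSslSession(session); // assumed MINA 2.x API
            X509Certificate cert = peerCertificate(ssl);
            session.setAttribute(CLIENT_CERT, cert == null ? NONE : cert);
        }
        nextFilter.messageReceived(session, message);
    }

    private static X509Certificate peerCertificate(SSLSession ssl) {
        if (ssl == null) return null;
        try {
            // Element 0 is the peer's own cert; the trust manager already validated the chain.
            Certificate[] chain = ssl.getPeerCertificates();
            return (chain.length > 0 && chain[0] instanceof X509Certificate)
                    ? (X509Certificate) chain[0] : null;
        } catch (SSLPeerUnverifiedException e) {
            return null; // no client certificate was presented (or it was not verified)
        }
    }

    /** The pinned client certificate for this session, or null if none was presented. */
    public static X509Certificate clientCertificate(IoSession session) {
        Object v = session.getAttribute(CLIENT_CERT);
        return v instanceof X509Certificate ? (X509Certificate) v : null;
    }
}
```

Register it with `chain.addAfter("sslFilter", "clientCert", new ClientCertPinningFilter(sslFilter))`; the LDAP layer can then call `clientCertificate(session)` on the bind's IoSession to drive user mapping or authorization, while chain validation stays solely with the trust manager.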
