Subject: Re: Where can I get the client certificate?
From: Marc Boorshtein
To: Apache Directory Developers List
Date: Fri, 13 Mar 2015 08:28:15 -0400

>>>> Well, that's untrue. The certificate can be used for user mapping,
>>>> authorization, etc. This is VERY common in the HTTP world. In a servlet
>>>> you can get the certificate, DN, etc. from the request object.
>>>
>>> Not the case in LDAP, AFAIK.
>>
>> OK, well if it wasn't the case I wouldn't have folks asking for it :-)
>>
>> That being said, I have extended the server
>> (http://sourceforge.net/p/myvd/code/HEAD/tree/trunk/MyVD/src/main/java/org/apache/directory/server/ldap/LdapServer.java)
>> mainly so I can do custom SSL implementations so I can easily create a
>> custom trust manager. The question becomes how can I associate the cert I
>> get from the trust manager to an LDAP session? Neither the trust manager
>> nor the keystore actually has that context.
>
> Likewise, you need to extend the LdapSession class as well and inject the
> cert after authentication, but to get the actual certificate to inject
> you need support from MINA.
>
> Modifying the SslFilter should be the right place to pin the certificate
> as a property in the IoSession instance.

That's a great starting point. Thanks
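The approach the thread converges on (pin the client certificate on the MINA IoSession when the TLS handshake completes, then read it from the LDAP layer) as an added example. This is illustrative code written for this page, not code from MyVD, ApacheDS or MINA; the class name ClientCertPinFilter, the attribute key CLIENT_CERT_CHAIN and the install() wiring are assumptions. It relies on the MINA 2.x SslFilter behaviour of emitting SslFilter.SESSION_SECURED / SESSION_UNSECURED as marker messages to the next filter in the chain, and on SslFilter.getSslSession(IoSession) for the underlying SSLSession, which is why it is a separate filter placed directly after the SslFilter rather than an override inside it.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.core.filterchain.IoFilter.NextFilter;
import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.session.AttributeKey;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Hypothetical filter (not MyVD/ApacheDS code) that pins the verified TLS client
 * certificate chain onto the IoSession as soon as the handshake completes, so the
 * LDAP layer (e.g. an LdapSession subclass via getIoSession()) can read it later.
 * It must sit in the chain directly after the SslFilter.
 */
public final class ClientCertPinFilter extends IoFilterAdapter {

    /** IoSession attribute holding the peer chain; assumed name. */
    public static final AttributeKey CLIENT_CERT_CHAIN =
            new AttributeKey(ClientCertPinFilter.class, "clientCertChain");

    private final SslFilter sslFilter;

    public ClientCertPinFilter(SslFilter sslFilter) {
        this.sslFilter = sslFilter;
    }

    @Override
    public void messageReceived(NextFilter nextFilter, IoSession session, Object message)
            throws Exception {
        // SslFilter sends these markers downstream when the handshake finishes or
        // the connection drops back to plaintext, so they are only visible here.
        if (message == SslFilter.SESSION_SECURED) {
            pin(session);
        } else if (message == SslFilter.SESSION_UNSECURED) {
            session.removeAttribute(CLIENT_CERT_CHAIN);
        }
        nextFilter.messageReceived(session, message);
    }

    private void pin(IoSession session) {
        SSLSession ssl = sslFilter.getSslSession(session);
        if (ssl != null) {
            try {
                // Only succeeds for a chain the engine's TrustManager accepted;
                // index 0 is the client's own certificate.
                Certificate[] chain = ssl.getPeerCertificates();
                if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                    session.setAttribute(CLIENT_CERT_CHAIN, chain.clone());
                    return;
                }
            } catch (SSLPeerUnverifiedException noClientCert) {
                // No certificate presented (wantClientAuth) or it was rejected.
            }
        }
        // A renegotiation without a client cert must not leave a stale identity behind.
        session.removeAttribute(CLIENT_CERT_CHAIN);
    }

    /**
     * Accessor for the LDAP layer. Returns null when the session carries no
     * verified client certificate; callers must treat null as "not cert-authenticated".
     */
    public static X509Certificate clientCertificate(IoSession session) {
        Object chain = session.getAttribute(CLIENT_CERT_CHAIN);
        if (chain instanceof Certificate[] && ((Certificate[]) chain).length > 0) {
            return (X509Certificate) ((Certificate[]) chain)[0];
        }
        return null;
    }

    /** Wiring, as a server subclass would do it when building its filter chain. */
    public static void install(DefaultIoFilterChainBuilder chain, SSLContext ctx) {
        SslFilter ssl = new SslFilter(ctx);
        // wantClientAuth requests a certificate but still allows anonymous TLS;
        // use setNeedClientAuth(true) if every connection must present one.
        ssl.setWantClientAuth(true);
        chain.addFirst("sslFilter", ssl);
        chain.addAfter("sslFilter", "clientCertPin", new ClientCertPinFilter(ssl));
    }
}
```

Two caveats a practitioner will want. First, the pinned identity is exactly as trustworthy as the TrustManager inside the SSLContext handed to SslFilter: a custom trust manager that accepts any chain turns certificate-to-user mapping into a client-chosen identity, so whatever maps the subject DN or SAN to an LDAP entry must only ever consult the certificate stored by this filter, never a name supplied in the bind request. Second, because the attribute is refreshed on every SESSION_SECURED, a renegotiation that drops or changes the client certificate changes the pinned value; the LDAP-side injection into the LdapSession that the thread describes should therefore happen at bind time, after the chain has been validated, rather than being cached across the life of the connection.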