directory-users mailing list archives

From Beat Burgener | NetSuccess GmbH <beat.burge...@netsuccess.ch>
Subject Re: [ApacheDS] Certificate for StartTLS
Date Wed, 06 Jan 2010 11:59:54 GMT
Matthias,

what tool do you use to connect to Apache DS? I use Apache Directory 
Studio, and AFAIR,
there was an error if the certificate does not match the FQDN.

However, connecting either using LDAPS on Port 636 or via StartTLS on 
port 389, I don't get an error.
I don't know of a way to display the certificate details of a connection 
in the AD Studio though ...

Regards

Beat

On 06.01.2010 12:30 PM, Matthias Cramer wrote:
> Hi Beat
>
> I have it exactly that way. And ldaps works well. but starttls still
> uses the old cert.
>
> Regards
>
>    Matthias
>
> Beat Burgener | NetSuccess GmbH wrote:
>    
>> Matthias, no problem at all ...
>>
>> Please refer to this post of Stefan as I had the same issue earlier this
>> year:
>>
>>      
>>>        
>> -------------------------------------------------------------------------------------
>>
>>
>>      
>>>   Further, I would like to use our self-signed and later "trusted" SSL
>>>   certificate for
>>>   the SSL communication, but the web page doc and the current config are
>>>   different:
>>>
>>>    From the web page:
>>>
>>>    <ldapService id="ldapsService"
>>>                enabled="true"
>>>                tcpPort="10636"
>>>                enableLdaps="true"
>>>                nbTcpThreads="8"
>>>                keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
>>>                certificatePassword="secret">
>>>      <directoryService>#directoryService</directoryService>
>>>    </ldapService>
>>>
>>>
>>>     From what I see in our config:
>>>
>>>   <ldapServer id="ldapServer"
>>>              allowAnonymousAccess="false"
>>>              saslHost="ldap.netsuccess.ch"
>>>              saslPrincipal="ldap/ldap@netsuccess.ch"
>>>              searchBaseDn="ou=users,ou=system"
>>>              maxTimeLimit="15000"
>>>              maxSizeLimit="1000">
>>>      <transports>
>>>        <tcpTransport address="0.0.0.0" port="389" nbThreads="8"
>>>   backLog="50" enableSSL="false"/>
>>>        <tcpTransport address="0.0.0.0" port="636" enableSSL="true"/>
>>>      </transports>
>>>
>>>      <directoryService>#directoryService</directoryService>
>>>
>>>    </ldapServer>
>>>
>>>
>>>   This appears quite different, as some of the attributes in the sample
>>>   config ended up in the <tcpTransport>
>>>   definition ... where should the keystore definition go?
>>>        
>> Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
>> be the 'ldapServer' element:
>>
>> <ldapServer id="ldapServer"
>>             keystoreFile="..."
>>             certificatePassword="secret"
>>             allowAnonymousAccess="false"
>>             saslHost="ldap.netsuccess.ch"
>>             saslPrincipal="ldap/ldap@netsuccess.ch"
>>             searchBaseDn="ou=users,ou=system"
>>             maxTimeLimit="15000"
>>             maxSizeLimit="1000">
>>
>>      
>>>   -------------------------------------------------------------------------------------
>>>
>>>        
>>
>>
>> Best regards
>>
>> Beat
>>
>>
>> On 06.01.2010 10:44 AM, Matthias Cramer wrote:
>>      
>>> Hi Beat
>>>
>>> I'm using 1.5.5
>>>
>>> Sorry for not mentioning it.
>>>
>>> Regards
>>>
>>>     Matthias
>>>
>>> Beat Burgener | NetSuccess GmbH wrote:
>>>
>>>        
>>>> Matthias
>>>>
>>>> Which version of Apache DS do you use?
>>>>
>>>> Beat
>>>>
>>>> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>>>>
>>>>          
>>>>> Hi
>>>>>
>>>>> I'm fairly new to Apache DS but managed to get all working what I like
>>>>> till now. I've generated a new SSL Cert and configured it into
>>>>> server.xml so that it works for normal SSL ldaps connections.
>>>>> But when I do starttls still the default certificate that came with the
>>>>> package gets used. How do I replace this one. I did not find anything
>>>>> on the website and google was of no help too.
>>>>>
>>>>> Any hint is appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>>      Matthias
>>>>>
>>>>>
>>>>>
>>>>>            
>>>
>>>        
>
>    
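The thread leaves one practical gap: Beat notes that Apache Directory Studio gives no way to display the certificate of a connection, so there is no easy way to confirm whether StartTLS on port 389 really serves the same certificate as LDAPS on port 636. The script below is an added example (not code from the thread, from ApacheDS or from Directory Studio) that does exactly that check with the Python standard library: it opens one TLS session directly to the LDAPS port, sends a hand-encoded LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) on the plain port and upgrades that socket, then compares the SHA-256 fingerprints of the two server certificates. Certificate verification is switched off on purpose, because the goal is to inspect which certificate the server presents, not to authenticate the server. The host name, ports and timeout are assumed values; replace them with your own server.

```python
"""Compare the certificate presented on LDAPS with the one presented after StartTLS.

Added example for checking an ApacheDS server's TLS configuration; it is not
code from the mailing-list thread, from ApacheDS or from Directory Studio.
"""
import hashlib
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos=0):
    """Decode one BER tag/length/value at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + _ber_len(len(oid)) + oid              # [0] LDAPOID
    ext_req = b"\x77" + _ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    mid = message_id.to_bytes((message_id.bit_length() + 8) // 8, "big", signed=True)
    mid_tlv = b"\x02" + _ber_len(len(mid)) + mid                  # INTEGER messageID
    body = mid_tlv + ext_req
    return b"\x30" + _ber_len(len(body)) + body                    # SEQUENCE


def parse_extended_response(data):
    """Decode an ExtendedResponse [APPLICATION 24]; returns message id, result code, diagnostic."""
    tag, body, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, rc, pos = _read_tlv(op)                # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)  # LDAPDN matchedDN (ignored here)
    _, diag, pos = _read_tlv(op, pos)         # LDAPString diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(rc, "big", signed=True),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def _inspect_only_context():
    """TLS context that accepts any certificate: we want to see it, not trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _fingerprint(tls_sock):
    return hashlib.sha256(tls_sock.getpeercert(binary_form=True)).hexdigest()


def ldaps_cert_fingerprint(host, port=636, timeout=5):
    """Fingerprint of the certificate served on the dedicated LDAPS port."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _inspect_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return _fingerprint(tls)


def starttls_cert_fingerprint(host, port=389, timeout=5):
    """Fingerprint of the certificate served after StartTLS on the plain port."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request(1))
        resp = parse_extended_response(raw.recv(4096))  # the reply is a few dozen bytes
        if resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused (result %d): %s"
                               % (resp["result_code"], resp["diagnostic"]))
        with _inspect_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return _fingerprint(tls)


if __name__ == "__main__":
    host = "ldap.example.org"   # assumed placeholder; use your own server
    a, b = ldaps_cert_fingerprint(host), starttls_cert_fingerprint(host)
    print("LDAPS    sha256:", a)
    print("StartTLS sha256:", b)
    print("same certificate on both:", a == b)
```

If the two fingerprints differ, the server is still using a different keystore for the StartTLS upgrade than for the LDAPS listener, which is the symptom Matthias describes; if they match, compare the printed fingerprint with the one from the keystore you configured on the ldapServer element.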
