directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Beat Burgener | NetSuccess GmbH <beat.burge...@netsuccess.ch>
Subject Re: [ApacheDS] Ceritficate for StartTLS
Date Wed, 06 Jan 2010 14:26:12 GMT
Stefan,

thank you for pointing this out.

BTW: I just found out that I still have 1.5.4   ;-(

BTW2: I personally do not suggest storing the certificate data within 
the LDAP directory itself, although there are fields available.
If you have a certificate used for "ssl.xyz.com", used for web, ldap and 
so on, compromising the LDAP account or
ApacheDS through LDAP protocol might reveal the private key - or am I 
wrong on this?
I know that more and more directories start storing PKI data within the 
storage engine (Microsoft ADS does this too),
but somehow I don't feel comfortable with this ...

BTW3: Is there a way to force StartTLS an LDAP connection using port 389 
via the ApacheDS configuration?
That's why I use LDAPS, which does not support plain text connections 
AFAIK. For LDAP, I don't feel in the position to control that
as the client use StartTLS or not ...

Thank you and sorry for consufing on the versions of ApacheDS ...

Beat

On 06.01.2010 13:28 PM, Stefan Seelmann wrote:
> Hi Matthias,
>
> Matthias Cramer wrote:
>>
>> As it looks like, the starttls extension does not honor the keystore
>> configured in the ldapServer config.
>
> Yes, you are right. I just checked the source code and the configured 
> keystore in server.xml isn't used for StartTLS extended operation :-/
>
> You could find the certificate and key that is use in the Admin Entry 
> (uid=admin,ou=system):
>
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
>
> What you need to do is to extract the private key, public key and 
> certificate from your keystore and replace the attributes privateKey, 
> publicKey and userCertificate with those guys. You could use Portacle 
> and OpenSSL to extract those information. If you need further help 
> don't hesitate to ask.
>
> Not very user friendly right now...
>
> Kind Regards,
> Stefan
>
>

Mime
View raw message