directory-users mailing list archives

From Beat Burgener | NetSuccess GmbH <>
Subject Re: [ApacheDS] Certificate for StartTLS
Date Wed, 06 Jan 2010 14:26:12 GMT

thank you for pointing this out.

BTW: I just found out that I still have 1.5.4 ;-(

BTW2: I personally do not suggest storing the certificate data within 
the LDAP directory itself, although there are fields available.
If you have a certificate used for "", used for web, LDAP and 
so on, compromising the LDAP account or
ApacheDS through the LDAP protocol might reveal the private key - or am I 
wrong on this?
I know that more and more directories start storing PKI data within the 
storage engine (Microsoft ADS does this too),
but somehow I don't feel comfortable with this ...

BTW3: Is there a way to force StartTLS on an LDAP connection using port 389 
via the ApacheDS configuration?
That's why I use LDAPS, which does not support plain text connections 
AFAIK. For LDAP, I don't feel in the position to control
whether the client uses StartTLS or not ...

Thank you and sorry for confusing the versions of ApacheDS ...


On 06.01.2010 13:28 PM, Stefan Seelmann wrote:
> Hi Matthias,
> Matthias Cramer wrote:
>> As it looks like, the starttls extension does not honor the keystore
>> configured in the ldapServer config.
> Yes, you are right. I just checked the source code and the configured 
> keystore in server.xml isn't used for StartTLS extended operation :-/
> You could find the certificate and key that are used in the Admin Entry 
> (uid=admin,ou=system):
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
> What you need to do is to extract the private key, public key and 
> certificate from your keystore and replace the attributes privateKey, 
> publicKey and userCertificate with those guys. You could use Portecle 
> and OpenSSL to extract that information. If you need further help 
> don't hesitate to ask.
> Not very user friendly right now...
> Kind Regards,
> Stefan
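The extraction Stefan describes above, as an added example that is not part of the thread or of ApacheDS: a POSIX shell script that, using only openssl, pulls the private key (unencrypted PKCS#8, DER), the public key (X.509 SubjectPublicKeyInfo, DER) and the certificate (X.509, DER) out of a PKCS#12 keystore and writes an LDIF modify that replaces privateKey, publicKey and userCertificate on uid=admin,ou=system. The keystore, its password and the CN are constructed for the demo; a JKS keystore would first be converted with keytool -importkeystore (an assumption about the reader's setup, not something the thread states). Note that the resulting LDIF carries the unencrypted private key in base64, so it needs the same protection as the keystore itself, which is exactly the concern raised in this message.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from ApacheDS.
# Extracts key material from a PKCS#12 keystore and builds an LDIF that
# replaces the privateKey / publicKey / userCertificate attributes of
# uid=admin,ou=system. A JKS keystore can be converted first with:
#   keytool -importkeystore -srckeystore ks.jks -destkeystore ks.p12 -deststoretype PKCS12
set -eu

WORK="${TMPDIR:-/tmp}/ads-starttls-$$"
mkdir -p "$WORK"

# Constructed demo keystore: a throwaway self-signed RSA key and certificate
# wrapped in PKCS#12, standing in for the keystore configured in server.xml.
make_demo_keystore() {
    out="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ldap.example.com" \
        -keyout "$out/demo-key.pem" -out "$out/demo-cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$out/demo-key.pem" -in "$out/demo-cert.pem" \
        -name server -passout "pass:$pass" -out "$out/ks.p12"
}

# Pull the three pieces out of the keystore in the encodings named by the
# admin entry's *Format attributes:
#   privateKey      -> unencrypted PKCS#8, DER      (privateKeyFormat: PKCS#8)
#   publicKey       -> SubjectPublicKeyInfo, DER    (publicKeyFormat: X.509)
#   userCertificate -> X.509 certificate, DER
extract_from_p12() {
    p12="$1"; pass="$2"; out="$3"
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" -out "$out/key.pem"
    openssl pkey -in "$out/key.pem" -outform DER -out "$out/privateKey.der"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" -out "$out/cert.pem"
    openssl x509 -in "$out/cert.pem" -outform DER -out "$out/userCertificate.der"
    openssl x509 -in "$out/cert.pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER -out "$out/publicKey.der"
}

# Emit one base64 LDIF attribute ("name:: value"), folded at 75 columns with
# the single-space continuation lines that LDIF (RFC 2849) uses.
ldif_b64_attr() {
    name="$1"; file="$2"
    printf '%s:: %s\n' "$name" "$(openssl base64 -A -in "$file")" \
        | fold -w 75 | awk 'NR > 1 { printf " " } { print }'
}

# Write a changetype: modify LDIF that swaps the key material on the admin entry.
build_admin_ldif() {
    dir="$1"
    {
        printf 'dn: uid=admin,ou=system\nchangetype: modify\n'
        printf 'replace: keyAlgorithm\nkeyAlgorithm: RSA\n-\n'
        printf 'replace: privateKeyFormat\nprivateKeyFormat: PKCS#8\n-\n'
        printf 'replace: publicKeyFormat\npublicKeyFormat: X.509\n-\n'
        printf 'replace: privateKey\n'
        ldif_b64_attr privateKey "$dir/privateKey.der"
        printf -- '-\n'
        printf 'replace: publicKey\n'
        ldif_b64_attr publicKey "$dir/publicKey.der"
        printf -- '-\n'
        printf 'replace: userCertificate\n'
        ldif_b64_attr userCertificate "$dir/userCertificate.der"
        printf -- '-\n'
    } > "$dir/admin-keys.ldif"
}

PASS="changeit"   # constructed demo password
make_demo_keystore "$WORK" "$PASS"
extract_from_p12 "$WORK/ks.p12" "$PASS" "$WORK"
build_admin_ldif "$WORK"
echo "LDIF written to $WORK/admin-keys.ldif (contains the private key: protect or delete it)"
```

The LDIF can then be applied with an LDAP client, e.g. `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f admin-keys.ldif` (the port and the OpenLDAP client are assumptions about the installation). Because the key now lives in a directory entry, anyone who can read privateKey on uid=admin,ou=system holds the server's TLS key, so restrict access to that entry accordingly.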
