From: Beat Burgener | NetSuccess GmbH
Organization: NetSuccess GmbH
Date: Wed, 06 Jan 2010 12:59:54 +0100
To: users@directory.apache.org
Subject: Re: [ApacheDS] Certificate for StartTLS
Message-ID: <4B447B3A.7020802@netsuccess.ch>
In-Reply-To: <4B44743B.1070105@iway.ch>

Matthias,

what tool do you use to connect to Apache DS? I use Apache Directory Studio, and AFAIR, there was an error if the certificate does not match the FQDN. However, connecting either using LDAPS on port 636 or via StartTLS on port 389, I don't get an error. I don't know of a way to display the certificate details of a connection in the AD Studio though ...

Regards
Beat

On 06.01.2010 12:30 PM, Matthias Cramer wrote:
> Hi Beat
>
> I have it exactly that way. And ldaps works well, but starttls still
> uses the old cert.
>
> Regards
>
> Matthias
>
> Beat Burgener | NetSuccess GmbH wrote:
>
>> Matthias, no problem at all ...
>>
>> Please refer to this post of Stefan as I had the same issue earlier this
>> year:
>>
>> -------------------------------------------------------------------------------------
>>
>>> Further, I would like to use our self-signed and later "trusted" SSL
>>> certificate for the SSL communication, but the web page doc and the
>>> current config are different:
>>>
>>> From the web page:
>>>
>>>     enabled="true"
>>>     tcpPort="10636"
>>>     enableLdaps="true"
>>>     nbTcpThreads="8"
>>>     keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
>>>     certificatePassword="secret">
>>>       #directoryService
>>>
>>> From what I see in our config:
>>>
>>>     allowAnonymousAccess="false"
>>>     saslHost="ldap.netsuccess.ch"
>>>     saslPrincipal="ldap/ldap@netsuccess.ch"
>>>     searchBaseDn="ou=users,ou=system"
>>>     maxTimeLimit="15000"
>>>     maxSizeLimit="1000">
>>>
>>>       backLog="50" enableSSL="false"/>
>>>
>>>       #directoryService
>>>
>>> This appears quite different, as some of the attributes in the sample
>>> config ended up in the definition ... where should the keystore
>>> definition go?
>>>
>> Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
>> be the 'ldapServer element':
>>
>>     keystoreFile="..."
>>     certificatePassword="secret"
>>     allowAnonymousAccess="false"
>>     saslHost="ldap.netsuccess.ch"
>>     saslPrincipal="ldap/ldap@netsuccess.ch"
>>     searchBaseDn="ou=users,ou=system"
>>     maxTimeLimit="15000"
>>     maxSizeLimit="1000">
>>
>>> -------------------------------------------------------------------------------------
>>
>> Best regards
>>
>> Beat
>>
>> On 06.01.2010 10:44 AM, Matthias Cramer wrote:
>>
>>> Hi Beat
>>>
>>> I'm using 1.5.5
>>>
>>> Sorry for not mentioning it.
>>>
>>> Regards
>>>
>>> Matthias
>>>
>>> Beat Burgener | NetSuccess GmbH wrote:
>>>
>>>> Matthias
>>>>
>>>> Which version of Apache DS do you use?
>>>>
>>>> Beat
>>>>
>>>> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I'm fairly new to Apache DS but managed to get everything working that
>>>>> I wanted till now. I've generated a new SSL cert and configured it into
>>>>> server.xml so that it works for normal SSL ldaps connections.
>>>>> But when I do starttls, still the default certificate that came with the
>>>>> package gets used. How do I replace this one? I did not find anything
>>>>> on the website and google was of no help too.
>>>>>
>>>>> Any hint is appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>> Matthias
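The check Beat says he has no way to do from Directory Studio, namely seeing which certificate a connection actually receives, can be done from the wire. The script below is an added example for this thread and is not part of the thread or of ApacheDS: it opens one LDAPS connection on port 636 and one plain connection on port 389 followed by the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511), then compares the SHA-256 fingerprints of the two certificates the server presents. The host name is a placeholder, the ports are the ones named in the thread, and the minimal BER encoder and decoder only handle the short message forms StartTLS uses.

```python
"""Check whether an LDAP server presents the same certificate on LDAPS and
after StartTLS.  Added example for this thread, not ApacheDS code; the host
name is a placeholder and the ports are the ones named in the thread."""
import hashlib
import socket
import ssl
import sys

# StartTLS extended operation OID (RFC 4511, section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _short_len(n: int) -> bytes:
    """BER short-form length; every field in a StartTLS exchange is under 128 bytes."""
    if n >= 128:
        raise ValueError("short-form length only")
    return bytes([n])


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    request_name = b"\x80" + _short_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + _short_len(len(request_name)) + request_name       # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req                      # INTEGER messageID
    return b"\x30" + _short_len(len(body)) + body                           # SEQUENCE


def parse_starttls_response(data: bytes) -> int:
    """Return the resultCode of LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }.
    Assumes short-form lengths, which is what a StartTLS response uses."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    i = 2                                   # past SEQUENCE tag and length
    if data[i] != 0x02:
        raise ValueError("missing messageID")
    i += 2 + data[i + 1]                    # past INTEGER tag, length and value
    if data[i] != 0x78:                     # ExtendedResponse [APPLICATION 24]
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % data[i])
    i += 2                                  # past tag and length
    if data[i] != 0x0A:                     # resultCode ENUMERATED
        raise ValueError("missing resultCode")
    return data[i + 2]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def same_certificate(cert_a: bytes, cert_b: bytes) -> bool:
    return fingerprint(cert_a) == fingerprint(cert_b)


def _inspection_context() -> ssl.SSLContext:
    # Verification is disabled on purpose: the goal is to see whatever
    # certificate the server sends, including an untrusted default one.
    # Never reuse this context for a real client connection.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def peer_cert_ldaps(host: str, port: int = 636) -> bytes:
    """Certificate presented on the LDAPS port (TLS from the first byte)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with _inspection_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def peer_cert_starttls(host: str, port: int = 389) -> bytes:
    """Certificate presented after a StartTLS extended operation on the plain port."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request())
        code = parse_starttls_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused, resultCode=%d" % code)
        with _inspection_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder host
    ldaps_cert = peer_cert_ldaps(host)
    starttls_cert = peer_cert_starttls(host)
    print("LDAPS    sha256:", fingerprint(ldaps_cert))
    print("StartTLS sha256:", fingerprint(starttls_cert))
    print("same certificate:", same_certificate(ldaps_cert, starttls_cert))
```

Run it against the server name used in the connection (`python starttls_cert_check.py ldap.netsuccess.ch`, assuming the file name); two different fingerprints reproduce exactly the symptom in the thread, a keystore that is honoured on port 636 while StartTLS on port 389 still hands out the certificate shipped with the package. Newer OpenSSL releases offer the same view with `openssl s_client -starttls ldap`, but the script makes the comparison explicit and works wherever Python is available.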