From: Beat Burgener | NetSuccess GmbH
To: users@directory.apache.org
Date: Wed, 06 Jan 2010 15:26:12 +0100
Subject: Re: [ApacheDS] Certificate for StartTLS
Message-ID: <4B449D84.9070003@netsuccess.ch>
In-Reply-To: <4B448203.4090102@apache.org>

Stefan,

thank you for pointing this out.

BTW: I just found out that I still have 1.5.4 ;-(

BTW2: I personally do not suggest storing the certificate data within the LDAP directory itself, although there are fields available. If you have a certificate used for "ssl.xyz.com", used for web, ldap and so on, compromising the LDAP account or ApacheDS through the LDAP protocol might reveal the private key - or am I wrong on this? I know that more and more directories start storing PKI data within the storage engine (Microsoft ADS does this too), but somehow I don't feel comfortable with this ...

BTW3: Is there a way to force StartTLS on an LDAP connection using port 389 via the ApacheDS configuration? That's why I use LDAPS, which does not support plain text connections AFAIK. For LDAP, I don't feel in the position to control whether the client uses StartTLS or not ...

Thank you and sorry for the confusion on the versions of ApacheDS ...

Beat

On 06.01.2010 13:28 PM, Stefan Seelmann wrote:
> Hi Matthias,
>
> Matthias Cramer wrote:
>>
>> As it looks like, the starttls extension does not honor the keystore
>> configured in the ldapServer config.
>
> Yes, you are right. I just checked the source code and the configured
> keystore in server.xml isn't used for the StartTLS extended operation :-/
>
> You can find the certificate and key that is used in the Admin Entry
> (uid=admin,ou=system):
>
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
>
> What you need to do is to extract the private key, public key and
> certificate from your keystore and replace the attributes privateKey,
> publicKey and userCertificate with those guys. You could use Portecle
> and OpenSSL to extract that information. If you need further help
> don't hesitate to ask.
>
> Not very user friendly right now...
>
> Kind Regards,
> Stefan
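An added example, not from the thread or from ApacheDS itself, of the replacement Stefan describes: the keytool/OpenSSL extraction steps are listed as comments, and the Python function builds the LDIF modify record that writes the three DER blobs into uid=admin,ou=system with base64 ("::") values folded per RFC 2849. The keystore and output file names are assumptions.

```python
import base64
from pathlib import Path

# Extraction steps to run beforehand (assumed file names; not executed here):
#   keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
#   openssl pkcs12 -in server.p12 -nocerts -nodes -out key.pem
#   openssl pkcs8 -topk8 -nocrypt -in key.pem -outform DER -out privateKey.der     # PKCS#8 DER
#   openssl pkcs12 -in server.p12 -clcerts -nokeys -out cert.pem
#   openssl x509 -in cert.pem -outform DER -out userCertificate.der                 # X.509 cert DER
#   openssl x509 -in cert.pem -pubkey -noout | openssl rsa -pubin -outform DER -out publicKey.der

ADMIN_DN = "uid=admin,ou=system"


def _fold(line, width=76):
    """Fold a long LDIF line; continuation lines begin with one space (RFC 2849)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def binary_attr(name, raw):
    """Render a binary attribute as a base64 ('::') LDIF value."""
    return _fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")


def admin_cert_ldif(private_key_der, public_key_der, cert_der, key_algorithm="RSA"):
    """Build the changetype: modify record replacing the admin entry's key material."""
    lines = [
        f"dn: {ADMIN_DN}",
        "changetype: modify",
        "replace: keyAlgorithm", f"keyAlgorithm: {key_algorithm}", "-",
        "replace: privateKeyFormat", "privateKeyFormat: PKCS#8", "-",
        "replace: privateKey", binary_attr("privateKey", private_key_der), "-",
        "replace: publicKeyFormat", "publicKeyFormat: X.509", "-",
        "replace: publicKey", binary_attr("publicKey", public_key_der), "-",
        "replace: userCertificate", binary_attr("userCertificate", cert_der), "-",
    ]
    return "\n".join(lines) + "\n"


def ldif_from_files(key_path, pub_path, cert_path):
    """Read the three DER files produced by the commands above and emit the LDIF."""
    return admin_cert_ldif(Path(key_path).read_bytes(), Path(pub_path).read_bytes(),
                           Path(cert_path).read_bytes())


if __name__ == "__main__":
    # Constructed placeholder bytes so the script runs without real key files.
    print(admin_cert_ldif(b"\x30\x82PRIVATE", b"\x30\x82PUBLIC", b"\x30\x82CERT"))
```

Because the private key ends up as an ordinary attribute, anyone who can read the admin entry can read it, which is the exposure Beat raises above; access control on uid=admin,ou=system is what stands between the LDAP protocol and the key.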