From: Emmanuel Lécharny
Reply-To: elecharny@apache.org
To: users@directory.apache.org
Date: Sun, 25 Nov 2012 00:12:19 +0100
Subject: Re: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8
Message-ID: <50B15453.8010401@gmail.com>

On 11/22/12 7:31 PM, Nick Duan wrote:
> Could someone share some info/hints on how to set up ApacheDS 2.0 with 1-way
> and 2-way SSL (LDAPS)? I was able to run LDAPS in 1-way SSL with
> the server using ApacheStudio by enabling the default LDAPS settings on
> ApacheDS and using the server self-generated certs, but was unable to configure
> the server using external certificates. It seems there is a lack of doc on
> this topic.

True.

> I am particularly interested in finding answers to the
> following problems:
>
> 1. I found the two LDAPS related attributes, ads-certificatePassword
> and ads-keystoreFile, under the node ou=config, ou=service,
> ou=ads-serviceid=ldapServer, but couldn't find any attribute that specifies
> the keystore password. Would a keystore password be required in this case?

No. Storing the external keystore password in the server would be a security breach, IMO.

> 2. How to specify truststore file path and password, and cert id,
> etc.? If to configure LDAPS using 2-way SSL (i.e. using client cert for
> authentication)

Not sure I understand...

> 3. Where is the default self-signed certificate file/keystore
> generated by ApacheDS?

It's stored in the uid=admin, ou=system entry.

Note that we have to improve this area. Any feedback is welcome!

--
Regards,
Emmanuel Lécharny
www.iktek.com
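As an added illustration of the two modes discussed in this thread (not code from the thread or from ApacheDS): a stdlib-only Python client that connects to an LDAPS port, verifies the server certificate against an external CA bundle (1-way SSL), optionally presents a client certificate (2-way SSL), and sends an anonymous LDAPv3 bind so the returned resultCode confirms the TLS layer works end to end. Host, port and the certificate file paths are assumptions to be filled in by the reader.

```python
import socket
import ssl

# Minimal LDAPv3 anonymous simple bind, hand-encoded as BER:
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
BIND_REQUEST = bytes.fromhex("300c020101" "6007" "020103" "0400" "8000")


def build_ldaps_context(cafile=None, client_cert=None, client_key=None):
    """1-way SSL: verify the server against an external CA bundle (cafile).
    2-way SSL: additionally present a PEM client certificate and key."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True                     # subject must match the host we dialed
    ctx.verify_mode = ssl.CERT_REQUIRED           # never accept an unverified server cert
    if client_cert:                               # assumed paths; only for 2-way SSL
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def parse_bind_result(data):
    """Return the LDAP resultCode from a BER-encoded bindResponse, or None.
    Expects SEQUENCE { INTEGER messageID, [APPLICATION 1] { ENUMERATED code ... } }."""
    if len(data) < 10 or data[0] != 0x30 or data[2] != 0x02:
        return None
    pos = 4 + data[3]                 # skip messageID (short-form length)
    if data[pos] != 0x61:             # bindResponse tag
        return None
    pos += 2                          # skip tag and length byte
    if data[pos] != 0x0A:             # ENUMERATED resultCode
        return None
    return int.from_bytes(data[pos + 2:pos + 2 + data[pos + 1]], "big")


def probe_ldaps(host, port, ctx, timeout=5.0):
    """Open an LDAPS session, send the anonymous bind, return (subject, resultCode).
    A handshake failure here means the trust chain (or client cert) is wrong."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            tls.sendall(BIND_REQUEST)
            return subject, parse_bind_result(tls.recv(1024))


if __name__ == "__main__":
    # Assumed values: replace with the real host, port and CA bundle path.
    context = build_ldaps_context(cafile="/path/to/external-ca.pem")
    print(probe_ldaps("ldap.example.test", 10636, context))
```

A resultCode of 0 on the anonymous bind shows the TLS session and the LDAP layer both came up; for 2-way SSL, run it once without a client certificate and confirm the handshake is rejected.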