httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 26390] - LDAPTrustedCA inside VirtualHost
Date Fri, 21 May 2004 20:07:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=26390>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=26390

LDAPTrustedCA inside VirtualHost
------- Additional Comments From minfrin@sharp.fm  2004-05-21 20:07 -------
Comment from dev@httpd.apache.org:

Brad Nicholes wrote:
>    This is something that I have been wanting to do for some time but
> haven't given it much thought until now.  I talked to some of our Novell
> LDAP engineers to get a better perspective on this.  According to them,
> per-session certificates will not work in Novell LDAP and they also
> believe that it doesn't work for Netscape or Microsoft either.  They
> also had some concerns about OpenLDAP as well and although per-session
> certificates appear to be supported, they weren't sure how well it
> actually worked.  
>   Just looking at the code in the util_ldap_post_config() routine and
> how each of them set up the certificates, I wouldn't expect Netscape,
> Novell or Microsoft SDKs to support per-session certificates.  The
> Netscape SDK and the Novell SDK use the same function to initialize the
> SSL libraries, but even though the current util_ldap code for Novell
> isn't written this way, the Novell SDK allows the user to configure a
> list of certificates rather than a single certificate by calling
> ldapssl_add_trusted_cert().  The Netscape SDK probably allows for the
> same thing through their CERT7 database file which is required.  The
> Microsoft SDK appears to pull its certificate from the registry so I
> have no idea if it even allows for multiple certificates.  All of these
> methods appear to be global rather than per-session.  
>   My feeling is that about the best we could do is to allow the
> LDAPTrustedCA and LDAPTrustedCAType directives to be callable from
> within a virtualhost configuration and keep a list of certificates that
> can then be passed to the LDAP libraries during the post_config.  But
> this would really only make sense for OpenLDAP and Novell.  Since
> Netscape requires a CERT7 database file, it wouldn't know how to handle
> multiple files and these directives are NOOPs for Microsoft.  Then it
> might lead the administrator to believe that certain virtual hosts are
> using certain certificates when in fact that wouldn't be the case.  All
> virtual hosts would use all specified certificates.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
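The practical consequence of the discussion above, shown as an added configuration example that is not part of the bug report or of httpd itself: the trusted-CA settings are consumed once by the LDAP SDK when util_ldap runs its post_config, so they belong in the server-wide scope, and a copy placed inside a VirtualHost would not give that host its own trust store. The host name, CA file path and DN are placeholders assumed for illustration; the directive names and the DER_FILE type value are those documented for mod_ldap/mod_auth_ldap in httpd 2.0.

```apache
# Server scope: mod_ldap hands this CA to the LDAP SDK at startup.
# Every virtual host that talks ldaps:// trusts this CA (and any
# others listed here), not a per-host one.
LDAPTrustedCA     /usr/local/apache2/conf/ldap-ca.der   # assumed path
LDAPTrustedCAType DER_FILE

# Note: placing LDAPTrustedCA inside <VirtualHost> is the setup this
# bug asks for; even if it were accepted, the SDK trust list is
# process-global, so it would NOT scope the CA to that host.

<VirtualHost *:443>
    ServerName intranet.example.com          # assumed host name

    <Location /private>
        AuthType Basic
        AuthName "LDAP protected area"
        # ldaps:// makes mod_auth_ldap use the SDK SSL setup above
        AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid
        require valid-user
    </Location>
</VirtualHost>
```

A quick sanity check after starting httpd is to confirm that a host using ldaps:// fails authentication when the only configured CA is one that did not sign the directory's certificate; if it still succeeds, the SDK in use is ignoring the directive (the Microsoft case noted above) and is trusting something else, such as the system certificate store.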

