httpd-dev mailing list archives

From Graham Leggett
Subject Re: LDAP SDK behaviour and mod_ldap
Date Fri, 21 May 2004 20:11:17 GMT
Brad Nicholes wrote:

>   My feeling is that about the best we could do is to allow the
> LDAPTrustedCA and LDAPTrustedCAType directives to be callable from
> within a virtualhost configuration and keep a list of certificates that
> can then be passed to the LDAP libraries during the post_config.  But
> this would really only make sense for OpenLDAP and Novell.  Since
> Netscape requires a CERT7 database file, it wouldn't know how to handle
> multiple files and these directives are NOOPs for Microsoft.  Then it
> might lead the administrator to believe that certain virtual hosts are
> using certain certificates when in fact that wouldn't be the case.  All
> virtual hosts would use all specified certificates.

At the moment if you place LDAPTrustedCA directives inside virtual 
hosts, it silently ignores the options instead of throwing errors, which 
is also bad.

In theory there shouldn't be too much of a need for setting per 
virtualhost client certs, as it's Apache doing the connecting to LDAP, 
not the other way around. (I'm not sure whether saying "this solution is 
good enough for everybody" is the right thing either, just wondering 
what is practical.)
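
A configuration check for the behaviour described in the message above, where LDAPTrustedCA directives placed inside a virtual host are silently ignored. This is an added example, not part of the original message or of httpd; the sample configuration, its paths and host name are constructed, and the rule that these two directives only take effect at server level is taken from the message as written in 2004.

```python
import re

# Directives the message says are silently ignored inside a virtual host
# (assumption taken from the thread, not checked against a given httpd build).
GLOBAL_ONLY = {"ldaptrustedca", "ldaptrustedcatype"}
OPEN_VHOST = re.compile(r"^<\s*VirtualHost\b([^>]*)>", re.IGNORECASE)
CLOSE_VHOST = re.compile(r"^</\s*VirtualHost\s*>", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_misplaced(text):
    """Return (line, vhost_args, directive) for every global-only LDAP
    directive that appears inside a <VirtualHost> block."""
    findings, vhost = [], None
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        m = OPEN_VHOST.match(line)
        if m:
            vhost = m.group(1).strip()
        elif CLOSE_VHOST.match(line):
            vhost = None
        elif vhost is not None and line.split()[0].lower() in GLOBAL_ONLY:
            findings.append((n, vhost, line.split()[0]))
    return findings

# Constructed sample configuration (paths and host name are made up).
SAMPLE = """\
LDAPTrustedCA /etc/ssl/ldap/ca-main.pem
LDAPTrustedCAType BASE64_FILE
<VirtualHost *:443>
    ServerName intranet.example.test
    # LDAPTrustedCA /commented/out.pem
    LDAPTrustedCA /etc/ssl/ldap/ca-intranet.pem
    ldaptrustedcatype BASE64_FILE
</VirtualHost>
"""

if __name__ == "__main__":
    for n, vhost, name in find_misplaced(SAMPLE):
        print(f"line {n}: {name} inside <VirtualHost {vhost}> is ignored")
```

Running a check like this before a reload surfaces the case where an administrator believes a virtual host trusts only its own CA file.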

