From: "Brad Nicholes" <BNICHOLES@novell.com>
To: dev@httpd.apache.org
Date: Fri, 21 May 2004 12:39:39 -0600
Subject: Re: LDAP SDK behaviour and mod_ldap

This is something that I have been wanting to do for some time but haven't given it much thought until now. I talked to some of our Novell LDAP engineers to get a better perspective on this.
According to them, per-session certificates will not work in Novell LDAP and they also believe that it doesn't work for Netscape or Microsoft either. They also had some concerns about OpenLDAP as well and although per-session certificates appear to be supported, they weren't sure how well it actually worked. Just looking at the code in the util_ldap_post_config() routine and how each of them set up the certificates, I wouldn't expect the Netscape, Novell or Microsoft SDKs to support per-session certificates. The Netscape SDK and the Novell SDK use the same function to initialize the SSL libraries, but even though the current util_ldap code for Novell isn't written this way, the Novell SDK allows the user to configure a list of certificates rather than a single certificate by calling ldapssl_add_trusted_cert(). The Netscape SDK probably allows for the same thing through their CERT7 database file which is required. The Microsoft SDK appears to pull its certificate from the registry so I have no idea if it even allows for multiple certificates. All of these methods appear to be global rather than per-session.

My feeling is that about the best we could do is to allow the LDAPTrustedCA and LDAPTrustedCAType directives to be callable from within a virtualhost configuration and keep a list of certificates that can then be passed to the LDAP libraries during the post_config. But this would really only make sense for OpenLDAP and Novell. Since Netscape requires a CERT7 database file, it wouldn't know how to handle multiple files and these directives are NOOPs for Microsoft. Then it might lead the administrator to believe that certain virtual hosts are using certain certificates when in fact that wouldn't be the case. All virtual hosts would use all specified certificates.
Brad

Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com

>>> minfrin@sharp.fm Thursday, May 20, 2004 7:35:48 PM >>>
Hi all,

There is a request outstanding for the ability to specify the trusted CA for TLS on a per virtualhost basis. With openldap, the TLS setting can be set per connection with the ldap_set_option() function. I don't have info for the ways that the Netscape, Netware or Microsoft SDKs work - can anyone confirm whether the CA can be set on a per connection basis?

Regards,
Graham
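The point Brad makes at the end of his reply, that a per-virtualhost LDAPTrustedCA directive backed by a process-global trust store would make every virtual host trust every listed CA, is easy to see in a small model. The following C program is an added illustration for this thread; it is not mod_ldap code and it does not call any LDAP SDK. It models the two behaviours under discussion: a global, additive trust store of the kind ldapssl_add_trusted_cert() feeds (one list for the whole process, filled once at post_config), against a store scoped to a single connection of the kind ldap_set_option() on an OpenLDAP handle would give. The struct and function names, the vhost names and the CA file names are all assumptions constructed for the model.

```c
/* Added illustration for the thread above; this is not mod_ldap or any
 * LDAP SDK code.  It models the two trust-store behaviours being
 * discussed: a process-global store that post_config fills once
 * (ldapssl_add_trusted_cert()-style, cumulative across calls) versus a
 * store that belongs to one connection (ldap_set_option()-style).
 * All structure and function names are assumptions made for the model. */
#include <stdio.h>
#include <string.h>

#define MAX_CAS    8
#define MAX_VHOSTS 4

enum trust_scope {
    TRUST_GLOBAL,         /* one anchor list for the whole process */
    TRUST_PER_CONNECTION  /* each connection carries its own anchor list */
};

/* What an administrator wrote inside one <VirtualHost>: the CA files
 * that vhost's LDAP server is supposed to be checked against. */
struct vhost_conf {
    const char *name;
    const char *cas[MAX_CAS];
    int n_cas;
};

/* The single process-wide anchor list a global-store SDK would hold. */
static const char *global_store[MAX_CAS * MAX_VHOSTS];
static int global_n;

/* post_config: with a global store every vhost's list is merged into one
 * process-wide list; with per-connection scope nothing is merged. */
static void post_config(const struct vhost_conf *vh, int n_vhosts,
                        enum trust_scope scope)
{
    global_n = 0;
    if (scope != TRUST_GLOBAL)
        return;
    for (int i = 0; i < n_vhosts; i++)
        for (int j = 0; j < vh[i].n_cas; j++)
            global_store[global_n++] = vh[i].cas[j];
}

/* Would a server certificate issued by `issuer` be accepted on an LDAP
 * connection made on behalf of vhost `vh`? */
static int trusted_by(const struct vhost_conf *vh, const char *issuer,
                      enum trust_scope scope)
{
    const char *const *anchors;
    int n;

    if (scope == TRUST_GLOBAL) {
        anchors = global_store;   /* the vhost is ignored: one list for all */
        n = global_n;
    } else {
        anchors = vh->cas;        /* only what this vhost configured */
        n = vh->n_cas;
    }
    for (int i = 0; i < n; i++)
        if (strcmp(anchors[i], issuer) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: two vhosts, each configured with a different CA.
 * Returns 1 if the "intranet" vhost would accept a certificate issued by
 * the CA that only the "partner" vhost listed. */
int cross_vhost_trust(enum trust_scope scope)
{
    struct vhost_conf vh[2] = {
        { "intranet", { "corp-ca.pem" },    1 },
        { "partner",  { "partner-ca.pem" }, 1 },
    };
    post_config(vh, 2, scope);
    return trusted_by(&vh[0], "partner-ca.pem", scope);
}

int main(void)
{
    printf("global store:   intranet trusts partner-ca.pem? %d\n",
           cross_vhost_trust(TRUST_GLOBAL));
    printf("per-connection: intranet trusts partner-ca.pem? %d\n",
           cross_vhost_trust(TRUST_PER_CONNECTION));
    return 0;
}
```

With the global store the "intranet" vhost accepts a server certificate chaining to partner-ca.pem even though its own configuration never mentioned that CA, which is the administrator-facing surprise Brad describes. With per-connection scope the same check fails, so the directive would mean what it appears to mean only on an SDK that actually supports per-connection trust anchors.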