httpd-dev mailing list archives

From "Brad Nicholes" <bnicho...@novell.com>
Subject Re: svn commit: r386776 - in /httpd/httpd/trunk/docs/manual/mod: mod_ldap.html.en mod_ldap.xml
Date Sat, 18 Mar 2006 17:24:37 GMT


>>> Graham Leggett <minfrin@sharp.fm> 3/18/2006 3:58:42 am >>>
trawick@apache.org wrote:

> URL: http://svn.apache.org/viewcvs?rev=386776&view=rev 
> Log:
> LDAPConnectionTimeout and LDAPVerifyServerCert can be configured
> per-vhost
>
>We need to note in addition to this that not all LDAP SDK libraries 
>support the concept of separately configurable "verify server cert" 
>behaviour.
>
>In other words, even though you specify LDAPVerifyServerCert in LDAP 
>connections from vhost A, you end up overriding this when you specify it 
>in vhost B.
>
>This affects people using the Novell SDK.
>
>I think putting a note in the directive pointing people to 
>http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#settingcerts will 
>save some questions on mailing lists.
>
>Regards,
>Graham
>--

Now that you mention it, allowing LDAPVerifyServerCert and LDAPConnectionTimeout to be overwritten
in a vhost is still wrong.  According to the code, none of the SDKs support setting verify
server cert on a per-connection basis, therefore GLOBAL_ONLY needs to be put back on this
directive and vhost merging needs to be modified to reflect that.  The connection time out appears
to be supported per-connection for the OpenLDAP SDK but the Novell LDAP SDK only supports
it on a global basis.  I would suggest that we make LDAPConnectionTimeout GLOBAL_ONLY also
since having the ability to set the timeout on a vhost basis has little value anyway.

Brad
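
The behaviour discussed in this thread can be checked for in an existing configuration. The following is an added example, not code from the thread or from httpd: a small linter that reports `LDAPVerifyServerCert` and `LDAPConnectionTimeout` directives placed inside `<VirtualHost>` sections and flags conflicting values. It assumes a single flat config file (no `Include`, no line continuations); the sample configuration and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Directives the thread says the LDAP SDKs apply process-wide, keyed by lowercase name.
GLOBAL_ONLY = {d.lower(): d for d in ("LDAPVerifyServerCert", "LDAPConnectionTimeout")}
VHOST_OPEN = re.compile(r"<\s*VirtualHost\s+([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"</\s*VirtualHost\s*>", re.I)

# Constructed sample configuration (addresses are documentation-range placeholders).
SAMPLE_CONFIG = """\
LDAPVerifyServerCert On
<VirtualHost 192.0.2.10:443>
    ServerName a.example
    LDAPConnectionTimeout 5
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName b.example
    LDAPVerifyServerCert Off
</VirtualHost>
"""


def find_vhost_overrides(config_text):
    """Return (findings, conflicts) for the global-only LDAP directives.

    findings:  (line_no, scope, directive, value) for each use inside a vhost.
    conflicts: {directive: distinct values} when more than one value is set
               anywhere, so only one of them can take effect process-wide.
    """
    scope, findings, values = "global", [], defaultdict(set)
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            scope = "vhost " + opened.group(1).strip()
        elif VHOST_CLOSE.match(line):
            scope = "global"
        else:
            name, *rest = line.split(None, 1)
            directive = GLOBAL_ONLY.get(name.lower())
            if directive:
                value = (rest[0] if rest else "").strip().lower()
                values[directive].add(value)
                if scope != "global":
                    findings.append((line_no, scope, directive, value))
    conflicts = {d: sorted(v) for d, v in values.items() if len(v) > 1}
    return findings, conflicts
```

On the sample, the `LDAPVerifyServerCert Off` in the second vhost is reported as conflicting with the global `On`, which is the case where certificate verification for one vhost is changed by a setting written for another.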

