From: "Brad Nicholes"
Date: Sat, 18 Mar 2006 10:24:37 -0700
Subject: Re: svn commit: r386776 - in /httpd/httpd/trunk/docs/manual/mod: mod_ldap.html.en mod_ldap.xml

>>> Graham Leggett 3/18/2006 3:58:42 am >>>
trawick@apache.org wrote:
> URL: http://svn.apache.org/viewcvs?rev=386776&view=rev
> Log:
> LDAPConnectionTimeout and LDAPVerifyServerCert can be configured
> per-vhost
>
>We need to note in addition to this that not all LDAP SDK libraries
>support the concept of separately configurable "verify server cert"
>behaviour.
>
>In other words, even though you specify LDAPVerifyServerCert in LDAP
>connections from vhost A, you end up overriding this when you specify it
>in vhost B.
>
>This affects people using the Novell SDK.
>
>I think putting a note in the directive pointing people to
>http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#settingcerts will
>save some questions on mailing lists.
>
>Regards,
>Graham
>--

Now that you mention it, allowing LDAPVerifyServerCert and
LDAPConnectionTimeout to be overwritten in a vhost is still wrong.
According to the code, none of the SDKs support setting verify server
cert on a per-connection basis, therefore GLOBAL_ONLY needs to be put
back on this directive and vhost merging needs to be modified to reflect
that. The connection time out appears to be supported per-connection for
the OpenLDAP SDK but the Novell LDAP SDK only supports it on a global
basis. I would suggest that we make LDAPConnectionTimeout GLOBAL_ONLY
also since having the ability to set the timeout on a vhost basis has
little value anyway.

Brad
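
Added example, not part of the thread and not httpd code: a configuration check that flags LDAPVerifyServerCert and LDAPConnectionTimeout inside a <VirtualHost> section, where the thread says the setting ends up applying beyond that vhost. The function names, the sample configuration and its hostnames are constructed for illustration, and the parser assumes a single flat file with no Include directives or line continuations.

```python
import re

# Directives the thread describes as applied SDK-wide rather than per connection.
GLOBAL_EFFECT = {"ldapverifyservercert", "ldapconnectiontimeout"}
OPEN = re.compile(r"<\s*(\w+)([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")

# Constructed sample configuration (hostnames are placeholders).
SAMPLE = """\
# server config
LDAPVerifyServerCert On
<VirtualHost a.example.test:443>
    LDAPVerifyServerCert On
</VirtualHost>
<VirtualHost b.example.test:443>
    LDAPVerifyServerCert Off
    LDAPConnectionTimeout 5
</VirtualHost>
"""

def find_vhost_scoped(config_text):
    """Return (line_no, vhost, directive, value) for flagged directives in a vhost."""
    findings, stack = [], []  # stack: open sections, innermost last
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
            continue
        name, value = (line.split(None, 1) + [""])[:2]
        vhosts = [arg for section, arg in stack if section == "virtualhost"]
        if name.lower() in GLOBAL_EFFECT and vhosts:
            findings.append((line_no, vhosts[-1], name, value.strip()))
    return findings

def conflicting(findings):
    """Names of flagged directives that are given different values across vhosts."""
    seen = {}
    for _, _, name, value in findings:
        seen.setdefault(name.lower(), set()).add(value.lower())
    return sorted(name for name, values in seen.items() if len(values) > 1)

if __name__ == "__main__":
    for finding in find_vhost_scoped(SAMPLE):
        print("vhost-scoped, but effectively global per the thread:", finding)
```

A conflict reported for LDAPVerifyServerCert is the case described above for vhost A and vhost B: one vhost's Off can undo the certificate check another vhost asked for.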