httpd-dev mailing list archives

From "Eric Covener" <>
Subject Re: LDAPTrustedClientCert?
Date Tue, 24 Oct 2006 12:22:17 GMT
On 10/24/06, Graham Leggett <> wrote:
> On Tue, October 24, 2006 5:40 am, Eric Covener wrote:
> > util_ldap.c:254
> > Defined as RSRC_CONF, manual text and examples says directory/location
> > container

> Both CA and client certificates are set globally server wide using the
> LDAPTrustedGlobalCert directive.
> Client certificates can be further set per connection inside a virtual
> host or directory.

> These client certificates are set in addition to, and
> not instead of the certificates set globally above. This is why the client
> cert array is added to the global array inside a virtual host and/or
> directory.

Unless I'm confused LDAPTrustedClientCert isn't accepted in a
directory context, despite the manual entry.

When you add it to a vhost, it appears that it will be added (only)
to the global_certs array in the per-vhost module config -- but the
global_certs that are actually used are the ones in the base server

I verified with some simple trace in util_ldap that this is the case
-- the only time adding the ClientCerts to the global_certs array
works out is when they're in the base server config (which makes them
effectively indistinguishable from LDAPTrustedGlobalCert, except we're
pickier about what types of things we will allow to be added)

There doesn't appear to be any opportunity for the
LDAPTrustedClientCert to do anything outside of the base server
config.  When we come back in on a per-connection basis we don't have
the client_certs stashed away anywhere, and we don't check

Eric Covener
