httpd-dev mailing list archives

From "Eric Covener" <>
Subject Re: LDAPTrustedClientCert?
Date Mon, 30 Oct 2006 20:33:09 GMT
On 10/24/06, Graham Leggett <> wrote:
> For example, if you are using OpenLDAP, you need to set your CA
> certificates using LDAPTrustedGlobalCert, and set your client certificates
> on a per connection basis inside a directory and/or virtual host container
> using LDAPTrustedClientCert.

Some research shows only alpha releases of openldap even pretend to
allow the CERTFILE/KEYFILE on a per-connection (i.e. LDAP*) basis --
the latest "stable" and "released" levels (2.3.28, 2.3.27)
ldap_pvt_tls_set_option will explicitly bail out of the
CERTFILE/KEYFILE options if the LDAP* parameter is set (unset=global).
This manifests as a bad rc from ldap_set_option().

util_ldap doesn't hit this condition because it never calls anything
on a per-connection basis, despite documentation.
1) util_ldap ignores LDAPTrustedClientCert if it's in a vhost (loses
track of it)
2) util_ldap treats LDAPTrustedClientCert as LDAPTrustedGlobalCert if
it's in the base server (consequence of how it's stashed away and
3) util_ldap doesn't accept LDAPTrustedClientCert in a directory container

Using a small test program and the alpha openldap (2.4.3), setting a
global CA and per-connection client cert/key got a little farther, but
openldap ended up sending out a client-certificate handshake message
with 0-length client cert (as compared to doing the same
initialization globally and seeing the proper client cert go out over
the wire).

Almost seems like openldap per-connection settings for SSL are a dead
end at this time, unless I'm getting extremely unlucky.

Eric Covener
