httpd-dev mailing list archives

From "Graham Leggett" <>
Subject Re: LDAPTrustedClientCert?
Date Tue, 24 Oct 2006 09:18:57 GMT
On Tue, October 24, 2006 5:40 am, Eric Covener wrote:

> Is anyone familiar wth the state of LDAPTrustedClientCert directive in
> trunk and 2.2.x?
> util_ldap.c:254
> Defined as RSRC_CONF, manual text and examples says directory/location
> container
> util_ldap.c:1635
> When the directive is used it results in an entry that's added to the
> same array as the LDAPTrustedGlobalCert?
> util_ldap.c:271
> Connection-time checks in util_ldap look at an array that isn't filled
> out by the directive
> It seems like this is directive should be relevant, but maybe not so
> important, to using the openldap SDK (assuming most people will have a
> bundle of CAs they trust, don't connect to many LDAP servers, and
> don't require a client cert)
> Is there some SDK where LDAPTrustedClientCert in present form somehow
> works?

Welcome to the world of LDAP SDKs, where each LDAP toolkit went out of
its way to ensure that its custom client and CA certificate handling
format was as different as humanly possible from each of the other LDAP

Both CA and client certificates are set globally server wide using the
LDAPTrustedGlobalCert directive.

Client certificates can be further set per connection inside a virtual
host or directory. These client certificates are set in addition to, and
not instead of the certificates set globally above. This is why the client
cert array is added to the global array inside a virtual host and/or

To get this to work, follow the instructions carefully for the LDAP SDK
you are using at

For example, if you are using OpenLDAP, you need to set your CA
certificates using LDAPTrustedGlobalCert, and set your client certificates
on a per-connection basis inside a directory and/or virtual host container
using LDAPTrustedClientCert.

If you remain stuck, increase the debug level on the server to "debug",
and read carefully the debug messages that are logged by the LDAP modules.
The debug logging is very chatty in an attempt to explain exactly what the
module is trying to do, and hopefully why it's failing should it not work.
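The layout Graham describes for the OpenLDAP SDK, written out as an added httpd configuration example (not from the original message or the httpd project): the CA bundle goes in LDAPTrustedGlobalCert at server scope, the client certificate and key go in LDAPTrustedClientCert inside the container that talks to the directory, and the log level is raised so mod_ldap reports what it is doing. The hostnames, file paths, base DN and URL are assumptions for illustration; the certificate type keywords (CA_BASE64, CERT_BASE64, KEY_BASE64) are the ones mod_ldap documents for the OpenLDAP SDK.

```apache
# Added example, not the author's or the project's configuration.
# Paths, hostnames and DNs below are assumed for illustration.

# Use LDAP over SSL and verify the directory server's certificate
# against the CA set loaded below.
LDAPTrustedMode SSL
LDAPVerifyServerCert On

# CA certificates are server-wide: this is the only place mod_ldap
# picks up CAs for the OpenLDAP SDK. Base64 (PEM) bundle assumed.
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ldap/ca-bundle.pem

<VirtualHost *:443>
    ServerName www.example.com

    <Location /secure>
        # Client certificate and key for connections made from this
        # container. These are added to, not substituted for, the
        # global set above.
        LDAPTrustedClientCert CERT_BASE64 /etc/apache2/ldap/httpd-client.pem
        LDAPTrustedClientCert KEY_BASE64  /etc/apache2/ldap/httpd-client.key

        AuthType Basic
        AuthName "LDAP protected area"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
        Require valid-user
    </Location>
</VirtualHost>

# Raise the log level while debugging the LDAP connection; mod_ldap
# logs each step of certificate loading and connection setup.
LogLevel debug
```

Putting LDAPTrustedClientCert at server scope instead of inside the Location or VirtualHost block is the mismatch Eric's question is about: the directive's intended scope is the container, so keep the client certificate lines there and leave only the CA entries global. Once it works, drop LogLevel back to warn; the debug output includes the bind DNs and URLs mod_ldap uses.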

