Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 74343 invoked from network); 26 Oct 2006 05:59:20 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 26 Oct 2006 05:59:20 -0000 Received: (qmail 10174 invoked by uid 500); 24 Oct 2006 09:19:31 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 10103 invoked by uid 500); 24 Oct 2006 09:19:31 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 10092 invoked by uid 99); 24 Oct 2006 09:19:31 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 Oct 2006 02:19:31 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of minfrin@sharp.fm designates 64.49.220.200 as permitted sender) Received: from [64.49.220.200] (HELO chandler.sharp.fm) (64.49.220.200) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 Oct 2006 02:19:18 -0700 Received: from chandler.sharp.fm (localhost [127.0.0.1]) by chandler.sharp.fm (Postfix) with ESMTP id C8AF5E5C91 for ; Tue, 24 Oct 2006 04:18:57 -0500 (CDT) Received: from www.sharp.fm (unknown [209.61.173.189]) by chandler.sharp.fm (Postfix) with ESMTP id AB95FE52F3; Tue, 24 Oct 2006 04:18:57 -0500 (CDT) Received: from 196.8.104.27 (SquirrelMail authenticated user minfrin@sharp.fm) by www.sharp.fm with HTTP; Tue, 24 Oct 2006 11:18:57 +0200 (SAST) Message-ID: <45666.196.8.104.27.1161681537.squirrel@www.sharp.fm> In-Reply-To: <1404e5910610232040q6dd4137aj408ac48cc59bb9ba@mail.gmail.com> References: <1404e5910610232040q6dd4137aj408ac48cc59bb9ba@mail.gmail.com> Date: Tue, 24 Oct 2006 11:18:57 +0200 (SAST) Subject: Re: LDAPTrustedClientCert? From: "Graham Leggett" To: dev@httpd.apache.org Cc: dev@httpd.apache.org User-Agent: SquirrelMail/1.4.8-2.el4 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: ClamAV using ClamSMTP X-Virus-Checked: Checked by ClamAV on apache.org On Tue, October 24, 2006 5:40 am, Eric Covener wrote: > Is anyone familiar wth the state of LDAPTrustedClientCert directive in > trunk and 2.2.x? > > util_ldap.c:254 > Defined as RSRC_CONF, manual text and examples says directory/location > container > > util_ldap.c:1635 > When the directive is used it results in an entry that's added to the > same array as the LDAPTrustedGlobalCert? > > util_ldap.c:271 > Connection-time checks in util_ldap look at an array that isn't filled > out by the directive > > It seems like this is directive should be relevant, but maybe not so > important, to using the openldap SDK (assuming most people will have a > bundle of CAs they trust, don't connect to many LDAP servers, and > don't require a client cert) > > Is there some SDK where LDAPTrustedClientCert in present form somehow > works? Welcome to the world of LDAP SDKs, where each LDAP toolkit went out of it's way to ensure that it's custom client and CA certificate handling format was as different as humanly possible from each of the other LDAP SDKs. Both CA and client certificates are set globally server wide using the LDAPTrustedGlobalCert directive. Client certificates can be further set per connection inside a virtual host or directory. These client certificates are set in addition to, and not instead of the certificates set globally above. This is why the client cert array is added to the global array inside a virtual host and/or directory. To get this to work, follow the instructions carefully for the LDAP SDK you are using at http://httpd.apache.org/docs/trunk/mod/mod_ldap.html#settingcerts. For example, if you are using OpenLDAP, you need to set you CA certificates using LDAPTrustedGlobalCert, and set your client certificates on a per connection basis inside a directory and/or virtual host container using LDAPTrustedClientCert. If you remain stuck, increase the debug level on the server to "debug", and read carefully the debug messages that are logged by the LDAP modules. The debug logging is very chatty in an attempt to explain exactly what the module is trying to do, and hopefully why it's failing should it not work. Regards, Graham --