httpd-dev mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: LDAPTrustedClientCert?
Date Wed, 15 Nov 2006 21:53:57 GMT
On 10/31/06, Graham Leggett <minfrin@sharp.fm> wrote:
> On Tue, October 31, 2006 1:25 am, Eric Covener wrote:
> Not having looked at the openldap SDK for a while - at what point do we
> call ldap_set_option(...,APR_LDAP_OPT_X_TLS_NEWCTX,...) - is this done
> just before connection? Or is it done when setting the client certificate?

Oops, just occurred to me that my svn diff didn't pick up the
accompanying apr-util changes.  These changes happen right after the
client certificate is set with ldap_set_option():
http://mail-archives.apache.org/mod_mbox/apr-dev/200611.mbox/%3c1404e5910611141121k736e5e8dr2bcf22baa55b8fe9@mail.gmail.com%3e

The patch above is required to get the LDAPTrustedClientCert stuff we
push onto the LDAP* to actually affect the openldap/openssl TLS
environment.

Attached here are patches against trunk for the httpd side.  This
makes LDAPTrustedClientCert really act like a per-directory
configuration setting.

Linking against openldap-HEAD you can do:

LDAPTrustedGlobalCert CA_BASE64 /home/covener/CA.crt
LDAPTrustedGlobalCert CERT_BASE64 /home/covener/cert.pem
LDAPTrustedGlobalCert KEY_BASE64 /home/covener/cert.key
<Location /default>
AuthLDAPURL ...
...
<Location /other>
LDAPTrustedClientCert CERT_BASE64 /home/covener/other.pem
LDAPTrustedClientCert KEY_BASE64 /home/covener/other.key
AuthLDAPURL ...
...

The attached doc patch is a bit fishy -- I didn't see a precedent for
this kind of "teaser". The alternative is to claim global client certs
only for OpenLDAP until openldap 2.4.x is mainstream.

While I didn't yet get a chance to test w/ Mozilla, this can't do
anything but help per-connection nicknames become usable.

(Thanks for keeping an eye on this thread)

-- 
Eric Covener
covener@gmail.com
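For readers following the thread, here is a fuller httpd configuration in the shape the message sketches: one global client certificate for every LDAP connection, overridden per-directory for a second location. This is an added illustration, not a patch or configuration from the poster or the httpd project. The hostnames, DNs and file paths are placeholders; the directives LDAPTrustedMode, LDAPVerifyServerCert, AuthType, AuthBasicProvider and Require are standard httpd 2.2 directives that the message itself does not show, and, as the message states, the per-directory LDAPTrustedClientCert only reaches the OpenLDAP TLS context once the accompanying apr-util change is applied and the build links against an OpenLDAP that supports LDAP_OPT_X_TLS_NEWCTX.

```apache
# Added example configuration (not from the original message).
# Assumes: mod_ldap and mod_authnz_ldap loaded, OpenLDAP 2.4-style
# per-connection TLS contexts, and the apr-util change from the thread.

# Server-wide TLS material: CA used to verify the directory server,
# plus a default client certificate/key presented on every connection.
LDAPTrustedGlobalCert CA_BASE64   /etc/httpd/ldap/ca.crt        # placeholder path
LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/ldap/default.pem   # placeholder path
LDAPTrustedGlobalCert KEY_BASE64  /etc/httpd/ldap/default.key   # placeholder path

# Require TLS and verify the server certificate against the CA above.
LDAPTrustedMode SSL
LDAPVerifyServerCert On

# Uses the global client certificate.
<Location /default>
    AuthType Basic
    AuthName "Default realm"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid"
    Require valid-user
</Location>

# Presents a different client certificate to the directory for this path only.
# Without the apr-util change these two lines are stored on the LDAP* handle
# but never applied to the OpenSSL context used for the connection.
<Location /other>
    LDAPTrustedClientCert CERT_BASE64 /etc/httpd/ldap/other.pem   # placeholder path
    LDAPTrustedClientCert KEY_BASE64  /etc/httpd/ldap/other.key   # placeholder path
    AuthType Basic
    AuthName "Other realm"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.invalid/ou=service,dc=example,dc=invalid?uid"
    Require valid-user
</Location>
```

The private key files should be readable only by the user httpd runs as, and a quick check that the override is actually in effect is to watch which client certificate the directory server logs for a request under /other versus /default: if both show the default certificate, the per-directory setting is being stored but not applied, which is exactly the gap the apr-util change closes.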
