httpd-users mailing list archives
From Dennis Lundberg <dennis.lundb...@mdh.se>
Subject Re: [users@httpd] Re: Problems with mod_auth_ldap and tls/ldaps
Date Fri, 10 Oct 2003 06:40:54 GMT
Hi Ken

I am assuming you mean OpenLDAP and not OpenSSL in your reply below.

If I recall correctly you can only use TLS when you build mod_auth_ldap 
with OpenLDAP, not SSL. When using TLS I don't think that it is possible 
to use ldaps: URLs, but you can try to use ldap://yourserver.com:636/ 
instead. The issue of TLS also applies to your LDAP server. Does it 
support TLS? We use Novell and it doesn't support TLS.

Ken Bell wrote:
> Hi Dennis
> 
> Thanks for replying
> 
> I'm very familiar with the certificate CA issue, and have a CA certificate
> installed. The location is specified with the LDAPTrustedCA and
> LDAPTrustedCAType directives in mod_ldap.
> 
> I've built with OpenSSL, so should need a BASE64_FILE instead of the
> CERT7_DB_PATH needed by the NetScape SDK. By turning up the logging, I find
> that I'm going to my LDAP server with ldaps, but the ldap server and the
> Apache never strike up a complete conversation. Since the traffic is
> encrypted, I can't tell what is going on, but the streams are too short to
> exchange certs.
> 
> What happened to the AuthLDAPStartTLS directive that I find in some older
> Apache 2.0 documentation? This used to be how to use TLS with Rudedog's
> module in Apache 1.3. This was much more efficient, because it did not do
> cert checking. It was originally in the mod_ldap for Apache 2.0. Has this
> been abandoned?
> 
> Ken
> 
> 
> Date: Thu, 09 Oct 2003 08:35:10 +0200
> To: users@httpd.apache.org
> From: Dennis Lundberg <dennis.lundberg@mdh.se>
> Subject: Re: [users@httpd] Problems with mod_auth_ldap and tls/ldaps
> Message-ID: <3F85019E.6060408@mdh.se>
> 
> Hi there
> 
> It is possible to do this. We have done this in a test environment on
> Solaris a while back. Now we are in the process of putting into
> production use. However we have run into trouble on the compile part.
> See my post from 2003-10-03 19:28.
> 
> When we succeeded we used Netscape SDK 4.1. If I recall correctly you
> needed to create a certificate-file of sorts. You can do this by
> connecting to your LDAPS server with Netscape Navigator 4.x, on any
> client. Use a URL of ldaps://yourserver.com/. Then you copy the cert7.db
> file from that client to the server. I can't remember off hand exactly
> where to put it.
> 
> I'll get back when we have our server up and running.
> 
> 

-- 
Dennis Lundberg, Utvecklingsledare, IT-avdelningen
e-post: dennis.lundberg@mdh.se
http://www.mdh.se/personal/VisaPerson?fornamn=Dennis&efternamn=Lundberg
tel: +46-(0)21-101516, fax: +46-(0)21-101636
Mälardalens högskola, Box 883, SE-72123 Västerås, SWEDEN


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
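The configuration this thread is circling around, written out as an added example (it is not from Dennis's or Ken's mail and not the Apache project's own documentation): the Apache 2.0 mod_ldap trust-anchor directives Ken names (LDAPTrustedCA and LDAPTrustedCAType with BASE64_FILE for an OpenLDAP build), and an AuthLDAPURL that points at port 636 with a plain ldap:// scheme as Dennis's reply suggests. The CA file path, host name, base DN, filter and Location are placeholders.

```apache
# Added example, not from the thread. Apache 2.0 httpd.conf fragment for
# mod_ldap + mod_auth_ldap built against OpenLDAP.

# Server-wide (mod_ldap): the CA certificate used to verify the LDAP
# server's certificate. With an OpenLDAP build the CA is a PEM file
# (BASE64_FILE); CERT7_DB_PATH is only for the Netscape SDK build.
LDAPTrustedCA /etc/httpd/conf/ssl/ldap-ca.pem   # placeholder path
LDAPTrustedCAType BASE64_FILE

<Location /secure>                             # placeholder location
    AuthType Basic
    AuthName "LDAP protected area"
    AuthLDAPEnabled on
    # Plain ldap:// scheme on port 636 rather than ldaps://, as suggested
    # in the reply. Host, base DN and filter are placeholders.
    AuthLDAPURL ldap://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)
    require valid-user
</Location>
```

A URL on port 636 does not by itself prove that TLS is negotiated; confirm it on the LDAP server side (its connection log, or a packet capture showing a TLS handshake rather than cleartext LDAP) before relying on the bind being encrypted, and keep the CA file readable only by the user httpd runs as.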

