httpd-users mailing list archives

From Ken Bell <kb...@houston.sl.slb.com>
Subject [users@httpd] Re: Problems with mod_auth_ldap and tls/ldaps
Date Thu, 09 Oct 2003 13:18:13 GMT
Hi Dennis

Thanks for replying

I'm very familiar with the certificate CA issue, and have a CA certificate
installed. The location is specified with the LDAPTrustedCA and
LDAPTrustedCAType directives in mod_ldap.

I've built with OpenSSL, so should need a BASE64_FILE instead of the
CERT7_DB_PATH needed by the Netscape SDK. By turning up the logging, I find
that I'm going to my LDAP server with ldaps, but the ldap server and the
Apache never strike up a complete conversation. Since the traffic is
encrypted, I can't tell what is going on, but the streams are too short to
exchange certs.

What happened to the AuthLDAPStartTLS directive that I find in some older
Apache 2.0 documentation? This used to be how to use TLS with Rudedog's
module in Apache 1.3. This was much more efficient, because it did not do
cert checking. It was originally in the mod_ldap for Apache 2.0. Has this
been abandoned?

Ken


Date: Thu, 09 Oct 2003 08:35:10 +0200
To: users@httpd.apache.org
From: Dennis Lundberg <dennis.lundberg@mdh.se>
Subject: Re: [users@httpd] Problems with mod_auth_ldap and tls/ldaps
Message-ID: <3F85019E.6060408@mdh.se>

Hi there

It is possible to do this. We have done this in a test environment on
Solaris a while back. Now we are in the process of putting it into
production use. However we have run into trouble on the compile part.
See my post from 2003-10-03 19:28.

When we succeeded we used Netscape SDK 4.1. If I recall correctly you
needed to create a certificate-file of sorts. You can do this by
connecting to your LDAPS server with Netscape Navigator 4.x, on any
client. Use a URL of ldaps://yourserver.com/ Then you copy the cert7.db
file from that client to the server. I can't remember offhand exactly
where to put it.

I'll get back when we have our server up and running.

