Support configurable certificate settings in LDAP SSL/TLS connections #82
I like the idea of this patch; in a similar vein, I have received requests about how to configure SSL/TLS certs for e.g. mod_sql talking to the SQL database via SSL/TLS (see Bug#4200). So now I'm wondering whether these sorts of settings can be reused and/or configured in mod_tls, and used by other modules such as mod_ldap, mod_sql, etc. What would you think of that idea?
I'm not sure it would be correct, because usually those certificates are different. Of course there are cases when someone uses one certificate+key for everything on 200 boxes, but I wouldn't trust such a "secure" network :-) And at least client certificates for LDAP and SQL database should not be the same.
Agreed about using different certificates for SQL databases vs LDAP directories. For the recent 1.3.6rc2 release, I ended up enhancing the existing
Given the way that TLS stacks are moving away from CRLs and more towards OCSP, I'm thinking that the CRL-related tweaks may not be needed. At least not initially. Thoughts?
What root certificates does mod_ldap check against? I'm having trouble using LDAPS against Active Directory using a server certificate generated from our enterprise CA. I would have assumed it would check the local list of root certs. I'm on CentOS 7. I've added our trusted root certificate to the certificate store and proved it's in the ca-bundle.crt list following these directions. I can confirm connectivity to my AD server using the openssl client, but mod_ldap fails to connect. Thanks.
@silverl Assuming your
We can close this out. I figured it out. I believe I was having trouble due to specifying ldaps:// URLs and also having LDAPUseTLS on. I think the documentation could be made much more explicit in warning users NOT to enable LDAPUseTLS if you want to use ldaps:// URLs. The openldap libraries will throw an error or warning when TLS is already engaged and startTLS is attempted. I think this was causing the problem.
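The ldaps:// versus LDAPUseTLS conflict described in the comment above, written out as a mod_ldap configuration fragment. This is an added example, not part of the issue or of ProFTPD's own documentation; the host name, ports and the `<IfModule>` wrapper are assumed placeholders.

```apache
<IfModule mod_ldap.c>
  # Option A: implicit TLS ("LDAPS"). The TLS handshake starts as soon as the
  # TCP connection to port 636 is open, so StartTLS must NOT also be requested.
  LDAPServer ldaps://ad.example.internal:636
  LDAPUseTLS off

  # Option B: StartTLS. Connect in the clear on port 389, then upgrade the
  # session with the StartTLS extended operation before any bind is sent.
  # LDAPServer ldap://ad.example.internal:389
  # LDAPUseTLS on

  # Broken combination (the one the comment above ran into): the session is
  # already encrypted because of the ldaps:// URL, and asking for StartTLS on
  # top of it makes the OpenLDAP client library error or warn, so mod_ldap
  # fails to connect.
  # LDAPServer ldaps://ad.example.internal:636
  # LDAPUseTLS on
</IfModule>
```

Whichever option is used, the CA that issued the directory server's certificate must be present in the CA bundle the OpenLDAP library reads (the ca-bundle.crt mentioned above on CentOS 7), or the handshake fails before any bind is attempted.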
… the `LDAPServer` directive, as opposed to the ldap.conf(5) file.
Issue #82: Implement support for configuring SSL-related settings via…
Now supported in
Here's a long-awaited patch that I found years ago and adapted for 1.3.3-1.3.5 (afaik).
Might require some additional work/close review, but it works for me as expected with 1.3.5 on Linux x86_64.