Posted to users@directory.apache.org by Nick Duan <nd...@dtechspace.com> on 2012/11/22 19:31:33 UTC

Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

Could someone share some info/hints on how to setup ApacheDS 2.0 with 1 way
and 2 way SSL (LDAPS)?  I was able to enable and run LDAPS in 1 way SSL with
the server using ApacheStudio by enabling the default LDAPS settings on
ApacheDS and using the server self-generated certs, but unable to configure
the server using external certificates.   It seems there is a lack of doc on
this topic.   I am particularly interested in finding answers to the
following problems:

 

1.       I found the two LDAPS related attributes, ads-certificatePassword
and ads-keystoreFile, under the node ou=config, ou=service,
ou=ads-serviceid=ldapServer, but couldn't find any attribute that specifies
the keystore password.   Would a keystore password be required in this case?

2.       How to specify the truststore file path and password, cert id,
etc., if configuring LDAPS using 2 way SSL (i.e. using a client cert for
authentication)?

3.       Where is the default self-signed certificate file/keystore
generated by ApacheDS?

 

Any help and suggestions are highly appreciated.

 

ND


Re: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 11/26/12 5:28 AM, Nick Duan wrote:
> Thanks a lot for all your responses.   I am sorry to hear that client
> authentication using X.509 cert isn't implemented in Apache DS.   Is there
> any plan to implement this in future releases?  
Yes, definitely.
>  Could someone perhaps point
> out which class/package in ApacheDS is responsible for handling the SSL
> connection?
This is not that simple...

SSL is handled in two places in the server:
1) In MINA (the network layer) when you use LDAPS
2) In the apacheds/protocol-ldap module, in the StartTlsHandler class
when you use StartTLS instead of LDAPS.

The whole handshake is done by MINA.

Currently we only use the NoVerificationTrustManager class, so it
accepts all the incoming clients.

We certainly want to improve this area. I have created a JIRA for that FYI.



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


RE: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

Posted by Nick Duan <nd...@dtechspace.com>.
Thanks a lot for all your responses.   I am sorry to hear that client
authentication using X.509 cert isn't implemented in Apache DS.   Is there
any plan to implement this in future releases?   Could someone perhaps point
out which class/package in ApacheDS is responsible for handling the SSL
connection?

Thanks!

ND

-----Original Message-----
From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On Behalf Of
Kiran Ayyagari
Sent: Sunday, November 25, 2012 12:37 PM
To: users@directory.apache.org
Subject: Re: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

On Fri, Nov 23, 2012 at 12:01 AM, Nick Duan <nd...@dtechspace.com> wrote:

> Could someone share some info/hints on how to setup ApacheDS 2.0 with 1
> way and 2 way SSL (LDAPS)?  I was able to enable and run LDAPS in 1 way
> SSL with the server using ApacheStudio by enabling the default LDAPS
> settings on ApacheDS and using the server self-generated certs, but unable
> to configure the server using external certificates.   It seems there is a
> lack of doc on this topic.   I am particularly interested in finding
> answers to the following problems:
>
>
>
> 1.       I found the two LDAPS related attributes, ads-certificatePassword
> and ads-keystoreFile, under the node ou=config, ou=service,
> ou=ads-serviceid=ldapServer, but couldn't find any attribute that
> specifies the keystore password.   Would a keystore password be required
> in this case?
>
yes, it appears that ads-certificatePassword is used as keystore password
(looks like a bad config name)

> 2.       How to specify the truststore file path and password, cert id,
> etc., if configuring LDAPS using 2 way SSL (i.e. using a client cert for
> authentication)?
>
currently 2 way SSL is not supported (server accepts all client
certificates), can you raise a feature request in JIRA?
But prior to that it would help us if you can provide more details about the
use case.

> 3.       Where is the default self-signed certificate file/keystore
> generated by ApacheDS?
>
in the entry uid=admin,ou=system

>
> Any help and suggestions are highly appreciated.
>
>
>
> ND
>
>


--
Kiran Ayyagari
http://keydap.com


Re: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Nov 23, 2012 at 12:01 AM, Nick Duan <nd...@dtechspace.com> wrote:

> Could someone share some info/hints on how to setup ApacheDS 2.0 with 1 way
> and 2 way SSL (LDAPS)?  I was able to enable and run LDAPS in 1 way SSL with
> the server using ApacheStudio by enabling the default LDAPS settings on
> ApacheDS and using the server self-generated certs, but unable to configure
> the server using external certificates.   It seems there is a lack of doc on
> this topic.   I am particularly interested in finding answers to the
> following problems:
>
>
>
> 1.       I found the two LDAPS related attributes, ads-certificatePassword
> and ads-keystoreFile, under the node ou=config, ou=service,
> ou=ads-serviceid=ldapServer, but couldn't find any attribute that specifies
> the keystore password.   Would a keystore password be required in this case?
>
yes, it appears that ads-certificatePassword is used as keystore password
(looks like a bad config name)

> 2.       How to specify the truststore file path and password, cert id,
> etc., if configuring LDAPS using 2 way SSL (i.e. using a client cert for
> authentication)?
>
currently 2 way SSL is not supported (server accepts all client
certificates), can you raise a feature request in JIRA?
But prior to that it would help us if you can provide more details about
the use case.

> 3.       Where is the default self-signed certificate file/keystore
> generated by ApacheDS?
>
in the entry uid=admin,ou=system

>
> Any help and suggestions are highly appreciated.
>
>
>
> ND
>
>


-- 
Kiran Ayyagari
http://keydap.com
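Two points in this thread fit together in code: Kiran's reply above (the keystore is unlocked with the value of ads-certificatePassword, which is really the keystore password) and Emmanuel's reply earlier in the thread (the server currently installs a NoVerificationTrustManager, so any client certificate is accepted). The class below is an added example written for this page, not ApacheDS code and not the way ApacheDS wires its own MINA filter; it puts the accept-everything trust manager next to a truststore-backed one, builds a server SSLContext from an external keystore, and installs it in a MINA SslFilter with client authentication required. The keystore/truststore paths, the "changeit" passwords, the class and method names and the filter name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.mina.filter.ssl.SslFilter;

/** Added example (not ApacheDS code): weak vs. verified client trust for an LDAPS listener. */
public final class LdapsClientAuthExample {

    /** Behaves like the accept-all trust manager the thread describes: every chain passes. */
    static TrustManager[] acceptAllClients() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {
                // no-op: expired, self-signed or unrelated certificates are all accepted
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // no-op (server side never calls this)
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        } };
    }

    /** Loads a JKS/PKCS12 keystore from disk (path and password are caller assumptions). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Server SSLContext: identity from the server keystore, client trust either from a
     * truststore holding the CA(s) that issue client certificates, or (weak) accept-all.
     */
    static SSLContext serverContext(String keystorePath, char[] keystorePassword,
                                    String truststorePath, char[] truststorePassword,
                                    boolean verifyClients) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Per Kiran's reply, ApacheDS takes this value from ads-certificatePassword;
        // here one password unlocks both the keystore and the key entry (assumption).
        kmf.init(loadKeyStore(keystorePath, keystorePassword), keystorePassword);

        TrustManager[] trust;
        if (verifyClients) {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(truststorePath, truststorePassword));
            trust = tmf.getTrustManagers();   // chain must end in a CA from the truststore
        } else {
            trust = acceptAllClients();       // the weak setting the thread talks about
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trust, null);
        return ctx;
    }

    /**
     * MINA filter for the LDAPS acceptor chain. With needClientAuth the handshake fails
     * when the client presents no certificate or one the TrustManager rejects; with the
     * accept-all TrustManager it only proves the client holds some key, not which CA issued it.
     */
    static SslFilter ldapsFilter(SSLContext ctx, boolean requireClientCert) {
        SslFilter filter = new SslFilter(ctx);
        filter.setUseClientMode(false);
        filter.setNeedClientAuth(requireClientCert);
        return filter;
    }

    public static void main(String[] args) throws Exception {
        // Paths and passwords are assumptions for the example.
        SSLContext ctx = serverContext("/etc/apacheds/server.jks", "changeit".toCharArray(),
                                       "/etc/apacheds/client-ca.jks", "changeit".toCharArray(),
                                       true);
        SslFilter filter = ldapsFilter(ctx, true);
        // acceptor.getFilterChain().addFirst("sslFilter", filter);  // on the port 10636 acceptor
        System.out.println("client auth required: " + filter.isNeedClientAuth());
    }
}
```

The combination to avoid is the bottom-right corner of this table: needClientAuth true with the accept-all TrustManager looks like mutual TLS in the config but authenticates nobody. From the outside, `openssl s_client -connect host:10636` shows the server certificate and, when the server asks for client authentication against a CA set, lists those CAs under "Acceptable client certificate CA names".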

Re: Configure LDAPS with 1x and 2x SSL on ApacheDS 2.0 M8

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 11/22/12 7:31 PM, Nick Duan wrote:
> Could someone share some info/hints on how to setup ApacheDS 2.0 with 1 way
> and 2 way SSL (LDAPS)?  I was able to enable and run LDAPS in 1 way SSL with
> the server using ApacheStudio by enabling the default LDAPS settings on
> ApacheDS and using the server self-generated certs, but unable to configure
> the server using external certificates.   It seems there is a lack of doc on
> this topic.  
true.
>  I am particularly interested in finding answers to the
> following problems:
>
>  
>
> 1.       I found the two LDAPS related attributes, ads-certificatePassword
> and ads-keystoreFile, under the node ou=config, ou=service,
> ou=ads-serviceid=ldapServer, but couldn't find any attribute that specifies
> the keystore password.   Would a keystore password be required in this case?
no. Storing the external keystore password in the server would be a
security breach, IMO.
>
> 2.       How to specify the truststore file path and password, cert id,
> etc., if configuring LDAPS using 2 way SSL (i.e. using a client cert for
> authentication)?
not sure I understand...
>
> 3.       Where is the default self-signed certificate file/keystore
> generated by ApacheDS?
it's stored in the uid=admin, ou=system entry.

Note that we have to improve this area. Any feedback is welcome !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
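Both maintainers answer question 3 the same way: the self-signed certificate ApacheDS generates is kept in the uid=admin,ou=system entry, not in a keystore file. The class below is an added example written for this page, not ApacheDS code; it reads that certificate over LDAP with JNDI and prints the fields a practitioner wants before deciding whether an LDAPS listener is still running on the generated certificate. It assumes the server on ldap://localhost:10389, the default admin password "secret", and that the certificate is stored in the userCertificate attribute of that entry; the class and method names are also assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (not ApacheDS code): inspect the certificate stored on uid=admin,ou=system. */
public final class DefaultCertExample {

    /** Binds as the admin and reads userCertificate from the admin entry (attribute name is an assumption). */
    static X509Certificate fetchAdminCertificate(String url, String adminPassword) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);

        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes("uid=admin,ou=system", new String[] { "userCertificate" });
            Attribute certAttr = attrs.get("userCertificate");
            if (certAttr == null) {
                throw new IllegalStateException("no userCertificate on uid=admin,ou=system");
            }
            byte[] der = (byte[]) certAttr.get();   // JNDI hands userCertificate back as DER bytes
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
        } finally {
            ctx.close();
        }
    }

    /** Colon-separated SHA-256 fingerprint, the same form openssl x509 -fingerprint -sha256 prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** True when subject and issuer match, i.e. the certificate signed itself. */
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // URL and password are assumptions (ApacheDS defaults).
        X509Certificate cert = fetchAdminCertificate("ldap://localhost:10389", "secret");
        System.out.println("subject     : " + cert.getSubjectX500Principal());
        System.out.println("issuer      : " + cert.getIssuerX500Principal());
        System.out.println("not after   : " + cert.getNotAfter());
        System.out.println("self-signed : " + isSelfSigned(cert));
        System.out.println("sha256      : " + sha256Fingerprint(cert));
    }
}
```

Compare the printed fingerprint with the one a client sees on the LDAPS port (for example from `openssl s_client -connect host:10636`): if they match and the certificate is self-signed, the listener is still using the generated certificate rather than the external one you configured. The bind here goes over plain LDAP with the admin credentials, so run it locally or over the LDAPS port once that is trusted.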