Posted to dev@directory.apache.org by "Steve (JIRA)" <ji...@apache.org> on 2008/04/24 17:55:22 UTC
[jira] Created: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
SSL Cert Compatibility issue with LDAPS for Outlook Clients
-----------------------------------------------------------
Key: DIRSERVER-1164
URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
Project: Directory ApacheDS
Issue Type: Improvement
Components: ldap
Affects Versions: 1.5.2
Reporter: Steve
Any Outlook version will simply refuse the LDAPS service on a default ApacheDS installation. The SSL certificate has to match the hostname exactly - if it is empty or you do not connect using the DNS name, Outlook will simply refuse the connection even if the cert itself is trusted.

The standard ApacheDS 1.5.2 distribution should work out of the box with Outlook clients for LDAPS - the only catch is the SSL certificate which is automatically generated by ApacheDS: it is neither trusted by Outlook, nor does it contain a valid common name (the DNS name of the server), it seems.

The first issue can of course not be resolved by the auto key generation when you start up the server - but maybe the DNS address of the certificate can be. Even then, there needs to be a way to easily extract the generated public key so that you can manually trust it on Windows clients.

This issue only applies to Outlook clients - Thunderbird/LDAPBrowser and co. will ask the user if they want to connect to untrusted sites.

Alternatively, there should be an option for admins to simply change the SSL key to a valid/trusted one - in 1.5.2 the only way I found so far for modifying the SSL key is programmatically, this way:
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.cert.Certificate;
    import java.util.List;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttributes;
    // package names as of the ApacheDS 1.5.x internal API
    import org.apache.directory.server.core.DirectoryService;
    import org.apache.directory.server.core.entry.ServerEntryUtils;
    import org.apache.directory.server.core.interceptor.context.EntryOperationContext;
    import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
    import org.apache.directory.server.core.partition.PartitionNexus;
    import org.apache.directory.server.core.security.TlsKeyGenerator;
    import org.apache.directory.shared.ldap.entry.Modification;
    import org.apache.directory.shared.ldap.entry.ModificationOperation;

    // Replace the key pair and certificate ApacheDS keeps on the admin entry
    // with the ones stored under `alias` in a PKCS#12 file (p12Path/p12Password).
    void replaceTlsKey(DirectoryService directoryService, String p12Path,
            char[] p12Password, String alias) throws Exception {
        EntryOperationContext adminEntry = new EntryOperationContext(
                directoryService.getRegistries(), PartitionNexus.getAdminName());
        if (!directoryService.getPartitionNexus().hasEntry(adminEntry)) {
            return;
        }
        // load the key store, then the private key and certificate for the alias
        KeyStore store = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(p12Path);
        try {
            store.load(in, p12Password);
        } finally {
            in.close();
        }
        PrivateKey privateKey = (PrivateKey) store.getKey(alias, p12Password);
        Certificate cert = store.getCertificate(alias);
        PublicKey publicKey = cert.getPublicKey();

        // the same attributes TlsKeyGenerator writes when it generates the key pair
        Attributes entry = new BasicAttributes();
        entry.put(TlsKeyGenerator.KEY_ALGORITHM_AT, privateKey.getAlgorithm());
        entry.put(TlsKeyGenerator.PRIVATE_KEY_AT, privateKey.getEncoded());
        entry.put(TlsKeyGenerator.PRIVATE_KEY_FORMAT_AT, privateKey.getFormat());
        entry.put(TlsKeyGenerator.PUBLIC_KEY_AT, publicKey.getEncoded());
        entry.put(TlsKeyGenerator.PUBLIC_KEY_FORMAT_AT, publicKey.getFormat());
        entry.put(TlsKeyGenerator.USER_CERTIFICATE_AT, cert.getEncoded());

        // REPLACE the existing values on the admin entry
        List<Modification> items = ModifyOperationContext.createModItems(
                ServerEntryUtils.toServerEntry(entry, PartitionNexus.getAdminName(),
                        directoryService.getRegistries()),
                ModificationOperation.REPLACE_ATTRIBUTE);
        directoryService.getPartitionNexus().modify(new ModifyOperationContext(
                directoryService.getRegistries(), PartitionNexus.getAdminName(), items));
    }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
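An added example, not from the report above and not ApacheDS code, of the name check the reporter describes: a strict client such as Outlook accepts a server certificate only when the name it connected to appears in the certificate, so a certificate with no subjectAltName and a commonName that is empty or is not the server's DNS name is rejected even after it is trusted, and connecting by IP address fails unless the certificate carries a matching iPAddress entry. The code matches a certificate against a host name using the dict shape Python's ssl.SSLSocket.getpeercert() returns. The sample certificates, host names and addresses (ldap.example.com, 192.0.2.10) are constructed; the fetch helper that pulls the live certificate as PEM for import into a client trust store uses the network and is not exercised by the samples.

```python
from __future__ import annotations

import ipaddress
import socket
import ssl


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name with the host name:
    case-insensitive, trailing dot ignored, a single '*' allowed only as the
    entire leftmost label, and the wildcard never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `cert` (getpeercert() dict shape) is valid for `hostname`.
    Returns (matched, reason).  Rules, in order:
      - a client that connected by IP address only accepts an iPAddress SAN;
      - if the certificate carries any dNSName SAN, only those are consulted;
      - otherwise the subject commonName is used, and it must be non-empty."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if ip is not None:
        for value in ip_names:
            if ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value}"
        return False, "connected by IP address, no matching iPAddress SAN"
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, f"dNSName SAN {name}"
        return False, f"no dNSName SAN matches {hostname!r} (have {dns_names})"
    common_names = [value for rdn in cert.get("subject", ())
                    for kind, value in rdn if kind == "commonName"]
    if not common_names or not common_names[0]:
        return False, "no subjectAltName and empty or missing commonName"
    if _dns_match(common_names[0], hostname):
        return True, f"commonName {common_names[0]} (no SAN present)"
    return False, f"commonName {common_names[0]!r} does not match {hostname!r}"


def fetch_server_cert_pem(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Pull the server's leaf certificate over a TLS handshake without verifying
    it and return it as PEM, ready for import into a client trust store.  Uses
    the network, so it is not exercised by the constructed samples below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed samples in getpeercert() shape.  The first two model what the
# report describes for the auto-generated certificate: no SAN, and a subject
# whose commonName is either not the server's DNS name or empty.
AUTOGEN_LIKE_CERT = {"subject": ((("commonName", "ApacheDS"),),)}
EMPTY_CN_CERT = {"subject": ((("commonName", ""),),)}
# A replacement certificate issued for the LDAPS host (constructed names/IP).
GOOD_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def run_samples() -> list:
    """Evaluate the samples the way a strict client would; returns a list of
    (hostname connected to, matched, reason)."""
    cases = [
        (AUTOGEN_LIKE_CERT, "ldap.example.com"),
        (EMPTY_CN_CERT, "ldap.example.com"),
        (GOOD_CERT, "ldap.example.com"),
        (GOOD_CERT, "LDAP.EXAMPLE.COM."),
        (GOOD_CERT, "ldap.corp.example.com"),
        (GOOD_CERT, "192.0.2.10"),
        (GOOD_CERT, "192.0.2.11"),
    ]
    return [(host, *hostname_matches(cert, host)) for cert, host in cases]


if __name__ == "__main__":
    for host, ok, why in run_samples():
        print(f"{'accept' if ok else 'reject':6} {host:24} {why}")
```

The reason strings are what a practitioner wants from a failing LDAPS setup: they separate "not trusted" from "trusted but wrong name", which are the two distinct problems the report lists. Note that getpeercert() without binary_form only returns a populated dict when the chain verified, so the name check as written is applied after the certificate has been trusted, which is exactly the order in which Outlook's two checks fail here.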
[jira] Assigned: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kiran Ayyagari reassigned DIRSERVER-1164:
-----------------------------------------
Assignee: Kiran Ayyagari (was: Alex Karasulu)
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Kiran Ayyagari
> Fix For: 2.0.0-RC1
[jira] Commented: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12905450#action_12905450 ]
Kiran Ayyagari commented on DIRSERVER-1164:
-------------------------------------------
Have applied a fix here http://svn.apache.org/viewvc?rev=991852&view=rev
Can somebody (who has Outlook) test it to see if this fixes the issue?
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Kiran Ayyagari
> Fix For: 2.0.0-RC1
[jira] Updated: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1164:
-----------------------------------------
Fix Version/s: 1.5.4
Should be easy to fix.
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Fix For: 1.5.4
[jira] Assigned: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu reassigned DIRSERVER-1164:
----------------------------------------
Assignee: Alex Karasulu
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Alex Karasulu
> Fix For: 1.5.4
[jira] Updated: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu updated DIRSERVER-1164:
-------------------------------------
Fix Version/s: 1.5.6 (was: 1.5.4)
This requires a CLI tool command to change the DN of the certificate and just replace it. So I will delay this until we have time to add this feature.
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Alex Karasulu
> Fix For: 1.5.6
[jira] Updated: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1164:
-----------------------------------------
Fix Version/s: 2.0.0-RC1 (was: 1.5.6)
Moved to 2.0.0-RC1, we won't release a 1.5.6
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Alex Karasulu
> Fix For: 2.0.0-RC1
[jira] Commented: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12626272#action_12626272 ]
Alex Karasulu commented on DIRSERVER-1164:
------------------------------------------
Status?
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Fix For: 1.5.4
[jira] Closed: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kiran Ayyagari closed DIRSERVER-1164.
-------------------------------------
Resolution: Fixed
Closing this issue, reopen if needed.
> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
> Key: DIRSERVER-1164
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: ldap
> Affects Versions: 1.5.2
> Reporter: Steve
> Assignee: Kiran Ayyagari
> Fix For: 2.0.0-RC1