Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2008/12/18 23:57:23 UTC
[ADS & SSL] A sum_up
So the old configuration (kind of) has been restored. One can now either
use the automatic system (i.e., the certificate is generated by the server
and stored into the uid=admin,ou=system entry), or use an external keystore.
All this makes me think we should be able to store certificates into the
server and replace the one we have stored into uid=admin,ou=system.
I'm a bit too tired tonight to check this possibility, so please feel free to
experiment.
The doco has been updated
(http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL),
but as the code modification has been done in 1.5.5, it won't be
available before at least 2 weeks.
Maybe some additional paragraph on top of this page should give some
instructions for the current 1.5.4 version... But I'm too lazy tonight to
add it (all in all, it's just a matter of copy/pasting the paragraph
about auto-generated certificate down in the page).
I would appreciate it if we can structure a thread on the ML about what's
good, what's wrong with the current (i.e. 1.5.5) SSL/TLS handling and see
what we should add into Studio or as a CL tool in order to deliver a
better service.
Also, as we have built a directory, it would make sense to store more
than one certificate, and to transform this directory into a shared
keystore. I'd like to hear about any suggestions in this area.
As I already stated, I'm not a security specialist, so excuse my
ignorance... I'm willing to learn, but I don't have a lot of time, and I
find it more convenient to read the great page Stefan Zörner wrote
instead of diving in an ocean of documentation and books. And I must say
this page helped me a *lot* when I jumped to the code this afternoon to
restore the previous behavior. So feel free to express your needs, with
all the extra explanation I need to understand them :)
Thanks!
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org