Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@gmail.com> on 2008/12/18 23:57:23 UTC

[ADS & SSL] A sum_up

So the old configuration (kind of) has been restored. One can now either 
use the automatic system (i.e., the certificate is generated by the server 
and stored into the uid=admin,ou=system entry), or use an external keystore.

All this makes me think we should be able to store certificates into the 
server and replace the one we have stored into uid=admin,ou=system.

I'm a bit tired tonight to check this possibility, so please feel free to 
experiment.

The doco has been updated 
(http://cwiki.apache.org/confluence/display/DIRxSRVx11/3.3.+How+to+enable+SSL), 
but as the code modification has been done in 1.5.5, it won't be 
available before at least 2 weeks.

Maybe some additional paragraph on top of this page should give some 
instructions for the current 1.5.4 version... But I'm too lazy tonight to 
add it (all in all, it's just a matter of copy/pasting the paragraph 
about auto-generated certificates down in the page).

I would appreciate if we can structure a thread on the ML about what's 
good and what's wrong with the current (i.e. 1.5.5) SSL/TLS handling, and see 
what we should add into Studio or as a CL tool in order to deliver a 
better service.

Also, as we have built a directory, it would make sense to store more 
than one certificate, and to transform this directory in a shared 
Keystore. I'd like to hear about any suggestion in this area.

As I already stated, I'm not a security specialist, so excuse my 
ignorance... I'm willing to learn, but I don't have a lot of time, and I 
find it more convenient to read the great page Stefan Zörner wrote 
instead of diving in an ocean of documentation and books. And I must say 
this page helped me a *lot* when I jumped to the code this afternoon to 
restore the previous behavior. So feel free to express your needs, with 
all the extra explanation I need to understand them :)

Thanks !

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org