Posted to api@directory.apache.org by Michael Moorman <mi...@gmail.com> on 2013/11/15 19:59:12 UTC

X509 Certificate based authentication w/ssl

Hello all,

This is my first time posting to this list. I'd like to say thank you and
great job to the developers and testers responsible for creating the
directory API.

I would like to know if X509 certificate based authentication with SSL is
possible to achieve with the latest version of the directory API. In other
systems, this is known as a "Strong" bind, or "Certificate Based Client
Authentication". In this mode, the server requests that the client send a
certificate to identify itself.  Here is a (very old) example from the
Netscape Java 4.0 SDK:
http://docs.oracle.com/cd/E19957-01/816-6402-10/ssl.htm#2847694

I have spent the last week going through the available documentation and
have been trying to experiment with various BindRequest and
ConnectionConfig options. The SSL connection is working, but I have not
been able to make any headway in certificate authentication between the
client and server.


If it is indeed possible to make a bind of this type, would someone mind
sharing an example? I would greatly appreciate it.

Thanks,

Mike M

Re: X509 Certificate based authentication w/ssl

Posted by Michael Moorman <mi...@gmail.com>.
Thanks Kiran! I'll check back again soon. I'd be happy to test it and
provide feedback when the time comes.

Mike M


On Sat, Nov 16, 2013 at 9:30 AM, Kiran Ayyagari <ka...@apache.org> wrote:

> On Sat, Nov 16, 2013 at 3:24 PM, Michael Moorman <
> michael.e.moorman@gmail.com> wrote:
>
> > I looked into it and it seems that someone has already requested this
> > feature in 2011: https://issues.apache.org/jira/browse/DIRSTUDIO-743
> >
> ah great, I vaguely remembered that this existed, but I only searched in
> the DIRSERVER space
>
> > Is there any interest in enhancing the API to support client certificate
> > authentication? It seems like the server project will eventually
> implement
> > it.  I'd wager that there are many others like me out there who use the
> > directory API to connect to non-Apache Directory LDAP servers - not by
> > choice, mind you :-)
> >
> I was about to add this support last year while working on replication but
> was skipped due to other work
>
> Please ping me again if I don't complete this before end of December ;)
>
> > Thanks for the quick response,
> >
> > Mike M
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Re: X509 Certificate based authentication w/ssl

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, Nov 16, 2013 at 3:24 PM, Michael Moorman <
michael.e.moorman@gmail.com> wrote:

> I looked into it and it seems that someone has already requested this
> feature in 2011: https://issues.apache.org/jira/browse/DIRSTUDIO-743
>

ah great, I vaguely remembered that this existed, but I only searched in
the DIRSERVER space

> Is there any interest in enhancing the API to support client certificate
> authentication? It seems like the server project will eventually implement
> it.  I'd wager that there are many others like me out there who use the
> directory API to connect to non-Apache Directory LDAP servers - not by
> choice, mind you :-)
>

I was about to add this support last year while working on replication but
was skipped due to other work

Please ping me again if I don't complete this before end of December ;)

> Thanks for the quick response,
>
> Mike M
>



-- 
Kiran Ayyagari
http://keydap.com

Re: X509 Certificate based authentication w/ssl

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, Nov 16, 2013 at 4:51 PM, Daniel Fisher <df...@vt.edu> wrote:

> On Sat, Nov 16, 2013 at 9:24 AM, Michael Moorman <
> michael.e.moorman@gmail.com> wrote:
>
> > I looked into it and it seems that someone has already requested this
> > feature in 2011: https://issues.apache.org/jira/browse/DIRSTUDIO-743
> >
> > Is there any interest in enhancing the API to support client certificate
> > authentication? It seems like the server project will eventually
> implement
> > it.  I'd wager that there are many others like me out there who use the
> > directory API to connect to non-Apache Directory LDAP servers - not by
> > choice, mind you :-)
> >
>
> If you're talking about TLS client authentication, the API supports this:
>
> http://directory.apache.org/api/gen-docs/latest/apidocs/org/apache/directory/ldap/client/api/LdapConnectionConfig.html#setKeyManagers(javax.net.ssl.KeyManager[])
>

this only validates the server, but the server needs a way to verify the
client's certificate, which is not supported right now

> If you're referring to SASL external binds, there is an open issue for
> this:
> https://issues.apache.org/jira/browse/DIRAPI-105
>
> --Daniel Fisher
>



-- 
Kiran Ayyagari
http://keydap.com

Re: X509 Certificate based authentication w/ssl

Posted by Daniel Fisher <df...@vt.edu>.
On Sat, Nov 16, 2013 at 9:24 AM, Michael Moorman <
michael.e.moorman@gmail.com> wrote:

> I looked into it and it seems that someone has already requested this
> feature in 2011: https://issues.apache.org/jira/browse/DIRSTUDIO-743
>
> Is there any interest in enhancing the API to support client certificate
> authentication? It seems like the server project will eventually implement
> it.  I'd wager that there are many others like me out there who use the
> directory API to connect to non-Apache Directory LDAP servers - not by
> choice, mind you :-)
>

If you're talking about TLS client authentication, the API supports this:
http://directory.apache.org/api/gen-docs/latest/apidocs/org/apache/directory/ldap/client/api/LdapConnectionConfig.html#setKeyManagers(javax.net.ssl.KeyManager[])

If you're referring to SASL external binds, there is an open issue for this:
https://issues.apache.org/jira/browse/DIRAPI-105

--Daniel Fisher
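As an added example (my own code, not from this thread or from the Apache Directory project), here is how the setKeyManagers hook Daniel points to fits into an LDAPS connection, together with the server-side trust check that the question does not mention. The key managers supply the client certificate and private key that the API presents when the server sends a CertificateRequest during the TLS handshake; the trust managers decide whether the server's certificate is accepted (the API also ships a NoVerificationTrustManager, which accepts anything, so check what your version uses when nothing is set). Because the API has no SASL EXTERNAL bind yet (DIRAPI-105), the authorization identity still comes from an ordinary simple bind after the handshake. The host name, port, keystore file names, passwords and bind DN below are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Opens an LDAPS connection that presents a client certificate during the TLS
 * handshake, verifies the server against a local trust store, then performs a
 * simple bind. Host, port, file names, passwords and the bind DN are assumed.
 */
public class ClientCertLdapsExample {

    /** Load the client's certificate and private key from a PKCS#12 file. */
    static KeyManager[] clientKeyManagers(String p12Path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        return kmf.getKeyManagers();
    }

    /** Load the CA certificate(s) the LDAP server's certificate must chain to. */
    static TrustManager[] serverTrustManagers(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost("ldap.example.com");   // assumed server name
        config.setLdapPort(636);                  // LDAPS port
        config.setUseSsl(true);

        // Client side of the handshake: with these key managers the API sends our
        // certificate when the server asks for one (CertificateRequest).
        config.setKeyManagers(clientKeyManagers("client.p12", "client-p12-password".toCharArray()));

        // Server side of the handshake: verify the server's chain against our own
        // trust store rather than accepting any certificate it presents.
        config.setTrustManagers(serverTrustManagers("truststore.jks", "truststore-password".toCharArray()));

        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            // connect() runs the TLS handshake; a server that requires a client
            // certificate and rejects ours fails here, before any LDAP operation.
            connection.connect();

            // The handshake proved possession of the client key to the server, but
            // the LDAP layer still needs a bind to establish an authorization
            // identity. SASL EXTERNAL would derive it from the certificate; until
            // the API supports that, an ordinary simple bind is used here.
            connection.bind("uid=mike,ou=people,dc=example,dc=com", "bind-password");

            if (!connection.isAuthenticated()) {
                throw new IllegalStateException("bind did not authenticate");
            }
            System.out.println("TLS handshake with client certificate succeeded and bind completed");
        } finally {
            connection.close();
        }
    }
}
```

The PKCS#12 file can be produced from an existing key pair with `openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12`, and the trust store with `keytool -importcert -alias ldap-ca -file ca.crt -keystore truststore.jks`. The default key manager picks the single key entry on its own; if the keystore holds several, wrap it in an X509KeyManager that chooses the alias you want. Whether the server actually requests and verifies the client certificate is a server configuration matter, which is the gap Kiran describes for ApacheDS.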

Re: X509 Certificate based authentication w/ssl

Posted by Michael Moorman <mi...@gmail.com>.
I looked into it and it seems that someone has already requested this
feature in 2011: https://issues.apache.org/jira/browse/DIRSTUDIO-743

Is there any interest in enhancing the API to support client certificate
authentication? It seems like the server project will eventually implement
it.  I'd wager that there are many others like me out there who use the
directory API to connect to non-Apache Directory LDAP servers - not by
choice, mind you :-)

Thanks for the quick response,

Mike M

Re: X509 Certificate based authentication w/ssl

Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, Nov 16, 2013 at 12:29 AM, Michael Moorman <
michael.e.moorman@gmail.com> wrote:

> Hello all,
>
> This is my first time posting to this list. I'd like to say thank you and
> great job to the developers and testers responsible for creating the
> directory API.
>
> I would like to know if X509 certificate based authentication with SSL is
> possible to achieve with the latest version of the directory API. In other
> systems, this is known as a "Strong" bind, or "Certificate Based Client
> Authentication". In this mode, the server requests that the client send a
> certificate to identify itself.  Here is a (very old) example from the
> Netscape Java 4.0 SDK:
> http://docs.oracle.com/cd/E19957-01/816-6402-10/ssl.htm#2847694
>
> I have spent the last week going through the available documentation and
> have been trying to experiment with various BindRequest and
> ConnectionConfig options. The SSL connection is working, but I have not
> been able to make any headway in certificate authentication between the
> client and server.
>
>
> If it is indeed possible to make a bind of this type, would someone mind
> sharing an example? I would greatly appreciate it.
>

this is very much possible, the only case is that it is not exposed in the
server.
Can you file a feature request in JIRA?
https://issues.apache.org/jira/browse/DIRSERVER

> Thanks,
>
> Mike M
>



-- 
Kiran Ayyagari
http://keydap.com
