| Field | Value |
|---|---|
| Summary | LDAPTrustedCA inside VirtualHost |
| Product | Apache httpd-2 |
| Reporter | giuliano carlini <stuff-1-apache> |
| Component | mod_ldap |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | CLOSED FIXED |
| Severity | normal |
| Priority | P3 |
| Version | 2.0.48 |
| Target Milestone | --- |
| Hardware | PC |
| OS | Linux |
Description

giuliano carlini, 2004-01-24 00:50:54 UTC

At the moment, the LDAPTrustedCA directive is only valid in the global context. OpenLDAP supports setting the CA certs per connection, but I am not sure whether the Netware, Microsoft or Netscape SDKs do. This won't be practical until more info can be found on the other SDKs.

Comment from dev@httpd.apache.org, Brad Nicholes wrote:

> This is something that I have been wanting to do for some time but haven't given it much thought until now. I talked to some of our Novell LDAP engineers to get a better perspective on this. According to them, per-session certificates will not work in Novell LDAP and they also believe that it doesn't work for Netscape or Microsoft either. They also had some concerns about OpenLDAP as well and although per-session certificates appear to be supported, they weren't sure how well it actually worked.
>
> Just looking at the code in the util_ldap_post_config() routine and how each of them set up the certificates, I wouldn't expect Netscape, Novell or Microsoft SDKs to support per-session certificates. The Netscape SDK and the Novell SDK use the same function to initialize the SSL libraries, but even though the current util_ldap code for Novell isn't written this way, the Novell SDK allows the user to configure a list of certificates rather than a single certificate by calling ldapssl_add_trusted_cert(). The Netscape SDK probably allows for the same thing through their CERT7 database file which is required. The Microsoft SDK appears to pull its certificate from the registry so I have no idea if it even allows for multiple certificates. All of these methods appear to be global rather than per-session.
>
> My feeling is that about the best we could do is to allow the LDAPTrustedCA and LDAPTrustedCAType directives to be callable from within a virtualhost configuration and keep a list of certificates that can then be passed to the LDAP libraries during the post_config. But this would really only make sense for OpenLDAP and Novell. Since Netscape requires a CERT7 database file, it wouldn't know how to handle multiple files and these directives are NOOPs for Microsoft. Then it might lead the administrator to believe that certain virtual hosts are using certain certificates when in fact that wouldn't be the case. All virtual hosts would use all specified certificates.

Resolved to keep these directives global in scope for now and commit a fix to v2.1.0-dev to throw an error if an attempt is made to place these directives inside virtualhosts. Due to limitations in the LDAP libraries, CA cert settings are server-wide. v2.1.0-dev and v2.0.50 will throw an error if an attempt is made to define these directives inside a virtualhost.