http://issues.apache.org/bugzilla/show_bug.cgi?id=26390

LDAPTrustedCA inside VirtualHost

------- Additional Comments From [EMAIL PROTECTED] 2004-05-21 20:07 -------

Comment from [email protected]:

Brad Nicholes wrote:

> This is something that I have been wanting to do for some time but
> haven't given it much thought until now. I talked to some of our Novell
> LDAP engineers to get a better perspective on this. According to them,
> per-session certificates will not work in Novell LDAP and they also
> believe that it doesn't work for Netscape or Microsoft either. They
> also had some concerns about OpenLDAP as well and, although per-session
> certificates appear to be supported, they weren't sure how well it
> actually worked.
>
> Just looking at the code in the util_ldap_post_config() routine and
> how each of them set up the certificates, I wouldn't expect the Netscape,
> Novell or Microsoft SDKs to support per-session certificates. The
> Netscape SDK and the Novell SDK use the same function to initialize the
> SSL libraries, but even though the current util_ldap code for Novell
> isn't written this way, the Novell SDK allows the user to configure a
> list of certificates rather than a single certificate by calling
> ldapssl_add_trusted_cert(). The Netscape SDK probably allows for the
> same thing through their CERT7 database file, which is required. The
> Microsoft SDK appears to pull its certificate from the registry, so I
> have no idea if it even allows for multiple certificates. All of these
> methods appear to be global rather than per-session.
>
> My feeling is that about the best we could do is to allow the
> LDAPTrustedCA and LDAPTrustedCAType directives to be callable from
> within a VirtualHost configuration and keep a list of certificates that
> can then be passed to the LDAP libraries during the post_config. But
> this would really only make sense for OpenLDAP and Novell. Since
> Netscape requires a CERT7 database file, it wouldn't know how to handle
> multiple files, and these directives are NOOPs for Microsoft. Then it
> might lead the administrator to believe that certain virtual hosts are
> using certain certificates when in fact that wouldn't be the case. All
> virtual hosts would use all specified certificates.
