Nelson Bolyard wrote:
> Rich Megginson wrote, On 2008-09-26 13:17:
>> Nelson Bolyard wrote:
>
>>> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/directory/java-sdk/ldapjdk/netscape/ldap/factory/JSSSocketFactory.java&rev=1.3&mark=146#129
>
>>> So, based on the above observations, I conclude that this Java LDAP SDK
>>> has no support for SSL client authentication with certificates.
>>>
>>> Rich, do you concur with that conclusion?
>
>> The Cert System team suggests otherwise. They claim to be using
>> ldapjdk/jss with client cert auth. As you probably know, the cert
>> system is now open source.
>> http://pki.fedoraproject.org/wiki/PKI_Main_Page
>>
>> Here is the file that implements ldap client cert auth:
>> https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
>
> Thanks, Rich,
>
> After getting past that self-signed cert :( I found that the cited file
> is actually a REPLACEMENT class for the ldapjdk's JSSSocketFactory class.
> I gather that by replacing this one small class from ldapjdk, the rest of
> ldapjdk is able to do SSL with client auth.
>
> I'll bet others have done something similar, or have modified ldapjdk's
> JSSSocketFactory class for their own purposes.
>
> This leads to a question. If I produced a modification to the ldapjdk's
> JSSSocketFactory class that gave it the missing client auth features,
> who would act as the module owner of that module, and review and approve
> (or disapprove :) the change?
The ldap c sdk maintainers are the de facto ldap java sdk maintainers too. I think between Mark, Anton, Nathan, and myself we could reasonably review the code and commit it. We certainly welcome any patches you could send our way.
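The replacement-class approach discussed in the thread, as an added illustration that is not code from ldapjdk or from the Fedora PKI file cited above: ldapjdk lets a caller supply its own LDAPSocketFactory, so a small factory that returns a JSS SSLSocket with a client certificate nickname set is enough for the rest of the SDK to run over a client-authenticated TLS connection. It assumes JSS/NSS have already been initialised against the NSS database holding the certificate, and the nickname "ldap-client" and host "ldap.example.com" are placeholders.

```java
// Added example (not ldapjdk's or Fedora PKI's code): an LDAPSocketFactory that
// opens a JSS SSLSocket configured to present a client certificate.
// Assumptions: CryptoManager.initialize(...) has already been called on the NSS
// database that contains the certificate, and "ldap-client" is its nickname.
import java.io.IOException;
import java.net.Socket;

import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSocketFactory;

import org.mozilla.jss.ssl.SSLSocket;

public class ClientAuthSocketFactory implements LDAPSocketFactory {
    private final String certNickname;

    public ClientAuthSocketFactory(String certNickname) {
        this.certNickname = certNickname;
    }

    // ldapjdk calls this for every new connection; bind, search and the rest of
    // the SDK then run unchanged on top of the socket returned here.
    public Socket makeSocket(String host, int port) throws LDAPException {
        try {
            SSLSocket s = new SSLSocket(host, port);
            s.setUseClientMode(true);
            // Present this certificate if the server requests client auth.
            s.setClientCertNickname(certNickname);
            // Complete the handshake now so a rejected certificate surfaces
            // as a connect error rather than on the first LDAP operation.
            s.forceHandshake();
            return s;
        } catch (IOException e) {
            throw new LDAPException("SSL connect to " + host + ":" + port
                    + " failed: " + e.getMessage(), LDAPException.CONNECT_ERROR);
        }
    }

    public static void main(String[] args) throws LDAPException {
        // Placeholder host and nickname; the server maps the presented
        // certificate to an identity (for example via SASL EXTERNAL).
        LDAPConnection ld =
            new LDAPConnection(new ClientAuthSocketFactory("ldap-client"));
        ld.connect("ldap.example.com", 636);
        System.out.println("TLS connection with client cert established");
        ld.disconnect();
    }
}
```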
