Enrique Rodriguez wrote:
> On 6/7/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
>> Has someone tested SSL on trunks? While looking at the configuration, I
>> saw that there is a new ldapsConfiguration bean in the server.xml file, but
>> I'm afraid that some information may be missing, like the ldapsCertificateFile.
> Both LDAP and LDAPS are supported by the same bean, LdapConfiguration.
> The reason that both LDAP and LDAPS share the same bean is that both
> can use SSL.
If we focus on service, and not on protocol (if we consider SSL is a
protocol), then we should have only one configuration for LDAP.
I have updated the doco here :
http://cwiki.apache.org/confluence/display/DIRxSRVx11/Configuration+Parameters+Reference
with some notes and questions, and I would greatly appreciate if you can
improve what has been started here (I think that Christine started the
page, then completed it with your help).
I'm not done with it yet, but I see this page as the best solution to
exchange ideas.
> The only difference is that with LDAP the SSL filter is
> engaged only with StartTLS while with LDAPS, the SSL filter is engaged
> "full time." Therefore, both protocol variants need the same config
> parameters so I made them use the same bean. In order to engage SSL
> "full time," there is a boolean called 'enableLdaps', which is false
> by default.
I agree with the parameters: they will be shared. The only difference
is how they will be activated. But I guess that if you enable SSL, then
StartTLS is disabled, if I don't get it wrong. It seems to me that
SSL and StartTLS are like a switch, which can be set off and on: when
disabling SSL, then the user can enable StartTLS.
Or it may be a good idea to allow SSL and StartTLS to be active at the
same time. wdyt ?
> I was prompted to do it this way because I have StartTLS working
> locally. We have DIRSERVER-869 assigned to Alex to process grant
> paperwork. If I get an ACK on committing StartTLS, I can do so pretty
> quickly.
> https://issues.apache.org/jira/browse/DIRSERVER-869
We need StartTLS, definitively. Now, I will say I'm a little bit
reluctant to include it in the server until we have a clean place.
Hopefully, we are close. As the configuration has already moved a lot, I
would be tempted to include StartTLS too.
Let's wait a few more days so that we have a clear idea of what the
impact on the doco is, and let's move on with StartTLS.
We need to decide if it is to be included in 1.5.1, but IMO, this will
be the way to go.
I will get back to you by the end of this week, but I expect that other
peeps give their opinion (it's not all about me...)
Thanks,
Emmanuel