On Tue, October 24, 2006 5:40 am, Eric Covener wrote:

> Is anyone familiar with the state of LDAPTrustedClientCert directive in
> trunk and 2.2.x?
>
> util_ldap.c:254
> Defined as RSRC_CONF, manual text and examples say directory/location
> container
>
> util_ldap.c:1635
> When the directive is used it results in an entry that's added to the
> same array as the LDAPTrustedGlobalCert?
>
> util_ldap.c:271
> Connection-time checks in util_ldap look at an array that isn't filled
> out by the directive
>
> It seems like this directive should be relevant, but maybe not so
> important, to using the openldap SDK (assuming most people will have a
> bundle of CAs they trust, don't connect to many LDAP servers, and
> don't require a client cert)
>
> Is there some SDK where LDAPTrustedClientCert in present form somehow
> works?
Welcome to the world of LDAP SDKs, where each LDAP toolkit went out of its way to ensure that its custom client and CA certificate handling format was as different as humanly possible from each of the other LDAP SDKs.

Both CA and client certificates are set globally server wide using the LDAPTrustedGlobalCert directive. Client certificates can be further set per connection inside a virtual host or directory. These client certificates are set in addition to, and not instead of, the certificates set globally above. This is why the client cert array is added to the global array inside a virtual host and/or directory.

To get this to work, follow the instructions carefully for the LDAP SDK you are using at http://httpd.apache.org/docs/trunk/mod/mod_ldap.html#settingcerts. For example, if you are using OpenLDAP, you need to set your CA certificates using LDAPTrustedGlobalCert, and set your client certificates on a per connection basis inside a directory and/or virtual host container using LDAPTrustedClientCert.

If you remain stuck, increase the debug level on the server to "debug", and read carefully the debug messages that are logged by the LDAP modules. The debug logging is very chatty in an attempt to explain exactly what the module is trying to do, and hopefully why it's failing should it not work.

Regards,
Graham
--
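The layout Graham describes for the OpenLDAP SDK, written out as an added httpd configuration example (this is not from the thread or from the mod_ldap documentation): the CA bundle is trusted server wide with LDAPTrustedGlobalCert, and the client certificate and key are attached per connection inside a Directory container with LDAPTrustedClientCert, so they are added to, not substituted for, the global CA list. The file paths, the ldaps:// URL and the DN are placeholders; the certificate type keywords (CA_BASE64, CERT_BASE64, KEY_BASE64) and the LogLevel, AuthLDAPURL and Require directives are real httpd directives.

```apache
# Server-wide: the CA bundle used to verify every LDAP server certificate.
# Set once, outside any container (RSRC_CONF). Path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/ldap/ca-bundle.pem

# Turn on verbose mod_ldap / mod_authnz_ldap logging while debugging
# certificate problems; drop back to "warn" once the connection works.
LogLevel debug

<VirtualHost *:443>
    ServerName intranet.example.internal

    <Directory "/var/www/protected">
        # Per-connection client certificate and key (OpenLDAP SDK style).
        # These are appended to the global certificate list for connections
        # made from this container; the global CA bundle still applies.
        LDAPTrustedClientCert CERT_BASE64 /etc/httpd/ldap/client-cert.pem
        LDAPTrustedClientCert KEY_BASE64  /etc/httpd/ldap/client-key.pem

        # Placeholder directory server and search base; ldaps:// forces TLS
        # so the CA bundle above is actually exercised.
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub"
        Require valid-user
    </Directory>
</VirtualHost>
```

With LogLevel debug, the error log shows which certificate entries mod_ldap hands to the SDK when the connection is opened, which is the quickest way to confirm that the per-directory client certificate was picked up alongside the global CA bundle rather than silently ignored.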
