On 10/24/06, Graham Leggett <[EMAIL PROTECTED]> wrote:
> On Tue, October 24, 2006 5:40 am, Eric Covener wrote:
> > util_ldap.c:254
> > Defined as RSRC_CONF, manual text and examples say directory/location
> > container
>
> Both CA and client certificates are set globally server wide using the LDAPTrustedGlobalCert directive. Client certificates can be further set per connection inside a virtual host or directory.
>
> These client certificates are set in addition to, and not instead of, the certificates set globally above. This is why the client cert array is added to the global array inside a virtual host and/or directory.
Unless I'm confused, LDAPTrustedClientCert isn't accepted in a directory context, despite the manual entry.

When you add it to a vhost, it appears that it will be added (only) to the global_certs array in the per-vhost module config -- but the global_certs that are actually used are the ones in the base server config.

I verified with some simple trace in util_ldap that this is the case -- the only time adding the ClientCerts to the global_certs array works out is when they're in the base server config (which makes them effectively indistinguishable from LDAPTrustedGlobalCert, except we're pickier about what types of things we will allow to be added).

There doesn't appear to be any opportunity for the LDAPTrustedClientCert to do anything outside of the base server config. When we come back in on a per-connection basis we don't have the client_certs stashed away anywhere, and we don't check global_certs.

-- 
Eric Covener
[EMAIL PROTECTED]
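The directive layout the thread is arguing about, written out as an added illustration (it is not configuration from either message or from the httpd project; the hostname, paths and the /secure location are placeholders). It shows the server-wide CA and client certificate that Eric's trace found to take effect, next to the per-vhost placement the manual describes, which Eric reports is stored only in the vhost's copy of the array and never consulted on connect.

```apache
# Added illustration of LDAPTrustedGlobalCert / LDAPTrustedClientCert scoping
# as discussed in this thread. Not taken from the thread or from httpd itself;
# all paths, the ServerName and the AuthLDAPURL are placeholders.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Base server config (server-wide): the CA used to verify the LDAP server,
# set with LDAPTrustedGlobalCert as Graham describes.
LDAPTrustedGlobalCert CA_DER /etc/httpd/ldap/ca.der

# A client certificate set here, in the base server config, is the one
# placement Eric's util_ldap trace shows being used on connect.
LDAPTrustedClientCert CERT_DER /etc/httpd/ldap/client-cert.der
LDAPTrustedClientCert KEY_DER  /etc/httpd/ldap/client-key.der

<VirtualHost *:443>
    ServerName intranet.example.com

    # The manual's per-vhost placement. Per Eric's testing this only lands in
    # the vhost's own global_certs array, which is not the array consulted
    # when the connection is made, so it has no effect. Check which cert the
    # LDAP server actually sees before depending on this form.
    LDAPTrustedClientCert CERT_DER /etc/httpd/ldap/intranet-client.der
    LDAPTrustedClientCert KEY_DER  /etc/httpd/ldap/intranet-client-key.der

    # Eric also notes the directive is RSRC_CONF, so placing
    # LDAPTrustedClientCert inside <Location> or <Directory> is rejected
    # despite the manual text; it is deliberately absent from this block.
    <Location /secure>
        AuthType Basic
        AuthName "LDAP"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
        Require valid-user
    </Location>
</VirtualHost>
```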
