Hello,

On 14.01.2015 at 04:33, Olivier Nicole <[email protected]> wrote:
> I would like to configure DSpace to authenticate against LDAP, but I
> want to use encrypted ldaps.
>
> The certificate and CA I am using are self-signed, so where should I
> configure these (CERT and CA) for DSpace to work?

Hilton's answer contains the essential information I guess, but I feel it is not that obvious what exactly is important.

The first answer is, well, it depends on the server setup you use. There are many different SSL libraries out there, and since last year's big breaks in OpenSSL even more of them arise. Each server software has a default configuration that decides which library to use. Then, these default configurations might differ for the same server software depending on the (Linux/BSD) distribution you run, because of the policies of this particular distribution. Distribution policies might contain decisions particularly regarding the preferred SSL library, because SSL is such an important building block for basic system security.

So, find out which library you use first. Each library requires different steps to store certificates, searches for them in different paths and supports different storage formats. It seems that there is a standard way, just because OpenSSL is so widely used. But what seems to be a standard is actually only the OpenSSL way of doing the job.

If you run Tomcat or Jetty behind Apache, then Apache is the place to search. Well, this is true for port 443, but which port is LDAP using for secure communication? Maybe Tomcat (supposing this is your container) uses OpenLDAP for requesting authentication from your central LDAP server. Then you have to find out which SSL library OpenLDAP uses. Apache uses OpenSSL as default on many distributions. Tomcat uses the Java-specific SSL implementation JSSE as default but can be configured to use OpenSSL instead.
When I finally configured our server to use SSL for login (years too late actually) I had to learn a lot about SSL, and I was surprised how little documentation there was. Culprit me, I did not document my solution as well. I run Tomcat without Apache in front of it and I decided to stay with JSSE because OpenSSL was seen as a bad solution then. JSSE is a rather basic implementation I guess, but is probably not under attack the way OpenSSL is currently. The official documentation for JSSE configuration is deceiving, particularly when it comes to creating the keystore.

Note that I am not talking about communication between your servlet container and the authenticating LDAP server though, but only about login to DSpace.

If it turns out that JSSE via BIO in Tomcat is your way to go and you run into trouble with that, please ask and I will look up how I solved the issues in my instance.

Bye,
Christian

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
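As an added example (not from this thread or from the DSpace project), the checks Christian's advice calls for, in shell: find out which TLS library the LDAP client binary and the Tomcat connector actually use, then, for the default Tomcat/JSSE case, make the JVM trust the self-signed CA and verify the LDAPS endpoint against it. The host, CA path and JAVA_HOME are placeholders, and it is assumed here that DSpace's LDAP lookup goes through JNDI/JSSE and therefore trusts whatever the JVM trust store holds.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose which TLS stack the LDAPS
# client on a DSpace host links against, and, for the default Tomcat/JSSE
# case, make the JVM trust a self-signed CA. Placeholders: LDAP_HOST, CA_FILE,
# JAVA_HOME; the trust-store password "changeit" is the JDK default.
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"              # placeholder host
CA_FILE="${CA_FILE:-/etc/ssl/certs/ldap-ca.crt}"        # placeholder CA PEM
JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/default-java}"     # placeholder JRE

# Name the TLS library from ldd-style lines on stdin, e.g.
#   ldd "$(command -v ldapsearch)" | classify_tls_lib
# NSS ships libssl3.so, so it is matched before OpenSSL's libssl.so.*.
classify_tls_lib() {
    libs=$(cat)
    case "$libs" in
        *libssl3.so*|*libnss3.so*) echo nss ;;
        *libssl.so*)               echo openssl ;;
        *libgnutls.so*)            echo gnutls ;;
        *)                         echo none ;;
    esac
}

# Tell JSSE from OpenSSL for a Tomcat connector definition read on stdin,
# e.g. tomcat_tls_stack < conf/server.xml. Only the APR connector and the
# explicit OpenSSL implementation bypass JSSE; everything else is JSSE.
tomcat_tls_stack() {
    conf=$(cat)
    case "$conf" in
        *Http11AprProtocol*|*OpenSSLImplementation*) echo openssl ;;
        *) echo jsse ;;
    esac
}

# JSSE case: JNDI-based LDAP lookups trust whatever the JVM trust store holds,
# so import the self-signed CA there (JDK 8 keeps cacerts under jre/lib).
import_ca_into_jvm() {
    store="$JAVA_HOME/lib/security/cacerts"
    [ -f "$store" ] || store="$JAVA_HOME/jre/lib/security/cacerts"
    keytool -importcert -trustcacerts -noprompt -alias ldap-ca \
        -file "$CA_FILE" -keystore "$store" -storepass changeit
}

# Independent check of the LDAPS endpoint (port 636) against the same CA:
# a non-zero exit here means the chain itself, not DSpace, is the problem.
verify_ldaps() {
    openssl s_client -connect "$LDAP_HOST:636" -CAfile "$CA_FILE" \
        -verify_return_error </dev/null >/dev/null 2>&1
}
```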

