Hi, Scotty
> Now I am concerned with authenticating OpenXPKI with LDAP over TLS/SSL.
> How can I enable it and what changes will be required?
Replace
<use_tls>false</use_tls>
<capath>no</capath>
in auth.xml with
<use_tls>true_tls</use_tls>
<capath>PUT_HERE_YOUR_PATH_TO_CA_CERTIFICATES</capath>
The 'capath' parameter will be used in the Net::LDAP start_tls method as
described in the Net::LDAP manual. You need to prepare certificates
and store them in files having some special names (hashes).
The other approach is using SSL:
install the Net::LDAPS Perl module and
set the use_tls parameter to 'true_ssl':
<use_tls>true_ssl</use_tls>
<capath>PUT_HERE_YOUR_PATH_TO_CA_CERTIFICATES</capath>
In this case you should also check that you specify the proper
port number in auth.xml for the SSL connection (usually it is 636 instead of 389).
In both cases your LDAP server and client must be configured properly
to be able to support TLS/SSL connections. Takes time...
Actually I have rather poor experience on this point. I have just
refactored the module written by Michael Bell and wrote some tests for it.
Beware of security holes. LDAP can easily skip TLS in the case of some
trouble and switch itself to a usual bind. Proper LDAP configuration
is a really BIG thing here.
Best Regards,
Peter
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
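The fallback Peter warns about (STARTTLS fails, the client quietly carries on with a plaintext bind) is the client's decision, so it can be closed on the client side. The following is an added example, not code from the mail above and not OpenXPKI's own LDAP connector: a Net::LDAP client that mirrors the two auth.xml modes ('true_tls' on 389 with start_tls, 'true_ssl' on 636 via an ldaps:// connection) and refuses to send the bind password unless the TLS handshake and the CA check both succeeded. The host, port, bind DN and capath directory are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the original mail, not OpenXPKI code): LDAP
# authentication that never downgrades to a plaintext bind.
use strict;
use warnings;
use Net::LDAP;

# Assumed settings, mirroring the auth.xml values discussed in the mail.
my %cfg = (
    host    => 'ldap.example.com',       # placeholder
    port    => 389,                      # 636 for the 'true_ssl' mode
    use_tls => 'true_tls',               # 'true_tls' or 'true_ssl'
    capath  => '/etc/openxpki/ldap-ca',  # placeholder; directory with hashed CA files
);

# Connect, force TLS with certificate verification, then bind.
# Any TLS problem dies before the password leaves the process.
sub secure_ldap_bind {
    my ($dn, $password, %cfg) = @_;
    my $ldap;

    if ($cfg{use_tls} eq 'true_ssl') {
        # LDAPS: TLS from the first byte. verify => 'require' is essential;
        # Net::LDAP's default is 'none', which would ignore capath entirely.
        $ldap = Net::LDAP->new("ldaps://$cfg{host}:$cfg{port}",
                               verify => 'require',
                               capath => $cfg{capath})
            or die "LDAPS connect failed: $@\n";
    }
    else {
        # Plain port, then STARTTLS. If the upgrade fails we stop here:
        # calling bind() anyway is exactly the silent downgrade to avoid.
        $ldap = Net::LDAP->new($cfg{host}, port => $cfg{port}, version => 3)
            or die "LDAP connect failed: $@\n";
        my $tls = $ldap->start_tls(verify => 'require',
                                   capath => $cfg{capath});
        die "STARTTLS failed, refusing plaintext bind: " . $tls->error . "\n"
            if $tls->code;
    }

    # Belt and braces: confirm the underlying socket is really TLS-wrapped.
    die "socket is not a TLS socket, refusing to bind\n"
        unless $ldap->socket->isa('IO::Socket::SSL');

    my $mesg = $ldap->bind($dn, password => $password);
    die "bind failed: " . $mesg->error . "\n" if $mesg->code;
    $ldap->unbind;
    return 1;
}

# Usage with placeholder credentials (not real values).
secure_ldap_bind('cn=openxpki,ou=services,dc=example,dc=com',
                 'placeholder-password', %cfg)
    and print "authenticated over TLS\n";
```

The hashed file names Peter mentions for the capath directory are the ones OpenSSL's `c_rehash` (or `openssl rehash` in newer releases) creates when run on a directory of CA certificates in PEM form; without them, `verify => 'require'` will reject every server certificate, which is the safe failure, not the silent one.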