[jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16861066#comment-16861066 ]

Rashid Mahmood commented on DIRSERVER-1857:
---

We are facing a similar problem where we want to set up LdapServer with mutual SSL authentication. The issue was reported in 2013 and is still not fixed. We are using version 2.0.0.AM25.

> Allow registration of an LdapsInitializer at the LdapServer
> ---
>
> Key: DIRSERVER-1857
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1857
> Project: Directory ApacheDS
> Issue Type: Improvement
> Affects Versions: 2.0.0-M12
> Reporter: Achim Willems
> Priority: Major
>
> Due to a BSI directive we need mutual authentication for SSL/TLS connections.
> BSI (Bundesamt für Sicherheit in der Informationstechnik) is a German
> governmental organization. This means that we cannot ignore this directive.
> The current implementation of org.apache.directory.server.ldap.LdapServer
> uses the static method
> org.apache.directory.server.ldap.handlers.ssl.LdapsInitializer.init to
> initialize the SSL communication.
> It would be helpful to have an LdapsInitializer interface with a default
> implementation (i.e. the current implementation is the default) and the
> possibility to register this interface at the LdapServer.
> We then could implement our own version of the initializer to establish the
> necessary behaviour.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683235#comment-13683235 ]

Emmanuel Lecharny commented on DIRSERVER-1857:
--

You are absolutely right. The fact that we initialize the SSLContext with a NoVerificationTrustManager is bad. We will see what we can do to improve this situation, but I think it's just a matter of adding an accessor in the LdapServer to get back the configured TrustManager.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683295#comment-13683295 ]

Achim Willems commented on DIRSERVER-1857:
--

I think it's not only a matter of setting the TrustManager. I'm not very familiar with Apache Mina, but isn't it also necessary to call setNeedClientAuth(true) on the sslFilter?

Another reason why it might be useful to use an interface to set up the SSL connection is that one would be more flexible according to the type of key- and trust stores. The current implementation allows only file key stores, which are not always applicable. In our company, for example, we often have to use hardware security modules which need special implementations of key and trust stores.
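As an added illustration of the two points raised in the thread (a real TrustManager instead of NoVerificationTrustManager, plus setNeedClientAuth(true) on the MINA SslFilter), the following is the filter-chain setup a pluggable initializer would perform. It is example code written for this page, not ApacheDS code; it uses only standard JSSE and Apache MINA 2 APIs, and the class name, parameters and file-based stores are assumptions (an HSM-backed KeyStore provider could be substituted where the stores are loaded).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.core.filterchain.IoFilterChainBuilder;
import org.apache.mina.filter.ssl.SslFilter;

/** Example (not ApacheDS code): builds an LDAPS filter chain that requires a client certificate. */
public final class MutualTlsChainBuilder {

    /**
     * @param keyStorePath   store holding the server private key and certificate
     * @param trustStorePath store holding the CA certificates allowed to issue client certificates
     */
    public static IoFilterChainBuilder build(String keyStorePath, char[] keyStorePwd,
                                             String trustStorePath, char[] trustStorePwd)
            throws Exception {
        // Server identity: the key managers present the server certificate during the handshake.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePwd);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePwd);

        // Client verification: a trust store with the issuing CAs, not a trust-everything manager.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePwd);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SslFilter sslFilter = new SslFilter(ctx);
        // Require (not merely request) a client certificate; without one the handshake fails.
        sslFilter.setNeedClientAuth(true);

        DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
        chain.addLast("sslFilter", sslFilter);
        return chain;
    }
}
```

With only the TrustManager swapped and setNeedClientAuth left at its default, the server would still accept connections from clients that present no certificate at all, which is the gap the comment above points out.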
[jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683346#comment-13683346 ]

Kiran Ayyagari commented on DIRSERVER-1857:
---

Incidentally, I started working on some code to add this support a few weeks ago but haven't finished it due to other priorities. I will try to take another shot as soon as I get some time.
[jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683347#comment-13683347 ]

Emmanuel Lecharny commented on DIRSERVER-1857:
--

That's good, Kiran.

Yes, Achim, I probably overlooked the task a bit, but basically, it seems to be quite easy to do. I suspect we will need to test this feature seriously too, which will most certainly cost more time than writing the code...