Matthias,
what tool do you use to connect to Apache DS? I use Apache Directory
Studio, and AFAIR,
there was an error if the certificate does not match the FQDN.
However, connecting either using LDAPS on Port 636 or via StartTLS on
port 389, I don't get an error.
I don't know of a way to display the certificate details of a connection
in the AD Studio though ...
Regards
Beat
On 06.01.2010 12:30 PM, Matthias Cramer wrote:
Hi Beat
I have it exactly that way. And ldaps works well, but starttls still
uses the old cert.
Regards
Matthias
Beat Burgener | NetSuccess GmbH wrote:
Matthias, no problem at all ...
Please refer to this post of Stefan as I had the same issue earlier this
year:
-------------------------------------------------------------------------------------
Further, I would like to use our self-signed and later "trusted" SSL
certificate for
the SSL communication, but the web page doc and the current config are
different:
From the web page:
<ldapService id="ldapsService"
enabled="true"
tcpPort="10636"
enableLdaps="true"
nbTcpThreads="8"
keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
certificatePassword="secret">
<directoryService>#directoryService</directoryService>
</ldapService>
From what I see in our config:
<ldapServer id="ldapServer"
allowAnonymousAccess="false"
saslHost="ldap.netsuccess.ch"
saslPrincipal="ldap/[email protected]"
searchBaseDn="ou=users,ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000">
<transports>
<tcpTransport address="0.0.0.0" port="389" nbThreads="8"
backLog="50" enableSSL="false"/>
<tcpTransport address="0.0.0.0" port="636" enableSSL="true"/>
</transports>
<directoryService>#directoryService</directoryService>
</ldapServer>
This appears quite different, as some of the attributes in the sample
config ended up in the <tcpTransport>
definition ... where should the keystore definition go?
Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
be the 'ldapServer' element:
<ldapServer id="ldapServer"
keystoreFile="..."
certificatePassword="secret"
allowAnonymousAccess="false"
saslHost="ldap.netsuccess.ch"
saslPrincipal="ldap/[email protected]"
searchBaseDn="ou=users,ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000">
-------------------------------------------------------------------------------------
Best regards
Beat
On 06.01.2010 10:44 AM, Matthias Cramer wrote:
Hi Beat
I'm using 1.5.5
Sorry for not mentioning it.
Regards
Matthias
Beat Burgener | NetSuccess GmbH wrote:
Matthias
Which version of Apache DS do you use?
Beat
On 06.01.2010 10:32 AM, Matthias Cramer wrote:
Hi
I'm fairly new to Apache DS but have managed to get everything I wanted
working so far. I've generated a new SSL cert and configured it in
server.xml so that it works for normal SSL ldaps connections.
But when I do starttls, the default certificate that came with the
package still gets used. How do I replace this one? I did not find
anything on the website and Google was of no help either.
Any hint is appreciated.
Regards
Matthias
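Added check, not part of the thread: Beat mentions there is no obvious way to see which certificate a connection actually gets in Directory Studio. The script below connects to a server on 636 (LDAPS) and on 389 (sends the RFC 4511 StartTLS extended request by hand, then upgrades the socket) and compares the SHA-256 fingerprints of the two presented certificates, which is exactly the symptom Matthias describes. The host name is a placeholder you must replace; ports 636/389 are assumed from the thread's config.

```python
import hashlib, socket, ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # every length here fits short form
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body

def tlv(buf, i):
    """Read one BER tag/length/value at offset i; returns (tag, value, next offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def result_code(response):
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS was accepted."""
    _, msg, _ = tlv(response, 0)   # LDAPMessage SEQUENCE
    _, _, i = tlv(msg, 0)          # messageID INTEGER
    tag, ext, _ = tlv(msg, i)
    assert tag == 0x78, "not an ExtendedResponse, tag 0x%02x" % tag
    return tlv(ext, 0)[1][0]       # resultCode ENUMERATED

def _inspect_context():
    # Verification is off on purpose: we want to see what the server presents, FQDN mismatch included.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def ldaps_cert(host, port=636):
    with _inspect_context().wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert(binary_form=True)

def starttls_cert(host, port=389):
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request())
    code = result_code(sock.recv(4096))
    if code != 0:
        raise RuntimeError("StartTLS refused, resultCode=%d" % code)
    with _inspect_context().wrap_socket(sock, server_hostname=host) as s:
        return s.getpeercert(binary_form=True)

def same_certificate(host):
    """True when port 636 and StartTLS on 389 present the same certificate (SHA-256)."""
    fps = [hashlib.sha256(c).hexdigest() for c in (ldaps_cert(host), starttls_cert(host))]
    print("ldaps    :", fps[0], "\nstarttls :", fps[1])
    return fps[0] == fps[1]
```

Run `same_certificate("ldap.example.test")` against your own server; a `False` result reproduces the problem in the thread (StartTLS still serving the bundled certificate after the keystore was changed).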