Stefan,
thank you for pointing this out.
BTW: I just found out that I still have 1.5.4 ;-(
BTW2: I personally do not suggest storing the certificate data within
the LDAP directory itself, although there are fields available.
If you have a certificate used for "ssl.xyz.com", used for web, ldap and
so on, compromising the LDAP account or
ApacheDS through the LDAP protocol might reveal the private key - or am I
wrong on this?
I know that more and more directories start storing PKI data within the
storage engine (Microsoft ADS does this too),
but somehow I don't feel comfortable with this ...
BTW3: Is there a way to force StartTLS on an LDAP connection using port 389
via the ApacheDS configuration?
That's why I use LDAPS, which does not support plain text connections
AFAIK. For LDAP, I don't feel in a position to control
whether the client uses StartTLS or not ...
Thank you and sorry for the confusion about the versions of ApacheDS ...
Beat
On 06.01.2010 13:28 PM, Stefan Seelmann wrote:
Hi Matthias,
Matthias Cramer wrote:
It looks like the starttls extension does not honor the keystore
configured in the ldapServer config.
Yes, you are right. I just checked the source code and the configured
keystore in server.xml isn't used for StartTLS extended operation :-/
You can find the certificate and key that are used in the admin entry
(uid=admin,ou=system):
dn: uid=admin,ou=system
keyAlgorithm: RSA
privateKey:: ...
privateKeyFormat: PKCS#8
publicKey:: ...
publicKeyFormat: X.509
userCertificate:: ...
...
What you need to do is to extract the private key, public key and
certificate from your keystore and replace the attributes privateKey,
publicKey and userCertificate with those. You could use Portecle
and OpenSSL to extract that information. If you need further help,
don't hesitate to ask.
Not very user friendly right now...
Kind Regards,
Stefan
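The procedure Stefan describes (pull key, public key and certificate out of the keystore and write them into uid=admin,ou=system) can be done with the Java KeyStore API directly, which yields exactly the encodings the entry declares: PrivateKey.getEncoded() is PKCS#8, PublicKey.getEncoded() is X.509 SubjectPublicKeyInfo, and Certificate.getEncoded() is the DER certificate. The following is an added example written for this page; it is not ApacheDS code and not something from the thread. It assumes a JKS keystore, that the key entry uses the same password as the store (keytool's default), and the attribute names shown in Stefan's entry dump; the file name, password and alias on the usage line are placeholders.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;

/*
 * Added example, not ApacheDS code. Reads one alias from a JKS keystore and
 * prints an LDIF "changetype: modify" record that replaces keyAlgorithm,
 * privateKey, publicKey and userCertificate on uid=admin,ou=system.
 * Assumptions: JKS keystore, key password == store password, attribute
 * names as in the admin entry shown above.
 *
 * Usage (placeholders): java KeystoreToLdif server.jks changeit ssl.xyz.com > admin-keys.ldif
 */
public class KeystoreToLdif {

    // Encode a binary value as an LDIF base64 attribute ("attr:: ...") and fold
    // it as RFC 2849 describes: lines of at most 76 characters, every
    // continuation line beginning with a single space.
    static String base64Attr(String attr, byte[] der) {
        String b64 = Base64.getEncoder().encodeToString(der);
        StringBuilder sb = new StringBuilder(attr).append(":: ");
        int col = sb.length();
        for (int i = 0; i < b64.length(); i++) {
            if (col >= 76) {
                sb.append('\n').append(' ');
                col = 1;
            }
            sb.append(b64.charAt(i));
            col++;
        }
        return sb.toString();
    }

    // One "replace:" block of an LDIF modify record, terminated by "-".
    static String replaceBlock(String attr, String valueLine) {
        return "replace: " + attr + "\n" + valueLine + "\n-\n";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreToLdif <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        Key key = ks.getKey(args[2], password);          // key password assumed == store password
        Certificate cert = ks.getCertificate(args[2]);
        Arrays.fill(password, '\0');                     // don't keep the password around
        if (!(key instanceof PrivateKey) || cert == null) {
            System.err.println("alias is not a private-key entry with a certificate: " + args[2]);
            System.exit(1);
        }
        PrivateKey priv = (PrivateKey) key;
        PublicKey pub = cert.getPublicKey();

        // The JCA encodings must match what the admin entry declares
        // (privateKeyFormat: PKCS#8, publicKeyFormat: X.509); refuse anything else.
        if (!"PKCS#8".equals(priv.getFormat()) || !"X.509".equals(pub.getFormat())) {
            throw new IllegalStateException("unexpected key encoding: "
                + priv.getFormat() + " / " + pub.getFormat());
        }

        StringBuilder ldif = new StringBuilder();
        ldif.append("dn: uid=admin,ou=system\n");
        ldif.append("changetype: modify\n");
        ldif.append(replaceBlock("keyAlgorithm", "keyAlgorithm: " + priv.getAlgorithm()));
        ldif.append(replaceBlock("privateKey", base64Attr("privateKey", priv.getEncoded())));
        ldif.append(replaceBlock("privateKeyFormat", "privateKeyFormat: " + priv.getFormat()));
        ldif.append(replaceBlock("publicKey", base64Attr("publicKey", pub.getEncoded())));
        ldif.append(replaceBlock("publicKeyFormat", "publicKeyFormat: " + pub.getFormat()));
        ldif.append(replaceBlock("userCertificate", base64Attr("userCertificate", cert.getEncoded())));
        System.out.print(ldif);
    }
}
```

The generated LDIF contains the private key in the clear, so treat the file like the keystore itself (restrictive permissions, delete after use) and apply it over LDAPS or a local connection rather than plain LDAP. This is also precisely the point Beat raises above: once the key lives in uid=admin,ou=system, anyone who can read that entry has the key.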