Fri, 12 Jun 2020 at 17:14, James Stocks <jamessto...@codeweavers.net>:
>
> We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2
> web server. We are using the Debian 10 Apache2 package, version 2.4.38. Our
> authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.
>
> Apache connects to ldap.google.com, however it does not appear to
> successfully negotiate a TLS connection. As a workaround, we have set up
> stunnel4 to handle the TLS session and configured Apache to use stunnel.
> Apache is able to successfully authenticate using plain LDAP through the TLS
> tunnel. We have also successfully connected to the LDAP endpoint using
> ldapsearch.
> [...]
>
> Can anyone tell me whether SNI support is available in mod_ldap and if so how
> do I activate it?
>
Just sharing a few pointers that I found:

1. Documentation for mod_ldap says that "SSL/TLS support is dependent on
which LDAP toolkit has been linked to APR. As of this writing, APR-util
supports: ..." and lists 5 different implementations.

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html

2. Assuming that the implementation that you are dealing with is
OpenLDAP, a quick search finds the following item in their Bugzilla
(and on their mailing list):

https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html
https://bugs.openldap.org/show_bug.cgi?id=9176

"(ITS#9176) libldap support for TLSv1.3 Encrypted SNI"

It was implemented a month ago, but apparently it is targeted for the
next major version (2.5.0) and is not part of the current 2.4.50
release of OpenLDAP.

https://git.openldap.org/openldap/openldap/-/commit/5c0efb9ce83db383631ce79e8f246d73c33b9ab3
https://git.openldap.org/openldap/openldap/-/commit/e96f90e21229f9d83129db0da017e0fe5a0a27c8

Thus I guess that the answer to your question is "not yet".

Best regards,
Konstantin Kolinko
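
The stunnel workaround described in the quoted question could be configured along the following lines. This is an added example, not configuration posted by either participant; the service name, local port 1636, CA bundle path, certificate paths and base DN are assumptions.

```ini
; /etc/stunnel/ldap-client.conf (file name is an assumption)
; stunnel acts as a TLS client: Apache speaks plain LDAP to the loopback
; listener and stunnel carries it to the directory over TLS with SNI set.

[ldap-tunnel]
client = yes

; Listen on loopback only. The hop between Apache and stunnel is
; unencrypted, so it must not be reachable from other hosts.
accept = 127.0.0.1:1636
connect = ldap.google.com:636

; Server name sent in the TLS ClientHello.
sni = ldap.google.com

; stunnel does not verify the peer certificate unless told to.
; Require a valid chain and a certificate matching the host name.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com

; Assumption: only needed if the directory service requires a client
; certificate. Paths are placeholders.
; cert = /etc/stunnel/ldap-client.crt
; key = /etc/stunnel/ldap-client.key

; Apache side (httpd configuration, shown here as a comment):
; point mod_authnz_ldap at the tunnel with TLS disabled on this hop,
; since stunnel provides it. The base DN is a placeholder.
;
;   AuthBasicProvider ldap
;   AuthLDAPURL "ldap://127.0.0.1:1636/dc=example,dc=com?uid?sub" NONE
;   Require valid-user
```

With `verifyChain` and `checkHost` left out, the tunnel would still connect but would accept any certificate, which removes the protection the tunnel is there to provide.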