Fri, 12 Jun 2020 at 17:14, James Stocks <jamessto...@codeweavers.net>:
>
> We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2 
> web server.  We are using the Debian 10 Apache2 package, version 2.4.38.  Our 
> authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.
>
> Apache connects to ldap.google.com, however it does not appear to 
> successfully negotiate a TLS connection.  As a workaround, we have set up 
> stunnel4 to handle the TLS session and configured Apache to use stunnel.  
> Apache is able to successfully authenticate using plain LDAP through the TLS 
> tunnel.  We have also successfully connected to the LDAP endpoint using 
> ldapsearch.
>
[...]
>
> Can anyone tell me whether SNI support is available in mod_ldap and if so how 
> do I activate it?
>

Just sharing a few pointers that I found:

1. Documentation for mod_ldap says that "SSL/TLS support is dependent
on which LDAP toolkit has been linked to APR. As of this writing,
APR-util supports: ..." and lists 5 different implementations.

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html

2. Assuming that the implementation that you are dealing with is
OpenLDAP, a quick search finds the following item in their Bugzilla
(and on their mailing list):

https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html
https://bugs.openldap.org/show_bug.cgi?id=9176
"(ITS#9176) libldap support for TLSv1.3 Encrypted SNI"

It was implemented a month ago, but apparently it is targeted for the
next major version (2.5.0) and is not part of the current 2.4.50
release of OpenLDAP.

https://git.openldap.org/openldap/openldap/-/commit/5c0efb9ce83db383631ce79e8f246d73c33b9ab3
https://git.openldap.org/openldap/openldap/-/commit/e96f90e21229f9d83129db0da017e0fe5a0a27c8

Thus I guess that the answer to your question is "not yet".

Best regards,
Konstantin Kolinko
