[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question about LDAP and SSL.

To: openldap-technical@openldap.org
Subject: Re: Question about LDAP and SSL.
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Thu, 8 Jul 2010 08:56:01 +0100
Cc: Bryan Boone <v_1bboon@yahoo.com>, Chris Jacobs <Chris.Jacobs@apollogrp.edu>
In-reply-to: <6C447584419BFE4E83D46E88F8131486323C26CE1A@EXCH07-05.apollogrp.edu>
References: <237220.24482.qm@web65501.mail.ac4.yahoo.com> <6C447584419BFE4E83D46E88F8131486323C26CE1A@EXCH07-05.apollogrp.edu>
User-agent: KMail/1.12.4 (Linux/2.6.31.13-desktop-1mnb; KDE/4.3.5; x86_64; ; )

On Wednesday, 7 July 2010 23:26:50 Chris Jacobs wrote:
> Bryan,
> 
> The method of completing "Does openldap provide a mechanism that will
>  accomplish the same thing (automatic client cert acceptance)?" is to have
>  a real cert authority issue the cert.

That is not the only method, and there may be circumstances where a commercial 
CA is not suitable.

>  They're pretty nice about it even,
>  at least if you give them money.
> 
> I /highly/ recommend you read up on SSL certs, differences between
>  self-signed and purchased, etc.

All root CA certs are self-signed, the OP wasn't (necessarily) proposing self-
signed certs. However, since he is not necessarily in control of the LDAP 
server configuration, his solution should cater to situations that may require 
the user of his solution to update the CA cert (e.g., commercial CA certificate 
rollover).

> Here's a hint: Self-Signed aren't trusted anywhere.  Most equipment,
>  browsers, etc, come with a list of trusted providers.

And, most good devices, browsers etc. allow you to update/add CA certificates.

Regards,
Buchan

References:
- Question about LDAP and SSL.
  - From: Bryan Boone <v_1bboon@yahoo.com>
- RE: Question about LDAP and SSL.
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>

Prev by Date: Re: Question about LDAP and SSL.
Next by Date: Repeated messages : op=0 do_bind: invalid dn (uid=,ou=...
Index(es):
- Chronological
- Thread