Details
- Improvement
- Resolution: Duplicate
- Minor
- None
- 1.1 M3
- None
- patch ldap ssl
Description
This patch adds support for SSL connections to the ldap server. To activate the SSL layer, I added a new configuration parameter in xwiki.cfg (xwiki.authentication.ldap.ssl) which has to be set to 1. Of course the ldap port has to be changed too (to 636).
In order for the SSL connection to be established, the CA certificate which delivered the SSL certificate of the ldap server must be added to the trust store of the JSSE extension.
From the Sun JSSE documentation:
The search order for locating the trust store is:
1) <java-home>/lib/security/jssecacerts, then
2) <java-home>/lib/security/cacerts
If the file jssecacerts exists, then cacerts is not consulted.
So in order to make it work you have to create a trust store named jssecacerts with the following command and place it in the suitable directory of the JRE or JDK used by your container:
keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
(answer yes when asked if you want to trust the certificate)
I read on the web that the default password for cacerts is 'changeit', so I used that; I haven't tried yet with another password for the trust store.
I believe that if the SSL certificate of the ldap server is self-signed you need to import it instead of the CA, but I did not try.
The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the hard-coded security provider; it should maybe be put as a parameter for people not running Sun JVMs.
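As an added illustration (this is not the attached patch's code), the following Java snippet shows how the LDAP bind described above can be made SSL-aware: it reads the new xwiki.authentication.ldap.ssl flag from xwiki.cfg-style properties, switches JNDI to the "ssl" security protocol on port 636, and takes the provider class from a configuration key instead of hard-coding com.sun.net.ssl.internal.ssl.Provider. The key names other than xwiki.authentication.ldap.ssl (server, port, bind_DN, bind_pass, ssl_provider) and the class name LdapSslConnector are assumptions made for this example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapSslConnector {

    /** Builds the JNDI environment; SSL is enabled when xwiki.authentication.ldap.ssl=1. */
    public static Hashtable<String, String> buildEnvironment(Properties cfg) {
        // Key names other than xwiki.authentication.ldap.ssl are assumptions for this example.
        String host = cfg.getProperty("xwiki.authentication.ldap.server", "localhost");
        boolean useSsl = "1".equals(cfg.getProperty("xwiki.authentication.ldap.ssl", "0"));
        // Plain LDAP listens on 389; the port must be changed to 636 when SSL is on.
        String port = cfg.getProperty("xwiki.authentication.ldap.port", useSsl ? "636" : "389");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, cfg.getProperty("xwiki.authentication.ldap.bind_DN", ""));
        env.put(Context.SECURITY_CREDENTIALS, cfg.getProperty("xwiki.authentication.ldap.bind_pass", ""));
        if (useSsl) {
            // JNDI wraps the socket in SSL/TLS; the server certificate is validated against
            // the JSSE trust store (jssecacerts, else cacerts) described above.
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Registers the SSL provider named in the configuration instead of hard-coding it. */
    public static void registerProvider(Properties cfg) throws ReflectiveOperationException {
        String providerClass = cfg.getProperty("xwiki.authentication.ldap.ssl_provider",
                "com.sun.net.ssl.internal.ssl.Provider"); // default matches the patch
        Provider p = (Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance();
        if (Security.getProvider(p.getName()) == null) {
            Security.addProvider(p);
        }
    }

    /** Opens the directory context, registering the provider first when SSL is requested. */
    public static DirContext connect(Properties cfg) throws NamingException, ReflectiveOperationException {
        if ("1".equals(cfg.getProperty("xwiki.authentication.ldap.ssl", "0"))) {
            registerProvider(cfg);
        }
        return new InitialDirContext(buildEnvironment(cfg));
    }
}
```

If the container's JRE has no jssecacerts containing the CA, the bind with SECURITY_PROTOCOL "ssl" fails with a certificate path error rather than silently falling back to plain LDAP, which is the behaviour you want.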
Attachments
Issue Links
- duplicates XWIKI-1079 LDAP Authentication (Closed)
- is duplicated by XWIKI-805 LDAP over ssl (Closed)