Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-865

add support for LDAP over SSL (ldaps)

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.1 M3
    • Fix Version/s: None
    • Labels:
      None
    • keywords:
      patch ldap ssl
    • Similar issues:

      Description

      This patch adds support for SSL connections to the ldap server. To activate the SSL layer, I added a new configuration parameter in xwiki.cfg (xwiki.authentication.ldap.ssl) which has to be set to 1. Of course the ldap port has to be changed too (to 636).

      In order for the SSL connection to be established, the CA certificate which delivered the SSL certificate of the ldap server must be added to the trust store of the JSSE extension.

      >From the Sun JSSE documentation:
      The search order for the locating the trust store is:

      1) <java-home>/lib/security/jssecacerts, then
      2) <java-home>/lib/security/cacerts

      If the file jssecacerts exists, then cacerts is not consulted.

      So in order to make it work you have to create a trust store named jssecacerts with the following command and place it in the suitable directory of the JRE or JDK used by your container:

      keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts

      (answer yes when asked if you want to trust the certificate)
      I read on the web the default password for cacerts is 'changeit' so I used that, I didn't try yet with another password for the trust store.

      I believe if the SSL certificate of the ldap server is self signed you need to import it instead of the CA but I did not try.

      The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the hard coded security provider, it should maybe be put as a parameter for people not running Sun JVMs.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              tmortagne Thomas Mortagne
              Reporter:
              phil Philippe Marzouk
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response: