Emmanuel Dreyfus wrote:
Michael Ströder <michael@stroeder.com> wrote:
Yes. However in theory the web app could run within a custom HTTP server and intercept the SSL/TLS handshake.
In fact I thought a bit more about it and I do not think it can work: if the HTTP server intercepts the SSL handshake and proxies it to slapd, then the SSL connection will be between the web browser and slapd. The HTTP server will not be able to handle the request.
In fact we would need a double SSL handshake: one with the HTTP server and another one with slapd, proxied by the HTTP server. I am not even sure it is possible.
Yes, now you see why the steps here
http://www.openldap.org/lists/openldap-technical/200901/msg00037.html
are necessary. You need secure handshakes between all three parties, and secure credentials that all three parties can trust.