Hi everyone. I am kinda a noob to OpenLDAP and SSL for that matter.
I am writing a web page that resides on a special piece of proprietary hardware (not a PC) that I need authentication for (running linux with apache server). I would like LDAP to be one of the authentication methods (this hardware will be an LDAP client) when a customer logs into the web page of my device. Of course I need this to support LDAP with SSL.
I went to the openldap website and found the directions to create and generate the SSL certs and installed them in openLDAP (3 total). There is the server cert and key, and then the client cert.
You know how when connecting to a https:// website IE, or firefox will prompt you if you want to accept the SSL certificate (if the cert is not signed by a CA)? Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)? Or will I need to provide a way on my hardware where the customer can manually upload his/her client cert to the device?
Does that make sense?
thanks
Bryan,
The method of completing "Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)?" is to have a real cert authority issue the cert. They're pretty nice about it even, at least if you give them money.
I /highly/ recommend you read up on SSL certs, differences between self-signed and purchased, etc.
Here's a hint: Self-Signed aren't trusted anywhere. Most equipment, browsers, etc, come with a list of trusted providers.
Spend a week on SSL/Certs - it'll be worth your time.
- chris
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Bryan Boone
Sent: Wednesday, July 07, 2010 3:07 PM
To: openldap-technical@openldap.org
Subject: Question about LDAP and SSL.
On Wednesday, 7 July 2010 23:26:50 Chris Jacobs wrote:
Bryan,
The method of completing "Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)?" is to have a real cert authority issue the cert.
That is not the only method, and there may be circumstances where a commercial CA is not suitable.
They're pretty nice about it even, at least if you give them money.
I /highly/ recommend you read up on SSL certs, differences between self-signed and purchased, etc.
All root CA certs are self-signed, the OP wasn't (necessarily) proposing self-signed certs. However, since he is not necessarily in control of the LDAP server configuration, his solution should cater to situations that may require the user of his solution to update the CA cert (e.g., commercial CA certificate rollover).
Here's a hint: Self-Signed aren't trusted anywhere. Most equipment, browsers, etc, come with a list of trusted providers.
And, most good devices, browsers etc. allow you to update/add CA certificates.
Regards, Buchan
On Wednesday, 7 July 2010 23:06:40 Bryan Boone wrote:
Hi everyone. I am kinda a noob to OpenLDAP and SSL for that matter.
I am writing a web page that resides on a special piece of proprietary hardware (not a PC) that I need authentication for (running linux with apache server). I would like LDAP to be one of the authentication methods (this hardware will be an LDAP client) when a customer logs into the web page of my device. Of course I need this to support LDAP with SSL.
I went to the openldap website and found the directions to create and generate the SSL certs and installed them in openLDAP (3 total). There is the server cert and key, and then the client cert.
You know how when connecting to a https:// website IE, or firefox will prompt you if you want to accept the SSL certificate (if the cert is not signed by a CA)? Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)?
No.
Or will I need to provide a way on my hardware where the customer can manually upload his/her client cert to the device?
If you want SSL cert validation, you must either ship with the CA certs you want, or provide a means to upload a CA cert.
Regards, Buchan
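The two options Buchan names (ship the CA certs with the device, or give the administrator a way to upload one) are easy to get wrong on an appliance, so here is an added illustration in Python; it is not code from this thread, from OpenLDAP, or from the original poster's device. It uses only the standard library: the on-device paths, host names and the sample "uploaded" data are assumptions made for the example. The comments map each setting to the equivalent OpenLDAP client option in ldap.conf (TLS_CACERT, TLS_REQCERT), and the first function shows why "accept automatically" is the setting to avoid.

```python
"""
Added example (not from the mailing-list thread or OpenLDAP): validating an
LDAPS server certificate on an appliance that either ships a CA bundle or
lets an administrator upload one. Standard library only.
"""
import os
import socket
import ssl
from pathlib import Path

# Hypothetical on-device locations; assumptions for this example.
SHIPPED_CA_BUNDLE = Path("/etc/appliance/ca/shipped-ca.pem")
UPLOADED_CA_DIR = Path("/etc/appliance/ca/uploaded")


def accept_any_server_context() -> ssl.SSLContext:
    """The 'automatic acceptance' the original poster asked about.

    Equivalent to 'TLS_REQCERT never' in ldap.conf: the session is encrypted
    but the server's identity is never checked, so any host that can answer
    on port 636 is accepted and receives the bind password. Shown only to
    contrast with validating_context(); do not deploy it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(ca_files) -> ssl.SSLContext:
    """Trust only the CA certs the device ships with or was explicitly given.

    Equivalent to 'TLS_CACERT <file>' plus 'TLS_REQCERT demand' in ldap.conf.
    Refuses to build a context with no CA at all rather than silently
    falling back to 'trust anything'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the cert must match the configured LDAP host
    loaded = 0
    for path in ca_files:
        if Path(path).is_file():
            ctx.load_verify_locations(cafile=str(path))
            loaded += 1
    if loaded == 0:
        raise RuntimeError("no CA certificate configured; refusing to connect")
    return ctx


def validate_uploaded_ca(pem_text: str) -> bool:
    """Check that admin-supplied data parses as a PEM X.509 certificate.

    load_verify_locations() actually parses the data, so random text, broken
    base64 or a private key pasted by mistake is rejected before it is written
    into the device's trust store.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.load_verify_locations(cadata=pem_text)
    except (ssl.SSLError, ValueError):
        return False
    return True


def install_uploaded_ca(pem_text: str, name: str,
                        dest_dir: Path = UPLOADED_CA_DIR) -> Path:
    """Store an uploaded CA cert under a sanitised file name (the 'upload a CA
    cert' option). The name is reduced to [A-Za-z0-9-_] so a web form cannot
    write outside dest_dir."""
    if not validate_uploaded_ca(pem_text):
        raise ValueError("uploaded data is not a valid PEM certificate")
    safe = "".join(c for c in name if c.isalnum() or c in "-_") or "ca"
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / f"{safe}.pem"
    target.write_text(pem_text)
    os.chmod(target, 0o644)  # public material; no need to hide it
    return target


def connect_ldaps(host: str, port: int = 636, ca_files=None) -> ssl.SSLSocket:
    """Open the validated TLS socket an LDAP bind would then run over.

    By default trusts the shipped bundle plus any admin-uploaded CA files.
    The LDAP protocol itself is outside the scope of this example.
    """
    files = list(ca_files) if ca_files else [
        SHIPPED_CA_BUNDLE, *sorted(UPLOADED_CA_DIR.glob("*.pem"))]
    ctx = validating_context(files)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

On the device, the web form that receives the customer's CA file would call install_uploaded_ca(), and the login code would call connect_ldaps(); a failed handshake (unknown CA, wrong host name, expired cert) surfaces as ssl.SSLCertVerificationError and should be logged and shown to the administrator as a configuration problem, not retried with accept_any_server_context().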