Hi, I need information on how to configure the OpenLDAP server in the slapd.conf to look for certificates from the Windows certificate store. Currently I am using certificates from a file in a path.
Waiting for your inputs.
Regards, Pramod
On Fri, 2 Aug 2013, pramod kulkarni wrote:
Hi, I need information on how to configure the OpenLDAP server in the slapd.conf to look for certificates from the Windows certificate store. Currently I am using certificates from a file in a path.
Waiting for your inputs.
In libraries/libldap you'll find
tls_g.c tls_m.c tls_o.c
which are for GnuTLS, MozNSS, and OpenSSL respectively. I'd imagine that the Right Thing would be to make a new file here, that utilizes the Windows crypto APIs (therefore accessing the Windows certificate stores).
If this is something you might oversee, patches are welcomed through the ITS: http://www.openldap.org/its website. Please read http://www.openldap.org/devel/contributing.html first.
Aaron Richton wrote:
On Fri, 2 Aug 2013, pramod kulkarni wrote:
Hi, I need information on how to configure the OpenLDAP server in the slapd.conf to look for certificates from the Windows certificate store. Currently I am using certificates from a file in a path.
Waiting for your inputs.
In libraries/libldap you'll find
tls_g.c tls_m.c tls_o.c
which are for GnuTLS, MozNSS, and OpenSSL respectively. I'd imagine that the Right Thing would be to make a new file here, that utilizes the Windows crypto APIs (therefore accessing the Windows certificate stores).
You're talking about implementing a wrapper around Windows' schannel DLL which in turn uses CAPI key stores.
Another also rather hypothetical approach: I vaguely remember that someone wrote a PKCS#11 provider for accessing CAPI keystore which could be used in libnss and therefore in OpenLDAP (tls_m.c). It would be a lot of work to get that going - something for adventurers with lots of spare time. ;-}
Ciao, Michael.
Thanks for the reply,
How do we replace the file-based access in OpenLDAP with Windows certificate store access? We have the functionality to access the Windows certificate store, but how do we integrate it with OpenLDAP?
Regards, Pramod
Hi,
On Mon, 5 Aug 2013, pramod kulkarni wrote:
Thanks for the reply,
How do we replace the file-based access in OpenLDAP with Windows certificate store access? We have the functionality to access the Windows certificate store, but how do we integrate it with OpenLDAP?
Let's try it in other words. There is no such functionality in OpenLDAP currently.
If you want it you need to develop it.
Greetings Christian
openldap-technical@openldap.org