[Servser] SSL Support?

    [Servser] SSL Support?  
Marc Boorshtein


09-22-05 12:45 PM

I thought I read somewhere that apacheds supports SSL (in the ldap listener)
with Java 5, but I can't find any docs. How is this setup?

Thanks
Marc






    Re: [Servser] SSL Support?  
Nick Faiz


09-23-05 01:45 AM

I'd like to know too. I had thought it wasn't available.

Nick

On 9/22/05, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I thought I read somewhere that apacheds supports SSL (in the ldap listener)
> with Java 5, but I can't find any docs.  How is this setup?
>
>  Thanks
>  Marc
>






    Re: [Servser] SSL Support?  
Trustin Lee


09-23-05 01:45 AM

There's no SSL support for ApacheDS-server yet. We have to improve MINA to
support SASL first.

Trustin

2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> I thought I read somewhere that apacheds supports SSL (in the ldap
> listener) with Java 5, but I can't find any docs. How is this setup?
>
> Thanks
> Marc
>



--
what we call human nature is actually human habit
--
http://gleamynode.net/






    Re: [Servser] SSL Support?  
Trustin Lee


09-23-05 01:45 AM

I thought SASL is required for LDAP to authenticate user in a secure way and
LDAPS works with SASL only. Am I misunderstanding? Let me know. I'm a novice
in LDAP. 

Trustin

2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> I'm not sure I understand why SASL support is required to support SSL.
> Isn't SASL an application level protocol whereas SSL is at lower level?
>
> Marc
>
> On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>


--
what we call human nature is actually human habit
--
http://gleamynode.net/






    Re: [Servser] SSL Support?  
Marc Boorshtein


09-23-05 01:45 AM

It looks like MINA-111 adds support for SSL, but there are no docs on how to
enable it.

Marc

On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> There's no SSL support for ApacheDS-server yet. We have to improve MINA to
> support SASL first.
>
> Trustin
>
> 2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/






    Re: [Servser] SSL Support?  
Trustin Lee


09-23-05 01:45 AM

ApacheDS doesn't use MINA SSL support yet. There's a tutorial in wiki that
demonstrates the usage of SSLFilter and LoggingFilter.

http://wiki.apache.org/directory/MinaTutorial

Or you could simply browse the MINA Echo protocol server example:

http://directory.apache.org/subproj...ng_started.html

Trustin

2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> It looks like MINA-111 adds support for SSL, but there are no docs on how
> to enable it.
>
> Marc
>
> On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>


--
what we call human nature is actually human habit
--
http://gleamynode.net/






    Re: [Servser] SSL Support?  
David Boreham


09-23-05 01:45 AM

Marc Boorshtein wrote:

> It looks like MINA-111 adds support for SSL, but there are no docs on
> how to enable it.

We use SSL with ApacheDS inside the NT4 LDAP server
we ship with Fedora Directory Server. The source is open
(from memory we added one or two minor things to support
easy cert configuration). The ApacheDS/Mina code has probably
changed quite a bit since then though.










    Re: [Servser] SSL Support?  
Stefan Zoerner


09-23-05 01:45 AM

Hi Trustin!

> I thought SASL is required for LDAP to authenticate user in a secure way
> and LDAPS works with SASL only.  Am I misunderstanding?  Let me know.
> I'm a novice in LDAP.

As far as I know, LDAPS is comparable to HTTPS. It just adds a layer
between LDAP and TCP/IP. Especially, it has nothing to do with SASL.
Normally, you have two different ports an LDAP server is listening on: 389
for LDAP unencrypted, and 636 for LDAP over SSL/TLS (like 80/443 with
HTTP). Using LDAPS it is possible to use a simple bind (with pwd in
clear) within SSL/TLS, therefore it is encrypted nevertheless. Using SASL
(e.g. DIGEST-MD5) is another option for a secure authentication. A third
one would be using an anonymous bind, using StartTLS (extended operation)
and after successfully establishing TLS on the same connection a rebind
with credentials.

I hope this helps (and is right as well ;-)
Stefan
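
The options described in the reply above, seen at the protocol level, as an added example that is not part of the original thread: it encodes an LDAPv3 simple bind and the StartTLS extended request, then checks whether a client's message sequence on plain port 389 would put the password on the wire before TLS is negotiated. The function names are hypothetical, and the DN and password passed to them are constructed sample values.

```python
# Added example: LDAPv3 requests in BER (RFC 4511); sample values are constructed.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation

def ber(tag, payload):
    """Encode one TLV; short-form length only (payload under 128 bytes)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def ber_int(v):
    return ber(0x02, bytes([v]))  # INTEGER, valid for 0..127 only

def simple_bind(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, simple [0] password
    body = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))

def starttls(msg_id):
    # ExtendedRequest [APPLICATION 23]: requestName [0] = StartTLS OID
    return ber(0x30, ber_int(msg_id) + ber(0x77, ber(0x80, STARTTLS_OID)))

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, payload, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low 7 bits give the byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify(pdu):
    """Name the operation carried by one client LDAPMessage."""
    msg = read_tlv(pdu)[1]
    op, body, _ = read_tlv(msg, read_tlv(msg)[2])  # skip messageID
    if op == 0x60:
        p = read_tlv(body, read_tlv(body)[2])[2]   # skip version and name
        auth, cred, _ = read_tlv(body, p)
        if auth != 0x80:
            return "sasl-bind"                     # [3] SaslCredentials
        return "simple-bind" if cred else "anonymous-bind"
    if op == 0x77:
        return "starttls" if read_tlv(body)[1] == STARTTLS_OID else "extended"
    return "other"

def password_sent_in_clear(client_pdus):
    """On a plain port-389 connection: simple bind sent before StartTLS?"""
    for kind in map(classify, client_pdus):
        if kind in ("starttls", "simple-bind"):
            return kind == "simple-bind"
    return False
```

The simple bind carries the password bytes verbatim in the request, which is why it is only safe inside LDAPS or after StartTLS on the same connection.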







    Re: [Servser] SSL Support?  
David Boreham


09-23-05 01:45 AM

Trustin Lee wrote:

> I thought SASL is required for LDAP to authenticate user in a secure
> way and LDAPS works with SASL only.  Am I misunderstanding?  Let me
> know.  I'm a novice in LDAP. 
>
Nope, SASL and SSL are orthogonal (well, nearly).
If (and only if) you want to perform cert-based authentication in
a standard way, then you need to support the SASL-EXTERNAL
mechanism. But almost nobody needs this. Basic SSL does
not depend on SASL (and in fact SASL-EXTERNAL doesn't
really depend on SASL either ;)








    Re: [Servser] SSL Support?  
Marc Boorshtein


09-23-05 01:45 AM

Well, it depends on your needs. If you are going to use public key
authentication, then yes you would need SASL. However if all you want is
transport level security then you only need to enable SSL (with a key&cert).
This way users are still authenticated using simple binds but the
communications are encrypted.

Marc

On 9/22/05, Trustin Lee <trustin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I thought SASL is required for LDAP to authenticate user in a secure way
> and LDAPS works with SASL only. Am I misunderstanding? Let me know. I'm a
> novice in LDAP. 
>
> Trustin
>
> 2005/9/22, Marc Boorshtein <mboorshtein-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>:
>
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
>





