My organization's LDAP server wants me to always use an SSL connection to it[1] and I am provided with two files cert7.db and key3.db for that.
I found the section http://httpd.apache.org/docs/2.1/mod/mod_ldap.html#settingcerts which talks about those two files, but I am not sure how to tell the drupal ldap module to use those two certificates. As I am encountering LDAP stuff for the first time, I'm not very sure of the stuff, any help appreciated, specifically if the above link is the right one to follow, and if yes, where to put those directives and what values should I change there?
I run Xampp on Windows which has apache 2.2. Also, without using SSL I can successfully use the "test server" functionality in Drupal LDAP module's UI.
Thanks
[1] Instructions on my organization's website-
When an LDAP client connects to an LDAP server over SSL, the server identifies itself by sending its certificate to the client. The LDAP client will trust the server's certificate if it has a copy of the certificate issuer's or certificate authority's (CA's) certificate. For an SSL connection with the LDAP ED your client needs a copy of the server's CA certificate. In general the SDK you download should provide instructions on how to store the CA certificate.
Instructions for the Netscape SDK:
You will need a certificate database in the form of a cert7.db file containing the appropriate CA certificates and a key3.db file. For your convenience we have provided these files preloaded with our CA certificates. You can download the files by clicking the links and store them anywhere on your system. In the appropriate SDK call you will specify the path to these files.
Comments
Comment #1
johnbarclay commented
LDAP in the drupal context works on the following layers:
Hence there are 3 layers of configuration and documentation spread all over the place.
Your work with the certificates is all in the open ldap layer. So look to that documentation for help with certificates. Within the ldap drupal module configuration, the only change I can think of for ssl is to use ldaps://serveraddress.com instead of serveraddress.com
Comment #2
shaan7 commented
Phew thanks to the links you posted, it was in fact in the openldap layer that I had to put my certs. Earlier I was trying to use XAMPP on windows with the Netscape style certificates for the server.
I got it working by getting a PEM server cert and then using LAMP on Ubuntu server and put the following line in /etc/ldap/ldap.conf -
TLS_CACERT /path/to/cert.pem
and now it works, thanks a lot for the module and help :)
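A way to audit the client setting from comment #2, as an added example that is not part of the thread or the module: it checks that an ldap.conf-format file names a readable PEM file in TLS_CACERT and that certificate verification has not been switched off. The function names are hypothetical, and TLS_REQCERT is a standard OpenLDAP client option that the thread does not mention.

```shell
#!/bin/sh
# Added example: audit the OpenLDAP client TLS settings in an ldap.conf-format file.
# Usage: check_ldap_tls /etc/ldap/ldap.conf
# Return codes: 0 ok, 1 no TLS_CACERT (or config unreadable), 2 CA file unreadable,
#               3 CA file is not PEM, 4 TLS_REQCERT weakens verification.

# Print the value of keyword $2 in file $1. Keywords are case-insensitive and
# commented-out lines are ignored. Assumption: if a keyword is repeated, the
# last line is the one reported.
ldap_conf_value() {
    awk -v key="$2" '
        toupper($1) == key && NF >= 2 {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the keyword
            sub(/[ \t\r]+$/, "", line)              # drop trailing blanks
            val = line
        }
        END { print val }' "$1"
}

check_ldap_tls() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    cacert=$(ldap_conf_value "$conf" TLS_CACERT)
    reqcert=$(ldap_conf_value "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')

    [ -n "$cacert" ] || { echo "TLS_CACERT is not set" >&2; return 1; }
    [ -r "$cacert" ] || { echo "cannot read CA file $cacert" >&2; return 2; }
    # A cert7.db/key3.db pair fails here: the OpenLDAP client expects PEM.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" ||
        { echo "$cacert is not a PEM certificate" >&2; return 3; }

    # "never" and "allow" let the session continue with an unverified server
    # certificate, which defeats the purpose of supplying the CA certificate.
    case $reqcert in
        never|allow) echo "TLS_REQCERT $reqcert disables verification" >&2; return 4 ;;
    esac
    return 0
}
```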
Comment #3
johnbarclay commented
Anything you can add to the documentation will help others. This is definitely the most painful part of ldap installs; connecting with the server over php. The documentation is wiki style so you can either edit it or add comments.
Comment #3.0
johnbarclay commented
Add more info
Comment #4
larowlan
no update for > 12 months - closing