
Re: Question about LDAP and SSL.

On Wednesday, 7 July 2010 23:26:50 Chris Jacobs wrote:
> Bryan,
> 
> The method of completing "Does openldap provide a mechanism that will
>  accomplish the same thing (automatic client cert acceptance)?" is to have
>  a real cert authority issue the cert.

That is not the only method, and there may be circumstances where a commercial 
CA is not suitable.

>  They're pretty nice about it even,
>  at least if you give them money.
> 
> I /highly/ recommend you read up on SSL certs, differences between
>  self-signed and purchased, etc.

All root CA certs are self-signed; the OP wasn't (necessarily) proposing 
self-signed certs. However, since he is not necessarily in control of the LDAP 
server configuration, his solution should cater to situations that may require 
the user of his solution to update the CA cert (e.g., commercial CA certificate 
rollover).

> Here's a hint: Self-Signed aren't trusted anywhere.  Most equipment,
>  browsers, etc, come with a list of trusted providers.

And, most good devices, browsers etc. allow you to update/add CA certificates.

Regards,
Buchan