shibboleth-dev - Re: beta idp: ldap with client cert
- From: Daniel Fisher <>
- Subject: Re: beta idp: ldap with client cert
- Date: Mon, 24 Sep 2007 18:38:18 -0400
- Organization: Virginia Tech
Ah...you're working on TLS + client auth.
I looked over the data connector xsd and the authenticationType property needs to be wired for the LdapDataConnector class.
So when that's fixed you'll be able to add 'authenticationType=EXTERNAL' to the data connector config.
The credentials are another matter.
I'm assuming you'd prefer for the config to accept two file paths, one for the cert and one for the key, where each file would be a PEM or DER encoded object.
I'll let Chad comment on whether he wants to support this type of setup.
--
Daniel Fisher
Jim Fox wrote:
It appears that client cert authentication to an ldap service
can be made to work for 2.0 with some property definitions in the
ldap resolver section, e.g.,
<LDAPProperty name="javax.net.ssl.trustStore" value="path_to_truststore" />
<LDAPProperty name="javax.net.ssl.trustStorePassword" value="store_pw" />
<LDAPProperty name="javax.net.ssl.keyStore" value="path_to_keystore" />
<LDAPProperty name="javax.net.ssl.keyStorePassword" value="store_pw" />
<LDAPProperty name="java.naming.security.authentication" value="EXTERNAL" />
I know these keystores are the Java way, but they aren't
the Shib way. I much preferred using Credential elements.
Jim
p.s. If I can use a <Credential ../> and normal cert and key
files for this someone please explain how.
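An added example (not code from this thread or from the Shibboleth IdP) of the per-connector alternative the two messages describe: building a JVM-local SSLContext for the SASL EXTERNAL bind from a cert file and a key file, so that no keystore path or keystore password has to go into JVM-wide javax.net.ssl.* properties, which every TLS connection in the IdP would otherwise share. The class and method names, the file paths and the key format (unencrypted DER PKCS#8 RSA) are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.net.ssl.*;

// Builds a per-connector SSLContext for an LDAP SASL EXTERNAL bind from a
// cert file and a key file, instead of the JVM-wide javax.net.ssl.* keystore
// properties. Assumed (hypothetical) inputs: a PEM or DER X.509 client cert,
// an unencrypted DER PKCS#8 RSA private key, and the LDAP server's CA cert.
public final class PemClientTls {

    private static Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return cf.generateCertificate(in);   // accepts PEM or DER input
        }
    }

    public static SSLContext build(String certPath, String keyPath, String caPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate clientCert = readCert(cf, certPath);
        Certificate caCert = readCert(cf, caPath);

        // DER PKCS#8 key; a PEM key would need its base64 body decoded first.
        byte[] keyDer = Files.readAllBytes(Paths.get(keyPath));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(keyDer));

        // In-memory key store: nothing written to disk, no store password in the resolver config.
        char[] pw = "in-memory-only".toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setKeyEntry("ldap-client", key, pw, new Certificate[] {clientCert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);

        // Trust only the LDAP server's CA, not the whole JVM default trust store.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("ldap-ca", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;   // ctx.getSocketFactory() is what the LDAP connection should use
    }
}
```

The resulting context is scoped to the one connector that built it, which is the property the JVM-wide trustStore/keyStore settings above cannot give you.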