[Setup] LDAP User Folder Certificate Configuration
Pumukel
Alexander.Loechel at unibw.de
Thu Jan 8 07:12:56 UTC 2009
Hello,
Plone is just straightforward in this area. It uses the system settings of
LDAP for CA support.
On normal Unix/Linux systems you have a /etc/ldap directory where you can
place a CA.pem and register it in ldap.conf; the line should look like:
TLS_CACERT /etc/ldap/CA.pem
or
TLS_REQCERT never
If you use buildout with openldap and python-ldap built in buildout, then the
path to the configuration directory is
/path/to/buildout/parts/openldap/etc/openldap
I use buildout parts like these for it:
> [openldap]
> recipe = zc.recipe.cmmi
> url = ftp://gd.tuwien.ac.at/infosys/network/OpenLDAP/openldap-stable/openldap-stable-20071118.tgz
> extra_options = --with-sasl --with-tls --enable-slapd=no
>
> [python-ldap]
> recipe = zc.recipe.egg:custom
> egg = python-ldap
> include-dirs = ${openldap:location}/include
> library-dirs = ${openldap:location}/lib
> rpath = ${openldap:location}/lib
>
> [ldap-settings]
> recipe = plone.recipe.command
> # ${config:CA-url} comes from a [config] section that is not shown here.
> # Each command has to stay on one line; a line break after "-O" would be
> # run as a separate shell command.
> command =
>     rm -f ${openldap:location}/etc/openldap/ldap.conf
>     rm -f ${openldap:location}/etc/openldap/CA.pem
>     wget -q ${config:CA-url} -O ${openldap:location}/etc/openldap/CA.pem
> update-command = ${ldap-settings:command}
>
> [ldap-conf-settings]
> recipe = collective.recipe.template
> input = ${buildout:directory}/templates/ldap.conf
> output = ${openldap:location}/etc/openldap/ldap.conf
>
Greetings, Pumukel
Alberto Lopes wrote:
>
> Dear friends,
>
> I am trying to set up an LDAP configuration for Plone, using the PloneLDAP
> product.
>
> I need to connect to an LDAP over SSL port, but to do that, I need Plone
> to validate the server certificate.
>
> I was not able to find out where to configure Plone to know which is the
> CA certificate to validate the server certificate; however, a guy in the
> python-ldap list gave me a hint to do a
> "ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')"
> command to set a "global" CA Cert file.
>
> I put that as the last command in site-packages/ldap/__init__.py file
> (stripping the "ldap." prefixes), and Plone was able to connect to the
> LDAP server (I was able to search users, etc.)
>
> My question is: is there a better or cleaner way or place to configure
> such a thing? Messing with the source code of a Python library seems a
> little wrong to me...
>
> Regards,
>
> Alberto
>
--
View this message in context: http://n2.nabble.com/LDAP-User-Folder-Certificate-Configuration-tp2123979p2126711.html
Sent from the Installation, Setup, Upgrades mailing list archive at Nabble.com.
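A per-connection alternative to patching ldap/__init__.py, added here as an example that is not from either poster: the same python-ldap option the python-ldap list suggested, set on the connection object together with a "demand" certificate requirement, so that the CA file is actually enforced. The paths and the URI are placeholders; the PEM check is a plain pre-flight that gives a clear error instead of libldap's "Can't contact LDAP server".

```python
"""Configure the CA bundle per python-ldap connection (added example)."""
import os

try:
    import ldap  # python-ldap, a wrapper around OpenLDAP's libldap
except ImportError:  # keep the module importable where python-ldap is absent
    ldap = None

# Placeholder: the buildout path from the thread, or /etc/ldap/CA.pem.
CA_FILE = "/path/to/buildout/parts/openldap/etc/openldap/CA.pem"

def count_pem_certs(data):
    """Return the number of PEM certificate blocks in `data`, or raise.

    A bundle with zero certificates (an HTML error page from wget, an empty
    file) would otherwise only show up as an opaque TLS failure later.
    """
    begins = data.count(b"-----BEGIN CERTIFICATE-----")
    ends = data.count(b"-----END CERTIFICATE-----")
    if begins == 0 or begins != ends:
        raise ValueError("not a PEM certificate bundle")
    return begins

def validate_ca_file(path):
    """Check that `path` exists and holds at least one PEM certificate."""
    if not os.path.isfile(path):
        raise FileNotFoundError("CA bundle missing: %s" % path)
    with open(path, "rb") as fh:
        count_pem_certs(fh.read())
    return path

def connect(uri, ca_file=CA_FILE):
    """Open an LDAP connection that verifies the server against `ca_file`."""
    conn = ldap.initialize(uri)
    # Options set on the connection object affect only this connection,
    # unlike ldap.set_option() or a global ldap.conf.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, validate_ca_file(ca_file))
    # "demand": refuse any server certificate that does not chain to the CA.
    # This is the opposite of the TLS_REQCERT never line in the reply above.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # With OpenLDAP 2.4+ the options only take effect in a fresh TLS context.
    if hasattr(ldap, "OPT_X_TLS_NEWCTX"):
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    # ldaps:// negotiates TLS on connect; plain ldap:// needs STARTTLS.
    if not uri.lower().startswith("ldaps://"):
        conn.start_tls_s()
    return conn
```

The same settings can also be supplied to libldap without any code through the environment of the Zope process (LDAPTLS_CACERT and LDAPTLS_REQCERT), which is what ldap.conf(5) documents as the variable form of the TLS_CACERT and TLS_REQCERT directives.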