[Setup] LDAP User Folder Certificate Configuration

Pumukel Alexander.Loechel at unibw.de
Thu Jan 8 07:12:56 UTC 2009


Hello,

Plone is just straightforward in this area. It uses the system's LDAP settings for
CA support.

On normal Unix/Linux systems you have a /etc/ldap directory where you can
place a CA.pem and register it in ldap.conf; the lines should look like:
TLS_CACERT      /etc/ldap/CA.pem
or 
TLS_REQCERT     never

If you use buildout with openldap and python-ldap built in buildout, then the
path to the configuration directory is
/path/to/buildout/parts/openldap/etc/openldap

I use a buildout part like this for it:


> [openldap]
> recipe = zc.recipe.cmmi
> url = ftp://gd.tuwien.ac.at/infosys/network/OpenLDAP/openldap-stable/openldap-stable-20071118.tgz
> extra_options = --with-sasl --with-tls --enable-slapd=no
>
> [python-ldap]
> recipe = zc.recipe.egg:custom
> egg = python-ldap
> include-dirs =
>     ${openldap:location}/include
> library-dirs =
>     ${openldap:location}/lib
> rpath =
>     ${openldap:location}/lib
>
> [ldap-settings]
> recipe = plone.recipe.command
> command =
>     rm -f    ${openldap:location}/etc/openldap/ldap.conf
>     rm -f    ${openldap:location}/etc/openldap/CA.pem
>     wget -q  ${config:CA-url}    -O ${openldap:location}/etc/openldap/CA.pem
> update-command = ${ldap-settings:command}
>
> [ldap-conf-settings]
> recipe = collective.recipe.template
> input = ${buildout:directory}/templates/ldap.conf
> output = ${openldap:location}/etc/openldap/ldap.conf
>

Greetings Pumukel


Alberto Lopes wrote:
> 
> Dear friends,
> 
> I am trying to set up an LDAP configuration for Plone, using the PloneLDAP
> product.
> 
> I need to connect to an LDAP over SSL port, but to do that, I need Plone
> to validate the server certificate. 
> 
> I was not able to find out where to configure Plone to know which is the
> CA certificate to validate the server certificate; however, a guy in the
> python-ldap list gave me a hint to do a
> "ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')"
> command to set a "global" CA Cert file.
> 
> I put that as the last command in site-packages/ldap/__init__.py file
> (stripping the "ldap." prefixes), and Plone was able to connect to the
> LDAP server (I was able to search users, etc.)
> 
> My question is: is there a better or cleaner way or place to configure
> such a thing? Messing with the source code for a python library seems a
> little wrong to me...
> 
> Regards,
> 
> Alberto
> 

-- 
View this message in context: http://n2.nabble.com/LDAP-User-Folder-Certificate-Configuration-tp2123979p2126711.html
Sent from the Installation, Setup, Upgrades mailing list archive at Nabble.com.
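As an added example (not code from either poster, and not part of the thread), the script below ties the two approaches together from a checking perspective: it parses an OpenLDAP client ldap.conf of the kind the collective.recipe.template part above writes, flags the `TLS_REQCERT never` variant (which switches off server certificate validation) beside the hardened form that pins a CA with `TLS_CACERT`, and shows the per-connection python-ldap option calls that achieve what Alberto did without editing site-packages/ldap/__init__.py. The URI, base DN and CA path in the sample configs are constructed values; `connect_with_ca` assumes python-ldap is installed and is the only part that needs it.

```python
"""Parse an OpenLDAP client ldap.conf and audit its TLS trust settings.

Added example, not part of the original thread. Assumes the standard
ldap.conf syntax (one "KEY value" per line, '#' comments, later lines win)
and the TLS_CACERT / TLS_REQCERT options discussed in the thread.
"""
import os

# Constructed sample: the weak variant from the thread (TLS_REQCERT never).
WEAK_CONF = """\
# ldap.conf with certificate checking disabled
URI     ldaps://ldap.example.test/
BASE    dc=example,dc=test
TLS_REQCERT     never
"""

# Constructed sample: the hardened variant, pinning the CA the buildout part fetched.
HARDENED_CONF = """\
# ldap.conf that validates the server against a pinned CA
URI     ldaps://ldap.example.test/
BASE    dc=example,dc=test
TLS_CACERT      /path/to/buildout/parts/openldap/etc/openldap/CA.pem
TLS_REQCERT     demand
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} from ldap.conf text.

    Option names are case-insensitive in libldap, so they are upper-cased here;
    the value keeps its case. A later occurrence of an option overrides an
    earlier one, which matches how libldap reads the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def audit_tls(conf, check_files=False):
    """Return a list of findings; an empty list means the client will verify
    the server certificate against a configured trust anchor.

    check_files=True additionally verifies that TLS_CACERT points at an
    existing file (useful right after the buildout 'ldap-settings' part ran).
    """
    findings = []
    # libldap's documented default for TLS_REQCERT is 'demand'; 'hard' is equivalent.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a missing certificate is silently accepted")
    cacert = conf.get("TLS_CACERT")
    cacertdir = conf.get("TLS_CACERTDIR")
    if not cacert and not cacertdir:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the server certificate")
    elif check_files and cacert and not os.path.isfile(cacert):
        findings.append("TLS_CACERT %s does not exist" % cacert)
    return findings


def connect_with_ca(uri, cafile):
    """Per-connection alternative to patching ldap/__init__.py (requires python-ldap).

    The CA file and the 'demand' policy are set on this connection object only;
    OPT_X_TLS_NEWCTX must be set last so libldap rebuilds its TLS context with
    the options above. Nothing is sent until the first bind/search.
    """
    import ldap  # deferred so the parser/audit helpers run without python-ldap

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    return conn


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)) or ["ok"])
```

Running the script against the two samples reports the missing trust anchor and the disabled verification for the weak file and nothing for the hardened one; pointing `parse_ldap_conf` at the real `parts/openldap/etc/openldap/ldap.conf` after `bin/buildout` (with `check_files=True`) confirms the CA.pem the `ldap-settings` part fetched is actually where ldap.conf says it is.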



