patch for ldap over SSL

Philippe Marzouk phil at ozigo.org
Thu Feb 1 23:06:54 CET 2007


Hi all,

I wanted to take advantage of an ldap server for user authentication
but, as others have already encountered, there was no support for SSL and I
needed it.

I attach a patch which adds support for SSL connections to the ldap
server. To activate the SSL layer, I added a new configuration parameter
in xwiki.cfg (xwiki.authentication.ldap.ssl) which has to be set to 1.
Of course the ldap port has to be changed too (to 636).

In order for the SSL connection to be established, the CA certificate
which delivered the SSL certificate of the ldap server must be added to
the trust store of the JSSE extension.

From the Sun JSSE documentation:
The search order for locating the trust store is:

    1) <java-home>/lib/security/jssecacerts, then
    2) <java-home>/lib/security/cacerts 

If the file jssecacerts exists, then cacerts is not consulted.


So in order to make it work you have to create a trust store named
jssecacerts with the following command and place it in the suitable
directory of the JRE or JDK used by your container:

keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts

(answer yes when asked if you want to trust the certificate)
I read on the web that the default password for cacerts is 'changeit', so I
used that; I have not yet tried another password for the trust store.

I believe that if the SSL certificate of the ldap server is self-signed you
need to import it instead of the CA, but I did not try.

The patch makes use of com.sun.net.ssl.internal.ssl.Provider as the hard
coded security provider; it should maybe be made a parameter for
people not running Sun JVMs.

I'm a newbie to xwiki, so don't hesitate to criticize the patch or give me
feedback.

Philippe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xwiki-ldap-ssl.patch
Type: text/x-diff
Size: 3047 bytes
Desc: not available
Url : http://lists.xwiki.org/pipermail/devs/attachments/20070201/49ec4239/attachment.bin 
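As an added example (this is not the attached patch and not XWiki's own code), the two halves of the procedure described in the message in Java: the trust-store import that the keytool command performs, done through the KeyStore API so the self-signed case (import the server certificate itself) and the CA case are the same call, and a JNDI bind that switches on SSL the way the xwiki.authentication.ldap.ssl=1 setting would, using the JVM's default SSL socket factory instead of a hard-coded com.sun.net.ssl.internal.ssl.Provider. The file names, host, bind DN, port and the refusal of empty passwords are assumptions made for the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example: build a jssecacerts trust store and bind to LDAP over SSL with JNDI. */
public class LdapsExample {

    /**
     * Equivalent of "keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts":
     * reads one X.509 certificate (PEM or DER) and stores it as a trusted entry. For a
     * self-signed LDAP server the same call imports the server certificate itself, since
     * there is no separate CA to trust.
     */
    static void importTrustedCert(String certFile, String alias, String storeFile, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File store = new File(storeFile);
        if (store.exists()) {
            try (InputStream in = new FileInputStream(store)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass);   // create a new, empty trust store
        }
        Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ks.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(store)) { ks.store(out, storePass); }
    }

    /** JNDI environment for an LDAP simple bind; ssl=true plays the role of xwiki.authentication.ldap.ssl=1. */
    static Hashtable<String, String> ldapEnv(String host, int port, String bindDn, String password, boolean ssl) {
        if (password == null || password.isEmpty()) {
            // A simple bind with an empty password is treated as an anonymous bind by most
            // directory servers, which would let any user name "authenticate". Refuse it.
            throw new IllegalArgumentException("empty password would be an anonymous bind");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (ssl ? "ldaps://" : "ldap://") + host + ":" + port);
        if (ssl) {
            // JNDI then opens the connection through the JVM's default SSLSocketFactory,
            // so no provider class has to be hard coded and non-Sun JVMs work unchanged.
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and credentials: cacert.crt is the CA (or self-signed server)
        // certificate, jssecacerts is written in the current directory, password from argv.
        String trustStore = "jssecacerts";
        char[] storePass = "changeit".toCharArray();
        importTrustedCert("cacert.crt", "ca", trustStore, storePass);

        // Point JSSE at the trust store explicitly rather than relying on the
        // <java-home>/lib/security/jssecacerts search order described above.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(storePass));

        String password = args.length > 0 ? args[0] : null;
        DirContext ctx = new InitialDirContext(ldapEnv("ldap.example.org", 636,
                "uid=alice,ou=people,dc=example,dc=org", password, true));
        try {
            System.out.println("bound over SSL as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `java LdapsExample <password>` on a host that can reach the directory on port 636; an untrusted server certificate surfaces as a javax.naming.CommunicationException wrapping an SSLHandshakeException, which is the symptom to expect when the CA has not been imported into the trust store the JVM actually consults.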