[xwiki-users] XWiki and LDAP TLS binding - xwiki-users@xwiki.org - lists.xwiki.org

List overview All Threads
Download

[xwiki-users] XWiki and LDAP TLS binding

[xwiki-users] Fwd: Pdf and...

[xwiki-users] Redirect from user...

Claude Lepere

21 Feb 2014 21 Feb '14

12:53 p.m.

Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère

Reply

Show replies by date

Pascal BASTIEN

21 Feb 21 Feb

2:48 p.m.

New subject: [xwiki-users] missing logo and png

Hello, I'm in trouble! On my tomcat server, I renamed my xwiki and reinstall the UI extension but all my png disappeared... Like this screeshot: http://picpaste.com/logodissapaer-K7ZxXib0.jpg Any ideas? NB: I refresh my cach Thxs Pascal B

Reply

Thomas Mortagne

4:26 p.m.

As far as I understand TLS and SSL are the same thing (at least in LDAP). You can setup which port to connect to using xwiki.authentication.ldap.port property in xwiki.cfg. On Fri, Feb 21, 2014 at 12:53 PM, Claude Lepere <claudelepere(a)gmail.com> wrote:

Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users

-- Thomas Mortagne

Reply

claude lepere

22 Feb 22 Feb

12:26 a.m.

Hi Thomas. Thank you for your quick answer. I'm sure not a LDAP expert but I think it is right to say that LDAP TLS (using StartTLS) and LDAP SSL offer quite the same security features, but StartTLS is the successor of LDAP over SSL (LDAPS) and is now recommended. My question concerns the client certificate: with a server demanding a client certificate, when I use a simple client such as ldapsearch with StartTLS, a file ldaprc or .ldaprc containing the directives TLS_CACERTDIR, TLS_CERT and TLS_KEY that give the path to the certs and the key is required, but when the client is XWiki I did not find how to give XWiki this info or where to place such a file. Can you help me? Thanks in advance. Claude Lepère -- View this message in context: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… Sent from the XWiki- Users mailing list archive at Nabble.com.

Reply

Pascal BASTIEN

1 Mar 1 Mar

12:14 p.m.

Hello, I used this method to authenticate on my LDAP TLS:SSL: http://jira.xwiki.org/browse/XWIKI-865 Pascal B ________________________________ De : Claude Lepere <claudelepere(a)gmail.com> À : users(a)xwiki.org Envoyé le : Vendredi 21 février 2014 12h53 Objet : [xwiki-users] XWiki and LDAP TLS binding Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users

Reply

claude lepere

4 Mar 4 Mar

12:22 a.m.

Hi all! Our LDAP server also requires the client his certificate (olcTLSVerifyClient = demand). As we are in Java on client side, we have to use a Java keystore (jks) containing the cert and the corresponding private key of the client (=XWiki). The way we found to give this info is in the Tomcat conf file /etc/default/tomcat7 adding -Djavax.net.ssl.keyStore=/path-to-jks -Djavax.net.ssl.keyStorePassword=changeit to JAVA_OPTS. Do you know other ways? Thank you for your answer. Claude Lepère On Sat, Mar 1, 2014 at 12:15 PM, PascalB [via XWiki] < ml-node+s475771n7589382h47(a)n2.nabble.com> wrote:

Hello, I used this method to authenticate on my LDAP TLS:SSL: http://jira.xwiki.org/browse/XWIKI-865 Pascal B ________________________________ De : Claude Lepere <[hidden email]<http://user/SendEmail.jtp?type=node&node=7589382&i=0>> À : [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=1> Envoyé le : Vendredi 21 février 2014 12h53 Objet : [xwiki-users] XWiki and LDAP TLS binding Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=2> http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=3> http://lists.xwiki.org/mailman/listinfo/users ------------------------------ If you reply to this email, your message will be added to the discussion below: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… To unsubscribe from XWiki and LDAP TLS binding, click here<http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=un… . NAML<http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=ma…

-- View this message in context: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… Sent from the XWiki- Users mailing list archive at Nabble.com.

Reply

Pascal BASTIEN

1:51 p.m.

Hello, I didn't modify my catalina.sh because I indicate my keystore file in my ./webapps/xwiki_5.4.1/WEB-INF/xwiki.cfg file #-# The keystore file to use in SSL connection xwiki.authentication.ldap.ssl.keystore=/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/jssecacerts Pascal B ________________________________ De : claude lepere <claudelepere(a)gmail.com> À : users(a)xwiki.org Envoyé le : Objet : Re: [xwiki-users] XWiki and LDAP TLS binding Hi all! Our LDAP server also requires the client his certificate (olcTLSVerifyClient = demand). As we are in Java on client side, we have to use a Java keystore (jks) containing the cert and the corresponding private key of the client (=XWiki). The way we found to give this info is in the Tomcat conf file /etc/default/tomcat7 adding -Djavax.net.ssl.keyStore=/path-to-jks -Djavax.net.ssl.keyStorePassword=changeit to JAVA_OPTS. Do you know other ways? Thank you for your answer. Claude Lepère On Sat, Mar 1, 2014 at 12:15 PM, PascalB [via XWiki] < ml-node+s475771n7589382h47(a)n2.nabble.com> wrote:

Hello, I used this method to authenticate on my LDAP TLS:SSL: http://jira.xwiki.org/browse/XWIKI-865 Pascal B ________________________________ De : Claude Lepere <[hidden email]<http://user/SendEmail.jtp?type=node&node=7589382&i=0>> À : [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=1> Envoyé le : Vendredi 21 février 2014 12h53 Objet : [xwiki-users] XWiki and LDAP TLS binding Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=2> http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=3> http://lists.xwiki.org/mailman/listinfo/users ------------------------------ If you reply to this email, your message will be added to the discussion below: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… To unsubscribe from XWiki and LDAP TLS binding, click here<http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=un… . NAML<http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=ma…

-- View this message in context: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… Sent from the XWiki- Users mailing list archive at Nabble.com. _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users

Reply

Claude Lepere

6 Mar 6 Mar

2:53 p.m.

Hello! I didn't find how to give directly to XWiki the keystore password in xwiki.cfg or somewhere else. I used the Tomcat Java options: -Djavax.net.ssl.keyStore=/path-to-jks -Djavax.net.ssl.keyStorePassword=<secret>. Without this workaround, XWiki did not send the client certificate required by the LDAP server. See http://jira.xwiki.org/browse/XWIKI-5674 and http://jira.xwiki.org/browse/XWIKI-9319. Thank you for the discussion. Claude Lepère On Tue, Mar 4, 2014 at 1:51 PM, Pascal BASTIEN <pbasnews-xwiki(a)yahoo.fr>wrote;wrote:

Hello, I didn't modify my catalina.sh because I indicate my keystore file in my ./webapps/xwiki_5.4.1/WEB-INF/xwiki.cfg file #-# The keystore file to use in SSL connection xwiki.authentication.ldap.ssl.keystore=/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/jssecacerts Pascal B ________________________________ De : claude lepere <claudelepere(a)gmail.com> À : users(a)xwiki.org Envoyé le : Objet : Re: [xwiki-users] XWiki and LDAP TLS binding Hi all! Our LDAP server also requires the client his certificate (olcTLSVerifyClient = demand). As we are in Java on client side, we have to use a Java keystore (jks) containing the cert and the corresponding private key of the client (=XWiki). The way we found to give this info is in the Tomcat conf file /etc/default/tomcat7 adding -Djavax.net.ssl.keyStore=/path-to-jks -Djavax.net.ssl.keyStorePassword=changeit to JAVA_OPTS. Do you know other ways? Thank you for your answer. Claude Lepère On Sat, Mar 1, 2014 at 12:15 PM, PascalB [via XWiki] < ml-node+s475771n7589382h47(a)n2.nabble.com> wrote:

Hello, I used this method to authenticate on my LDAP TLS:SSL: http://jira.xwiki.org/browse/XWIKI-865 Pascal B ________________________________ De : Claude Lepere <[hidden email]<

http://user/SendEmail.jtp?type=node&node=7589382&i=0>>

À : [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=1 Envoyé le : Vendredi 21 février 2014 12h53 Objet : [xwiki-users] XWiki and LDAP TLS binding Hi! Does XWiki support LDAP TLS binding (that means a ldap connection on port 389 and not a SSL ldaps connection on port 686) with both server and client (= XWiki) certificates? If so, how to set up that feature? Many thanks for your response. Claude Lepère _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=2> http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list [hidden email] <http://user/SendEmail.jtp?type=node&node=7589382&i=3> http://lists.xwiki.org/mailman/listinfo/users ------------------------------ If you reply to this email, your message will be added to the discussion below:

http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589…

To unsubscribe from XWiki and LDAP TLS binding, click here<

http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscrib…

. NAML<

http://xwiki.475771.n2.nabble.com/template/NamlServlet.jtp?macro=macro_view…

-- View this message in context: http://xwiki.475771.n2.nabble.com/XWiki-and-LDAP-TLS-binding-tp7589243p7589… Sent from the XWiki- Users mailing list archive at Nabble.com. _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users

Reply

3847

days inactive

3860

days old

xwiki-users@xwiki.org

Manage subscription

7 comments

4 participants

tags (0)

participants (4)

Claude Lepere
claude lepere
Pascal BASTIEN
Thomas Mortagne