...

ApacheDS 1.5.5 supports both options and requires a JDK 1.5 or above. The feature is enabled by default, but you may still need to configure it. There are a few steps to follow in order to obtain an SSL enabled server.

Note

In order to keep it simple for beginners, you don't need any certificate to get LDAPS working: the latest version generates its own self-signed certificate. From the user's point of view, it's just a matter of enabling the ldaps service to get it working.

However, if you want to use a signed certificate, additional configuration is needed, where you tell the server which keystore to use and the password that protects the certificate.

...

There is nothing to do but enable SSL and specify the port to use in the server.xml configuration file:

```xml
  ...
</bean>
  <ldapServer id="ldapServer"
            ...>
    <transports>
      ...
      <tcpTransport address="localhost" port="10636" enableSSL="true"/>
    </transports>
    ...
  </ldapServer>
```

...

That's it, the server is LDAPS capable!


Note

The default server.xml configuration file contains a typo: by default the LDAPS port is set to 10686 instead of 10636. Correct it before relying on the default configuration.

In case you want to use an external keystore

A certificate is a signed public key (normally signed by a third party, a certificate authority, CA).

...

Configuring ApacheDS to use this external keystore

Note: Changes from 1.5.0 to 1.5.5

This section uses the new configuration style introduced with ApacheDS 1.5.1; for older versions refer to the ApacheDS 1.0 Documentation.

Enabling SSL in Apache Directory Server and using the key pair created as above is quite easy. Simply put the keystore file in the conf directory of ApacheDS, point the server at it and enable ldaps. Here is the fragment from server.xml showing how to do so.

```xml
  ...
</bean>
  <ldapServer id="ldapServer"
              ...
              keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
              certificatePassword="secret">
    <transports>
      ...
      <tcpTransport address="localhost" port="10636" enableSSL="true"/>
    </transports>
    ...
  </ldapServer>
```

...

The following properties were used (the first two are attributes of the ldapServer element, the last two of the tcpTransport element):

| Property            | Element      | Default value | Description                                               |
| ------------------- | ------------ | ------------- | --------------------------------------------------------- |
| keystoreFile        | ldapServer   | none          | path of the X509 (or JKS) keystore file for LDAPS         |
| certificatePassword | ldapServer   | changeit      | password which is used to load the LDAPS certificate file |
| port                | tcpTransport | 10636         | LDAPS TCP/IP port number to listen to                     |
| enableSSL           | tcpTransport | true          | sets if SSL is enabled or not                             |

After modifying server.xml, the server has to be restarted for the change to take effect.
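As an added example (not code from the ApacheDS project or its documentation), the following Python script lints the LDAPS-relevant part of a server.xml such as the two fragments above. It reports the documented 10686 port typo, an ldapServer with no SSL-enabled tcpTransport, a keystoreFile that is missing on disk, and a certificatePassword left at the documented default changeit. The namespace URIs, the two sample fragments and the keystore path /opt/apacheds-1.5.5/conf/zanzibar.ks are constructed for the example.

```python
"""Lint the LDAPS part of an ApacheDS 1.5.x server.xml (added example).

Illustrative checker written for this page, not code from the ApacheDS
project.  It walks the <ldapServer>/<transports>/<tcpTransport> elements
and flags what a practitioner wants caught before restarting the server:
the 10686 port typo shipped in the default server.xml, a server with no
SSL-enabled transport, a keystoreFile that does not exist, and a
certificatePassword left at the documented default "changeit".
"""
import os
import xml.etree.ElementTree as ET

DOCUMENTED_LDAPS_PORT = 10636
TYPO_PORT = 10686                 # value found in the shipped server.xml
DEFAULT_CERT_PASSWORD = "changeit"


def _local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]


def check_ldaps_config(server_xml, keystore_exists=os.path.isfile):
    """Return a list of human-readable findings; an empty list means clean.

    keystore_exists is injectable so the check can run without a real file.
    """
    findings = []
    root = ET.fromstring(server_xml)
    servers = [e for e in root.iter() if _local(e.tag) == 'ldapServer']
    if not servers:
        return ['no <ldapServer> element found']
    for srv in servers:
        sid = srv.get('id', '?')
        keystore = srv.get('keystoreFile')
        password = srv.get('certificatePassword')
        if keystore is None:
            findings.append(f'{sid}: no keystoreFile, the server will generate '
                            f'a self-signed certificate')
        else:
            if not keystore_exists(keystore):
                findings.append(f'{sid}: keystoreFile {keystore!r} does not exist')
            if password in (None, DEFAULT_CERT_PASSWORD):
                findings.append(f'{sid}: certificatePassword missing or left at '
                                f'the default {DEFAULT_CERT_PASSWORD!r}')
        ssl_transports = [t for t in srv.iter()
                          if _local(t.tag) == 'tcpTransport'
                          and t.get('enableSSL', 'false').lower() == 'true']
        if not ssl_transports:
            findings.append(f'{sid}: no tcpTransport with enableSSL="true", '
                            f'LDAPS is not enabled')
        for t in ssl_transports:
            port = int(t.get('port', '0'))
            if port == TYPO_PORT:
                findings.append(f'{sid}: port {TYPO_PORT} is the known server.xml '
                                f'typo, expected {DOCUMENTED_LDAPS_PORT}')
            elif port != DOCUMENTED_LDAPS_PORT:
                findings.append(f'{sid}: LDAPS port is {port}, the documented '
                                f'port is {DOCUMENTED_LDAPS_PORT}')
    return findings


# Constructed sample (namespaces assumed): the out-of-the-box shape with the
# port typo and no keystore, so the generated self-signed certificate is used.
WEAK_XML = """<spring:beans xmlns="http://apacheds.org/config/1.0"
              xmlns:spring="http://xbean.apache.org/schemas/spring/1.0">
  <ldapServer id="ldapServer">
    <transports>
      <tcpTransport address="localhost" port="10389"/>
      <tcpTransport address="localhost" port="10686" enableSSL="true"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </ldapServer>
</spring:beans>
"""

# Constructed sample: corrected port plus an external keystore (path assumed).
FIXED_XML = """<spring:beans xmlns="http://apacheds.org/config/1.0"
              xmlns:spring="http://xbean.apache.org/schemas/spring/1.0">
  <ldapServer id="ldapServer"
              keystoreFile="/opt/apacheds-1.5.5/conf/zanzibar.ks"
              certificatePassword="secret">
    <transports>
      <tcpTransport address="localhost" port="10389"/>
      <tcpTransport address="localhost" port="10636" enableSSL="true"/>
    </transports>
    <directoryService>#directoryService</directoryService>
  </ldapServer>
</spring:beans>
"""

if __name__ == '__main__':
    for name, xml_text in (('weak', WEAK_XML), ('fixed', FIXED_XML)):
        print(f'--- {name} ---')
        for finding in check_ldaps_config(xml_text) or ['no findings']:
            print(' ', finding)
```

Run it against a real file with `check_ldaps_config(open('conf/server.xml').read())`; the default keystore_exists then checks the path on disk, so run it on the server host.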

...

Because our self-signed certificate is not signed by a trusted CA, many tools will present a warning (as Studio currently does in version 1.5.0). You will likely be able to view the certificate and decide to continue (accepting the certificate always or for this session only), as with web browsers. Before accepting it permanently, compare its fingerprint with the one of the certificate the server actually holds; otherwise the dialog cannot distinguish your server from an interposed one.
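Rather than accepting an unknown certificate in a dialog, a practitioner can pin it. The following Python script is an added example, not part of ApacheDS or Apache Directory Studio: it fetches the certificate the LDAPS listener presents on first contact, prints its SHA-256 fingerprint for comparison with the value obtained on the server side (for an external keystore, keytool -list -v on that keystore), and then connects again trusting only that certificate. Host, port and the expected fingerprint are command-line arguments; the hostname check is deliberately disabled because the pin, not the subject name, identifies the server.

```python
"""Pin the LDAPS certificate instead of blindly accepting it (added example).

Illustrative code written for this page; it is not part of ApacheDS or
Apache Directory Studio.  First contact fetches the server certificate
without verification, only to learn its fingerprint.  That fingerprint is
compared with one obtained out of band, and every further connection trusts
exactly that certificate and nothing else.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint_sha256(der_cert):
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    in the format keytool and openssl print."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(a, b):
    """Compare two SHA-256 fingerprints ignoring case and separators."""
    def norm(s):
        return ''.join(ch for ch in s.upper() if ch in '0123456789ABCDEF')
    return len(norm(a)) == 64 and norm(a) == norm(b)


def fetch_certificate_pem(host, port):
    """First contact only: return the server's leaf certificate as PEM.
    Nothing is verified here, so never send credentials on this path."""
    return ssl.get_server_certificate((host, port))


def pinned_context(pem_cert):
    """A context that trusts only the given certificate.  A self-signed
    certificate is its own CA, so loading it as the sole trust anchor works."""
    ctx = ssl.create_default_context()
    # The pin identifies the server; the generated certificate's subject is
    # not expected to match the hostname we connect to.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=pem_cert)
    return ctx


def connect_pinned(host, port, expected_fingerprint):
    """Check the pin, then open a TLS connection trusting only that
    certificate.  Returns (negotiated protocol version, fingerprint)."""
    pem = fetch_certificate_pem(host, port)
    fp = fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem))
    if not fingerprints_match(fp, expected_fingerprint):
        raise ssl.SSLCertVerificationError(
            f'LDAPS certificate fingerprint {fp} does not match the expected value')
    ctx = pinned_context(pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # Handshake completed: the presented chain validated against the pin.
            return tls.version(), fp


if __name__ == '__main__':
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        der = ssl.PEM_cert_to_DER_cert(fetch_certificate_pem(host, port))
        print('first contact, UNVERIFIED fingerprint:', fingerprint_sha256(der))
    elif len(sys.argv) == 4:
        host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        print('connected with', *connect_pinned(host, port, expected))
    else:
        sys.exit('usage: ldaps_pin.py HOST PORT [EXPECTED_SHA256_FINGERPRINT]')
```

Run it once with only host and port (for this page's configuration, localhost 10636) to see the fingerprint, confirm that value against the server, then run it a second time with the fingerprint as the third argument; a mismatch raises before any application data is sent.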

...