Fri, 12 Jun 2020 at 17:14, James Stocks <jamesstocks@xxxxxxxxxxxxxxx>:
>
> We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2 web server. We are using the Debian 10 Apache2 package, version 2.4.38. Our authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.
>
> Apache connects to ldap.google.com, however it does not appear to successfully negotiate a TLS connection. As a workaround, we have set up stunnel4 to handle the TLS session and configured Apache to use stunnel. Apache is able to successfully authenticate using plain LDAP through the TLS tunnel. We have also successfully connected to the LDAP endpoint using ldapsearch.
> [...]
>
> Can anyone tell me whether SNI support is available in mod_ldap and if so how do I activate it?
>

Just sharing a few pointers that I found:

1. Documentation for mod_ldap says that "SSL/TLS support is dependent on which LDAP toolkit has been linked to APR. As of this writing, APR-util supports: ..." and lists 5 different implementations.

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html

2. Assuming that the implementation that you are dealing with is OpenLDAP, a quick search finds the following item in their Bugzilla (and on their mailing list):

https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html
https://bugs.openldap.org/show_bug.cgi?id=9176
"(ITS#9176) libldap support for TLSv1.3 Encrypted SNI"

It was implemented a month ago, but apparently it is targeted for the next major version (2.5.0) and is not part of the current 2.4.50 release of OpenLDAP.

https://git.openldap.org/openldap/openldap/-/commit/5c0efb9ce83db383631ce79e8f246d73c33b9ab3
https://git.openldap.org/openldap/openldap/-/commit/e96f90e21229f9d83129db0da017e0fe5a0a27c8

Thus I guess that the answer to your question is "not yet".
Best regards,
Konstantin Kolinko
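The stunnel4 workaround described in the quoted question, written out as an added example (it is not configuration posted by either participant). It runs a client-mode tunnel that accepts plain LDAP on loopback and opens an LDAPS connection with an explicit SNI name to the provider. The service name, the loopback port 1636, the upstream port 636, the CA bundle path and the client certificate paths are all assumptions; adjust them to the real deployment.

```ini
; stunnel4 client-mode tunnel: plain LDAP on 127.0.0.1:1636 -> TLS with SNI to ldap.google.com:636
; Added example; the service name, ports and file paths below are assumptions.
foreground = no
pid = /var/run/stunnel4/ldap-sni.pid
setuid = stunnel4
setgid = stunnel4

[ldap-sni]
client = yes
; Apache's mod_authnz_ldap talks plain LDAP to this loopback address only.
accept = 127.0.0.1:1636
connect = ldap.google.com:636
; Send the server name in the TLS ClientHello (the part mod_ldap cannot do yet).
sni = ldap.google.com
; Verify the provider's certificate chain and hostname, so that moving TLS out of
; Apache does not silently turn into an unverified connection.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
; If the LDAP provider authenticates clients with a certificate, present it here
; (placeholder paths).
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key
```

On the Apache side, point `AuthLDAPURL` at `ldap://127.0.0.1:1636/...` rather than at the provider, and keep `accept` bound to loopback: the leg between Apache and stunnel is unencrypted, so it must never be reachable from another host. Since stunnel is now the only component that sees the provider's certificate, `verifyChain` and `checkHost` are what stand in for the verification Apache would otherwise perform with `LDAPVerifyServerCert`.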