Closed AndreeaChi closed 1 year ago
Note that from what I see in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine (meaning the fix would be to move the default from "com.sun.net.ssl.internal.ssl.Provider" to not setting it at all). That would make it something to do on the generic LDAP authenticator side instead of the AD authenticator (but I guess there is some UI to remove to make things simpler in the AD application). To be tested.
Reported https://jira.xwiki.org/browse/LDAP-120.
Will test "Add the possibility to not set the xwiki.authentication.ldap.ssl.secure_provider (the default value is "com.sun.net.ssl.internal.ssl.Provider") as in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine."
https://jira.xwiki.org/browse/LDAP-120 has been included with the upgrade to LDAP 9.11.0 in https://github.com/xwikisas/application-activedirectory/commit/38c3894f19394919134c84efdbc04354e94df0a2, so there is no need to fill in the provider anymore.
For the path to the SSL trust store, the idea of the issue was to avoid situations when this is filled in incorrectly, but I think that trying to provide a value could be more confusing, or even redundant. According to https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager , JSSE already tries to find the certificate in one of the default locations (jssecacerts, then cacerts) in case another location was not specified, so there is no need to define other defaults. What I propose is to update the documentation on the store about this and point also to https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases#HUseLDAPoverSSL28ldapsauthentication29 , since additional configurations might be needed indeed.
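The trust store lookup order described in the comment above can be checked on the server's own JVM before enabling LDAPS. The following is an added example, not code from this thread or from the XWiki project; the class name `TrustStoreCheck` and the optional command-line argument (a fragment of the subject of the CA that signed the directory server's certificate) are assumptions made for illustration.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic class: reports which trust store JSSE will use and what it trusts.
public class TrustStoreCheck {

    /** Follows the JSSE lookup order: explicit property, then jssecacerts, then cacerts. */
    static File resolveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null && !explicit.isEmpty()) {
            return new File(explicit);
        }
        File securityDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jssecacerts = new File(securityDir, "jssecacerts");
        return jssecacerts.isFile() ? jssecacerts : new File(securityDir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File store = resolveTrustStore();
        // A wrong explicit path is not replaced by the defaults: JSSE then trusts nothing.
        System.out.println("Trust store: " + store + (store.isFile() ? "" : " (file not found)"));

        // Initialising with a null KeyStore loads the JVM's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        String wanted = args.length > 0 ? args[0] : null; // e.g. part of the CA subject DN
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
            System.out.println("Trusted CA certificates: " + issuers.length);
            for (X509Certificate ca : issuers) {
                String subject = ca.getSubjectX500Principal().getName();
                if (wanted != null && subject.contains(wanted)) {
                    System.out.println("Match: " + subject);
                }
            }
        }
    }
}
```

Run it with the same JVM and the same `-Djavax.net.ssl.trustStore` options as the servlet container; a count of 0 or no match for the directory server's CA means the LDAPS handshake will fail certificate validation.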
Documentation updated at https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication#documentation
Is it possible when trying to use LDAPS with the Active Directory extension to identify the Path to SSL Keystore and the SSL Source Provider?
The benefit would be to avoid situations when the path or the source is completed incorrectly.