Hi,
To work with secure LDAP, the following stuff is required:
1. Server must be running with certificates installed on the server. Check the TLS options in slapd.conf.
2. The CA certificate must be present on the client side, which can verify the server certificate during the SSL handshake.
3. If the server has an intermediate certificate, then the client must have all the intermediate CA certificates to verify the server certificate.
Now point 1, how to install the server on the secure port, i.e. 636: for example, an OpenLDAP server slapd.conf must have the following TLS directives:
TLSCertificateFile /root/Digambar/intermediate_try/userCert.pem
TLSCertificateKeyFile /root/Digambar/intermediate_try/new.cert.key
TLSCACertificateFile /root/Digambar/intermediate_try/cacert.pem
Use the following to create the CA and server certificates:
A. Create the CA: /usr/share/ssl/misc/CA -newca
B. To create the server cert request: openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
C. To sign the server cert: /usr/share/ssl/misc/CA -sign
Start the server as: /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
This will start secure LDAP.
Now, to verify that the above stuff is working, try the following from some other host:
i. Copy the CA certificate file to the host.
ii. Edit /etc/ldap.conf and set TLS_CACERT to the CA cert path.
iii. Try with: ldapsearch -x -H ldaps://server-FQDN-hostname:636 -b "dc=my-domain,dc=com" "(&(uid=testadmin1)(objectClass=inetOrgPerson))"
If this goes through, then it will indicate that the server is installed properly.
++++++++++++++++++++++++++++++++++++++
Now try to do ldapsearch using a C program:
#include <ldap.h>
LDAP *pLdapObj = NULL;
int ldapversion = LDAP_VERSION3, stTimeLimit = 30, LdapSizeLimit = 100; // search time limit (s) and size limit (entries); example values
struct timeval stTimeoutVal = { 30, 0 }; // network timeout: 30 seconds (example value)
const char *aucServerCertFileName = "/path/to/cacert.pem"; // path of the CA certificate file copied to the client side
ldap_initialize(&pLdapObj, "ldaps://server-FQDN-hostname:636");
ldap_set_option(pLdapObj, LDAP_OPT_PROTOCOL_VERSION, &ldapversion);
ldap_set_option(pLdapObj, LDAP_OPT_NETWORK_TIMEOUT, &stTimeoutVal);
ldap_set_option(pLdapObj, LDAP_OPT_TIMELIMIT, &stTimeLimit);
ldap_set_option(pLdapObj, LDAP_OPT_SIZELIMIT, &LdapSizeLimit);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, aucServerCertFileName); // global option (NULL handle): the CA certificate file path copied to the client; must be set before the first operation opens the TLS connection
// After this try whatever operation you want, like ldap_search or ldap_bind etc.
Let me know if you want help somewhere.
Thanks,
Digambar Sawant
On 4/2/08, Arkady Shoyhet Arkady.Shoyhet@aladdin.com wrote:
Hi,
I have to implement SSL LDAP communication using standard LDAP C API.
I have Linux version 2.4.21-20.EL, openldap 2.3.41 and OPENSSL-0.9.8G.
Can you reference me to some code examples?
Thanks in advance,
Arkady Shoyhet