Bryan,

Please reply-to-all. :)

Moving on: I'm NOT a dev (I'm a sysadmin), but my take is:

1) Use OpenSSL libraries to see if the cert is 'trusted' by the local OS (signed by a trusted CA - whether by an internal CA or an external CA). If a non-linux based client, then you'll need to explore other options (Windows has its own mechanism for example).
2) If not, and user responds with 'trust this cert' then you'll need to add the cert to whatever your app uses (whether a cert file it manages, or the local OS - it's up to how you write it). My take: if it's not already trusted by the local cert library (managed per OS install) then use a single file managed by your app. Or, add it to the list of locally trusted CAs, but I don't think that's a great idea. Perhaps it's not trusted by design? Perhaps your app won't have permission? That can turn into a support nightmare...

As for OpenSUSE, perhaps its ldap.conf doesn't specify to require a trusted cert... I don't know - never used it.

I do not believe there is an OpenLDAP library/API/etc to handle untrusted certs and make them trusted.

I recommend you play around with getting an OS to trust a CA you create to see how this works. Then see what it takes to get that OS to use the OpenLDAP server for auth. You'll learn quite a bit... Course, the source code may be more enlightening - but I'm not a dev. Bash or PERL is more my style :p.

Warning: there are two ldap.conf files in most linux distros:
/etc/ldap.conf : used by PAM
/etc/openldap/ldap.conf : used by OpenLDAP tools. Primarily on OpenLDAP servers (whether masters or slaves - now referred to as providers and consumers).

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
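An added walkthrough of steps 1 and 2 above (example code, not part of this thread or of OpenLDAP): it uses only the openssl CLI, so it runs offline without an LDAP server. A throw-away CA stands in for the OS trust store, app_trust.pem is the app-managed file Chris suggests, and every host name and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. It walks through the trust check
# Chris describes using nothing but the openssl CLI: a throw-away CA stands in
# for the OS trust store and app_trust.pem is the app-managed file he suggests.
# Every host name and file name here is constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

# selfsigned NAME CN : self-signed cert NAME.pem with private key NAME.key
selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# is_trusted CERT TRUSTFILE : succeeds only if CERT chains to an anchor in TRUSTFILE
is_trusted() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# check_server CERT DECISION : DECISION (y/n) is what the UI prompt would return
# for a cert that is not yet trusted; on 'y' the cert is pinned into app_trust.pem.
check_server() {
  if is_trusted "$1" app_trust.pem; then
    echo "$1: already trusted, no prompt needed"; return 0
  fi
  # What the prompt must show the user: subject and SHA-256 fingerprint.
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
  case "$2" in
    y|Y) cat "$1" >>app_trust.pem; echo "$1: accepted, stored in app_trust.pem" ;;
    *)   echo "$1: rejected"; return 1 ;;
  esac
}

# Stand-in for the OS trust store: one internal CA, which the app trusts from the start.
selfsigned os_ca "Demo internal CA"
cp os_ca.pem app_trust.pem
# Server A: cert issued by that CA (Chris's case 1: trusted as-is).
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap-corp.test" \
  -keyout corp.key -out corp.csr 2>/dev/null
openssl x509 -req -in corp.csr -CA os_ca.pem -CAkey os_ca.key -CAcreateserial \
  -days 1 -out corp.pem 2>/dev/null
# Server B: self-signed cert nobody trusts yet (the LDAPEditor-style prompt case).
selfsigned lab "ldap-lab.test"

check_server corp.pem n   # trusted via the CA, no prompt
check_server lab.pem y    # prompt shown; user accepts, cert pinned for next time
```

Note that `openssl verify -CAfile` still consults the default CA directory as well; on OpenSSL 1.1 and later add `-no-CApath` if the check should consult the app-managed file alone.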


From: Bryan Boone <v_1bboon@yahoo.com>
To: Chris Jacobs
Sent: Mon Jul 12 20:23:18 2010
Subject: Re: Another question about LDAP over SSL

Hi Chris thanks for the reply.

Here is my problem.

I have two LDAP browsers that I am testing on a PC. One is called JXplorer and the other is called LDAPEditor. You've probably heard of JXplorer, but LDAPEditor is old and probably out of support.

Anyway, with JXplorer you have to manually transfer the SSL cert and load it into the program before you can connect to LDAP over SSL.

When I use LDAPEditor to connect to my openLDAP server via SSL, the program prompts me to accept the server cert. I do not have to manually upload the cert into the program.

So my question is...

How do I accomplish this in the client I am writing? How can I use the openLDAP library to prompt a customer that asks them if they want to accept the server cert or not?

Does this make sense?

Also built into OpenSUSE is an LDAP browser. It gives the option to connect to LDAP over SSL as well. On this one you do not have to manually load the cert beforehand.

thanks

From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "v_1bboon@yahoo.com" <v_1bboon@yahoo.com>; "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Mon, July 12, 2010 7:26:54 PM
Subject: Re: Another question about LDAP over SSL

This really is a basic 'cert' issue.

There's a ton of non-openldap coverage of this topic (self-signed and CA purchased certs).

In a nutshell, you'll need to provide a way for your customers to use a cert of their choosing, and let them sort out how to get their clients to trust the signer of that cert.

- chris



From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Mon Jul 12 19:20:58 2010
Subject: Another question about LDAP over SSL

Hi everyone.  I have another "duh" question.

I am writing software for a proprietary piece of hardware. I will be using the C libraries for openldap. I need to write some functions for LDAP so that the UI of the software has the option to authenticate a user via LDAP and LDAP over SSL. Basically it will just act like a client that will Simple Bind to the LDAP server for authentication.

I followed the instructions on the website to generate the SSL certs.

My question is, on the website above it says....

"You must also install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:"

Does this mean I need to provide a way for the customer to manually transfer his/her CA cert to the proprietary hardware, if they want to use LDAP over SSL??? Or when I use the Start TLS function, do the certs automatically get transferred behind the scenes?

thanks

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.