So I will try once more.
I have successfully set up an openldap server using TLS.
I generated self-signed certs using http://www.openldap.org/faq/data/cache/185.html
I have successfully set up a client computer on a different computer than the server.
I copied the cacert.pem to my client computer.
I can successfully run ldapsearch with the -ZZ option on the client PC.
Now I want to write a client program in C that I can put on any PC, that will automatically download cacert.pem from the openldap server, and prompt a user to accept or reject the cacert.pem. If they accept it, I want to store the cert in the /etc/ssl/certs directory. If they do not accept the cert, I want to stop the connection. How do I accomplish this? I don't see any openldap functions that help me do this.
Bryan Boone v_1bboon@yahoo.com writes (original message quoted above):
This task is not LDAP-related. You may either use scp or rsync. If you want to create your own C program, have a look at libcurl(3).
-Dieter
Dieter's correct (no surprise).
Your question only tangentially touches openldap - and only for getting the cert the openldap server happens to be configured to use onto clients.
What you appear to be looking for might be available from openssl.
Frankly, this could be written in bash using the openssl command. No C necessary.
You /really/ should read up on ssl - openssl specifically.
Also: IIRC, you originally wanted the cert to simply be trusted OS wide. For that, you need to distribute the cert's /signing CA cert/ to each OS - and they're all going to do it differently (I'm astonished this is still the case) - likely even between versions.
Good luck, - chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu
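The script below is an added example of what Chris suggests (bash plus the openssl command); it is not code from this thread, from OpenLDAP or from OpenSSL. It fetches the chain the LDAP server presents, takes the last certificate (the CA cert, when the server is configured to send it, or the server's own cert when that cert is self-signed), shows its SHA-256 fingerprint, and installs it into /etc/ssl/certs only if it matches a fingerprint the administrator published out of band. The interactive prompt Bryan asked for is kept as a fallback, but note what it can and cannot establish: a user who has nothing to compare the fingerprint against is only confirming that some certificate arrived, which is exactly what an on-path party could present, so the fingerprint argument is the mode to use in practice. Assumptions of mine: ldaps on 636 or STARTTLS on 389 (the latter needs OpenSSL 1.1.1 or newer for `-starttls ldap`), a Debian-style /etc/ssl/certs hashed directory, and the function and argument names, which are not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/OpenSSL.
# Fetch an LDAP server's certificate chain, fingerprint the last certificate
# in it, and install it into the trust directory only when it matches the
# fingerprint the administrator published out of band (or, failing that,
# when an operator explicitly confirms it). Assumes OpenSSL >= 1.1.1 for
# "-starttls ldap" and a Debian-style /etc/ssl/certs layout.
set -eu

# Retrieve the presented chain as PEM on stdout. The handshake is deliberately
# unverified: this step only collects bytes and never decides trust.
fetch_server_chain() {  # host port
    if [ "$2" = 389 ]; then starttls="-starttls ldap"; else starttls=""; fi
    # shellcheck disable=SC2086
    openssl s_client -connect "$1:$2" $starttls -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Keep only the last certificate of a PEM chain read from stdin.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }'
}

# SHA-256 fingerprint (colon-separated hex) of the PEM certificate on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Exact comparison against the published fingerprint. Colons, spaces and
# letter case are normalised; an empty value never matches anything.
fingerprint_matches() {  # actual expected
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    e=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$e" ]
}

# Interactive fallback when no fingerprint was supplied: the operator is shown
# the value and must compare it with one obtained through another channel.
confirm_fingerprint() {  # fingerprint
    printf 'Certificate SHA-256 fingerprint:\n  %s\n' "$1"
    printf 'Compare it with the value published by your LDAP administrator.\n'
    printf 'Trust this certificate? [y/N] '
    read -r answer
    case "$answer" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# Copy an accepted certificate into the trust directory and rebuild the hash
# links OpenSSL needs to find it there (TLS_CACERTDIR lookups). Needs write
# access to the directory; CERT_DIR overrides the default for testing.
install_ca_cert() {  # pemfile name
    dest=${CERT_DIR:-/etc/ssl/certs}
    cp "$1" "$dest/$2.pem"
    chmod 0644 "$dest/$2.pem"
    openssl rehash "$dest" 2>/dev/null || c_rehash "$dest" >/dev/null
}

main() {  # host [port] [expected-fingerprint]
    host=$1; port=${2:-636}; expected=${3:-}
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    fetch_server_chain "$host" "$port" | last_cert > "$tmp"
    [ -s "$tmp" ] || { echo "no certificate received from $host:$port" >&2; exit 1; }
    fp=$(cert_fingerprint < "$tmp")
    if [ -n "$expected" ]; then
        fingerprint_matches "$fp" "$expected" \
            || { echo "fingerprint mismatch for $host, refusing to trust it" >&2; exit 1; }
    else
        confirm_fingerprint "$fp" \
            || { echo "certificate rejected, nothing installed" >&2; exit 1; }
    fi
    install_ca_cert "$tmp" "ldap-$host"
    echo "installed CA certificate for $host with fingerprint $fp"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root with `sh fetch-ldap-ca.sh ldap.example.com 636 <expected-fingerprint>`, then point `TLS_CACERTDIR /etc/ssl/certs` (or `TLS_CACERT /etc/ssl/certs/ldap-ldap.example.com.pem`) in ldap.conf at the result; `ldapsearch -ZZ` should now verify without the copied cacert.pem. The rehash step matters because OpenSSL finds certificates in a directory by subject-hash symlink, not by file name, so a plain copy into /etc/ssl/certs is not enough on its own.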
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Thu Jul 29 23:38:24 2010
Subject: Re: Hmm. No one seems to be able to answer my question about SSL connections
[Dieter Klünter's reply, quoted above.]
-- Dieter Klünter | Systemberatung | sip: 7770535@sipgate.de | http://www.dpunkt.de/buecher/2104.html | GPG Key ID: 8EF7B6C6