Hi Team,
We are developing an LDAP client in our application. For this we are using OpenLDAP software. One of our requirements is to support either LDAP or LDAPS (LDAP/TLS), based on the end-user input at runtime. So, in our application we should have support for both LDAP & LDAPS APIs, and we would be calling the LDAPS API (ldap_tls_start_s) based on this runtime configuration; otherwise the normal LDAP API would be called.
ISSUE: We are able to integrate OpenLDAP with our application and achieve the LDAP or LDAP/TLS requirement separately. Since the support for TLS in OpenLDAP is macro controlled (HAVE_TLS), it is decided at compile time itself whether LDAP or LDAPS is used, and we are not able to take this decision at run-time. If we compile the OpenLDAP software with HAVE_TLS and use it for a normal ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL without any encryption, but not as a normal LDAP message.
So, we understand that to achieve our requirement, we would either be required to change the macro control of TLS to run-time control in the OpenLDAP code (but we would prefer not to do this, for maintainability purposes), or try to use 2 OpenLDAP libraries, one compiled with HAVE_TLS and another without HAVE_TLS, and take care on the application side to call the respective API without causing any resolution issue.
Can you please suggest whether there is any other approach currently available in OpenLDAP to support both LDAP and LDAP/TLS at the same time.
Regards, G Gokul
Hi Team,
Can you please look into this query.
Regards, G Gokul
On Sun, Mar 25, 2018 at 4:29 PM, GOKUL G g.gokul1991@gmail.com wrote:
Hi Team,
We are developing an LDAP client in our application. For this we are using OpenLDAP software. One of our requirements is to support either LDAP or LDAPS (LDAP/TLS), based on the end-user input at runtime. So, in our application we should have support for both LDAP & LDAPS APIs, and we would be calling the LDAPS API (ldap_tls_start_s) based on this runtime configuration; otherwise the normal LDAP API would be called.
ISSUE: We are able to integrate OpenLDAP with our application and achieve the LDAP or LDAP/TLS requirement separately. Since the support for TLS in OpenLDAP is macro controlled (HAVE_TLS), it is decided at compile time itself whether LDAP or LDAPS is used, and we are not able to take this decision at run-time. If we compile the OpenLDAP software with HAVE_TLS and use it for a normal ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL without any encryption, but not as a normal LDAP message.
So, we understand that to achieve our requirement, we would either be required to change the macro control of TLS to run-time control in the OpenLDAP code (but we would prefer not to do this, for maintainability purposes), or try to use 2 OpenLDAP libraries, one compiled with HAVE_TLS and another without HAVE_TLS, and take care on the application side to call the respective API without causing any resolution issue.
Can you please suggest whether there is any other approach currently available in OpenLDAP to support both LDAP and LDAP/TLS at the same time.
Regards, G Gokul
--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G g.gokul1991@gmail.com wrote:
ISSUE: We are able to integrate OpenLDAP with our application and achieve the LDAP or LDAP/TLS requirement separately. Since the support for TLS in OpenLDAP is macro controlled (HAVE_TLS), it is decided at compile time itself whether LDAP or LDAPS is used, and we are not able to take this decision at run-time. If we compile the OpenLDAP software with HAVE_TLS and use it for a normal ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL without any encryption, but not as a normal LDAP message.
You appear to be misunderstanding something if you believe you require two different library builds. Clearly all of the existing C-based clients can do plaintext (ldap) with a library where TLS support is enabled (note: NOT required).
I would also note there is much more to TLS encryption with LDAP than you've noted.
There are two methods of doing TLS encryption. One uses the RFC STARTTLS method, the other uses a TLS dedicated port (defaults to 443) using the non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application, to support all of the above with the OpenLDAP C API compiled with HAVE_TLS. If you are unable to do this, you're misusing the API and/or do not understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
  No?  -> Use ldap:/// without the startTLS control
  Yes? -> Do they want to use ldaps or startTLS?
            startTLS -> Use ldap with the startTLS control
            ldaps    -> use ldaps
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Wed, Mar 28, 2018 at 09:15:51PM BST, Quanah Gibson-Mount wrote:
--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G g.gokul1991@gmail.com wrote:
ISSUE: We are able to integrate OpenLDAP with our application and achieve the LDAP or LDAP/TLS requirement separately. Since the support for TLS in OpenLDAP is macro controlled (HAVE_TLS), it is decided at compile time itself whether LDAP or LDAPS is used, and we are not able to take this decision at run-time. If we compile the OpenLDAP software with HAVE_TLS and use it for a normal ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL without any encryption, but not as a normal LDAP message.
You appear to be misunderstanding something if you believe you require two different library builds. Clearly all of the existing C-based clients can do plaintext (ldap) with a library where TLS support is enabled (note: NOT required).
I would also note there is much more to TLS encryption with LDAP than you've noted.
There are two methods of doing TLS encryption. One uses the RFC STARTTLS method, the other uses a TLS dedicated port (defaults to 443) using the
^^^ Hi Quanah,
You obviously meant 636, right[0]?
[0] https://www.iana.org/assignments/service-names-port-numbers/service-names-po...
Regards,
Raf
non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application, to support all of the above with the OpenLDAP C API compiled with HAVE_TLS. If you are unable to do this, you're misusing the API and/or do not understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
  No?  -> Use ldap:/// without the startTLS control
  Yes? -> Do they want to use ldaps or startTLS?
            startTLS -> Use ldap with the startTLS control
            ldaps    -> use ldaps
--Quanah
--On Wednesday, March 28, 2018 10:29 PM +0100 Raf Czlonka rczlonka@gmail.com wrote: ^^^
Hi Quanah,
You obviously meant 636, right[0]?
Heh, yes, 636. ;)
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com