3:59 a.m.
Hi Team,
We are developing a LDAP client in our application. For this we are using
openLDAP software.
One of our requirement is to support either LDAP or LDAPS (LDAP/TLS) ,
based on the end-user input at runtime.
So, in our application we should have support for both LDAP & LDAPS APIs
and we would be calling LDAPS API (ldap_tls_start_s) based on this runtime
configuration or else normal LDAP API would be called.
ISSUE:
We are able to integrate openLDAP with our application and achieve LDAP or
LDAP/TLS requirement separately.
Since, the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
compile time itself its decided whether LDAP or LDAPs . And we are not able
to take this decision at run-time.
If we compile openLDAP software with HAVE_TLS and use it for normal
ldapsearch, this ldap command is seen in trace as ldap message over SSL
without any encryption. But not as normal LDAP message.
So, we understand to achieve our requirement,
we would either be required to change the macro control of TLS to run-time
control in the openLDAP code. (But we are feeling not to do this for
maintainability purpose)
(or)
Try to use 2 openLDAP libraries, one compiled with HAVE_TLS and another
without HAVE_TLS. And take care in application side to call the respective
API without causing any resolution issue.
Can you please suggest whether there is any other approach currently
available in openLDAP to support both LDAP and LDAP/TLS at the sametime.
Regards,
G Gokul
9:15 p.m.
Hi Team,
Can you please look into this query.
Regards,
G Gokul
On Sun, Mar 25, 2018 at 4:29 PM, GOKUL G <g.gokul1991(a)gmail.com> wrote:
Hi Team,
We are developing a LDAP client in our application. For this we are using
openLDAP software.
One of our requirement is to support either LDAP or LDAPS (LDAP/TLS) ,
based on the end-user input at runtime.
So, in our application we should have support for both LDAP & LDAPS APIs
and we would be calling LDAPS API (ldap_tls_start_s) based on this runtime
configuration or else normal LDAP API would be called.
ISSUE:
We are able to integrate openLDAP with our application and achieve LDAP or
LDAP/TLS requirement separately.
Since, the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
compile time itself its decided whether LDAP or LDAPs . And we are not able
to take this decision at run-time.
If we compile openLDAP software with HAVE_TLS and use it for normal
ldapsearch, this ldap command is seen in trace as ldap message over SSL
without any encryption. But not as normal LDAP message.
So, we understand to achieve our requirement,
we would either be required to change the macro control of TLS to run-time
control in the openLDAP code. (But we are feeling not to do this for
maintainability purpose)
(or)
Try to use 2 openLDAP libraries, one compiled with HAVE_TLS and another
without HAVE_TLS. And take care in application side to call the respective
API without causing any resolution issue.
Can you please suggest whether there is any other approach currently
available in openLDAP to support both LDAP and LDAP/TLS at the sametime.
Regards,
G Gokul
1:15 p.m.
--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G <g.gokul1991(a)gmail.com>
wrote:
ISSUE:
We are able to integrate openLDAP with our application and achieve LDAP
or LDAP/TLS requirement separately.
Since, the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
compile time itself its decided whether LDAP or LDAPs . And we are not
able to take this decision at run-time.
If we compile openLDAP software with HAVE_TLS and use it for normal
ldapsearch, this ldap command is seen in trace as ldap message over SSL
without any encryption. But not as normal LDAP message.
You appear to be misunderstanding something if you believe you require two
different library builds. Clearly all of the existing C based clients can
do plaintext (ldap) with a library where TLS support is enabled (note: NOT
required).
I would also note there is much more to TLS encryption with LDAP than
you've noted.
There are two methods of doing TLS encryption. One uses the RFC STARTTLS
method, the other uses a TLS dedicated port (defaults to 443) using the
non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application,
to support all of the above with the OpenLDAP C API compiled with HAVE_TLS.
If you are unable to do this, you're misusing the API and/or do not
understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
No? ->
Use ldap:/// without the startTLS control
Yes? ->
Do they want to use ldaps or startTLS?
startTLS -> Use ldap with the startTLS control
use ldaps
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1:29 p.m.
On Wed, Mar 28, 2018 at 09:15:51PM BST, Quanah Gibson-Mount wrote:
--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G
<g.gokul1991(a)gmail.com>
wrote:
> ISSUE:
> We are able to integrate openLDAP with our application and achieve LDAP
> or LDAP/TLS requirement separately.
> Since, the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
> compile time itself its decided whether LDAP or LDAPs . And we are not
> able to take this decision at run-time.
> If we compile openLDAP software with HAVE_TLS and use it for normal
> ldapsearch, this ldap command is seen in trace as ldap message over SSL
> without any encryption. But not as normal LDAP message.
You appear to be misunderstanding something if you believe you require two
different library builds. Clearly all of the existing C based clients can
do plaintext (ldap) with a library where TLS support is enabled (note: NOT
required).
I would also note there is much more to TLS encryption with LDAP than you've
noted.
There are two methods of doing TLS encryption. One uses the RFC STARTTLS
method, the other uses a TLS dedicated port (defaults to 443) using the
^^^
Hi Quanah,
You obviously meant 636, right[0]?
[0]
https://www.iana.org/assignments/service-names-port-numbers/service-names...
Regards,
Raf
non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application,
to support all of the above with the OpenLDAP C API compiled with HAVE_TLS.
If you are unable to do this, you're misusing the API and/or do not
understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
No? ->
Use ldap:/// without the startTLS control
Yes? ->
Do they want to use ldaps or startTLS?
startTLS -> Use ldap with the startTLS control
use ldaps
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1:35 p.m.
--On Wednesday, March 28, 2018 10:29 PM +0100 Raf Czlonka
<rczlonka(a)gmail.com> wrote:
^^^
Hi Quanah,
You obviously meant 636, right[0]?
Heh, yes, 636. ;)
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
2073
days inactive
2076
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
GOKUL G -
Quanah Gibson-Mount -
Raf Czlonka