Hi Team,
We are migrating our source code to use the OpenLDAP client libraries instead of the nsldap libraries. We have the below query for the OpenLDAP team. Please share your thoughts on the availability of this feature in the OpenLDAP library.
nsldap has the below feature while validating TLS connections.
Please refer to the NSS tool (certutil), section "Options and Arguments": https://www-archive.mozilla.org/projects/security/pki/nss/tools/certutil
-t trustargs
Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.
There are three available trust categories for each certificate, expressed in this order: "SSL, email, object signing". In each category position use zero or more of the following attribute codes:
p   Valid peer
P   Trusted peer (implies p)
c   Valid CA
T   Trusted CA to issue client certificates (implies c)
C   Trusted CA to issue server certificates (SSL only) (implies c)
u   Certificate can be used for authentication or signing
w   Send warning (use with other attributes to include a warning when the certificate is used in that context)
The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
-t "TCu,Cu,Tuw"
Use the -L option to see a list of the current certificates and trust attributes in a certificate database.
Our query: does OpenLDAP provide trustargs support to verify TLS connections? Please share details on this.
Thanks in advance.
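The trustargs format quoted above (three comma-separated categories, one-letter codes, some of which imply others) is easy to misread when auditing an NSS certdb before a migration. The following is an added example, not code from the original post or from the NSS or OpenLDAP projects: a decoder for trustargs strings plus a helper that picks, from a `certutil -L` listing, the nicknames whose SSL category carries C (trusted to issue server certificates), which are the ones a client relies on to verify an LDAP server. It assumes the listing layout where each certificate line ends in its trust-attributes column; the sample listing, nicknames and the `select_server_cas` helper are constructed for this example.

```python
import re

# Trust categories in the order certutil -t documents them: "SSL, email, object signing".
CATEGORIES = ("ssl", "email", "object_signing")

# Attribute codes as listed in the certutil documentation quoted above.
CODES = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates",
    "C": "trusted CA to issue server certificates",
    "u": "certificate can be used for authentication or signing",
    "w": "send warning when the certificate is used",
}

# Implied codes from the documentation: P implies p, T and C imply c.
IMPLIES = {"P": "p", "T": "c", "C": "c"}

# Exactly three categories, each zero or more of the known codes.
_TRUSTARGS_RE = re.compile(r"^[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*$")


def parse_trustargs(trustargs):
    """Return {category: set of codes} for a trustargs string such as "TCu,Cu,Tuw".

    Surrounding quotation marks (as in -t "TCu,Cu,Tuw") are tolerated. Implied codes
    are added, so a caller can test for "c" to mean "any CA trust" in that category.
    Raises ValueError on anything that is not a trustargs string.
    """
    text = trustargs.strip().strip('"')
    if not _TRUSTARGS_RE.match(text):
        raise ValueError(f"not a trustargs string: {trustargs!r}")
    result = {}
    for category, codes in zip(CATEGORIES, text.split(",")):
        flags = set(codes)
        for code in codes:
            if code in IMPLIES:
                flags.add(IMPLIES[code])
        result[category] = flags
    return result


def describe(trustargs):
    """Human-readable expansion, one line per category."""
    parsed = parse_trustargs(trustargs)
    lines = []
    for category in CATEGORIES:
        names = [CODES[code] for code in sorted(parsed[category])] or ["no trust"]
        lines.append(f"{category}: " + "; ".join(names))
    return lines


def is_trusted_server_ca(trustargs):
    """True if the SSL category carries C, i.e. the cert may sign server certificates."""
    return "C" in parse_trustargs(trustargs)["ssl"]


def select_server_cas(listing):
    """Nicknames from a `certutil -L` listing whose SSL trust includes C.

    Assumed layout (constructed for this example): each certificate line ends in its
    trust-attributes column. Header and blank lines are skipped because their last
    token does not match the trustargs pattern.
    """
    selected = []
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUSTARGS_RE.match(parts[1]):
            continue
        nickname, trustargs = parts
        if is_trusted_server_ca(trustargs):
            selected.append(nickname.strip())
    return selected


# Constructed sample of a `certutil -L` listing; not output captured from any real certdb.
# "CT,C,C" is the usual trust given to a root CA; "P,," pins one peer for SSL only.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Corp Root CA                                                 CT,C,C
Old Partner CA                                               c,c,c
ldap-client                                                  u,u,u
ldap.example.com pinned                                      P,,
"""

if __name__ == "__main__":
    for line in describe('"TCu,Cu,Tuw"'):
        print(line)
    print("server CAs:", select_server_cas(SAMPLE_LISTING))
```

Note that a certificate marked only `c,c,c` (valid CA, not trusted) or `P,,` (one pinned peer) does not get selected: only entries with C in the SSL position are trust anchors for server verification, and those are the ones worth exporting when the certdb is being retired.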
venugopal chinnakotla wrote:
> Hi Team,
> We are migrating our source code to use the OpenLDAP client libraries instead of the nsldap libraries. We have the below query for the OpenLDAP team. Please share your thoughts on the availability of this feature in the OpenLDAP library.
> nsldap has the below feature while validating TLS connections.
These features are part of the Mozilla NSS library, not a part of any LDAP library.
You can use Mozilla NSS in OpenLDAP 2.4 but support for MozNSS has been dropped from newer releases.
> Please refer to the NSS tool (certutil), section "Options and Arguments": https://www-archive.mozilla.org/projects/security/pki/nss/tools/certutil
Thank you for the update.
I have a few queries on this. Could you please clarify them?
1) Is there any reason for dropping Mozilla NSS support in the latest versions of OpenLDAP?
2) Can we compile OpenLDAP 2.6.8 by taking the 'tls_m.c' module from OpenLDAP 2.4.59 (where OpenLDAP supports NSS) and use the NSS certdb for TLS communication? Is it possible to use it seamlessly?
--On Tuesday, August 20, 2024 10:06 AM +0000 c.venugopal521@gmail.com wrote:
> Thank you for the update.
> I have a few queries on this. Could you please clarify them?
> - Is there any reason for dropping Mozilla NSS support in the latest versions of OpenLDAP?
Red Hat had a project at one point where they were going to try and unify everything on MozNSS. MozNSS was already abandonware for good reason, but RH persisted with this effort despite being warned it was not a great idea. Eventually it fell apart as expected and they dropped this effort. The code was only added to OpenLDAP to support RH's effort. After RH realized the futility of the idea and abandoned it, the code was removed from OpenLDAP.
> - Can we compile OpenLDAP 2.6.8 by taking the 'tls_m.c' module from OpenLDAP 2.4.59 (where OpenLDAP supports NSS) and use the NSS certdb for TLS communication? Is it possible to use it seamlessly?
No.
--Quanah
openldap-technical@openldap.org