
RE: writing a ssl(tls) client



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> vranckx@sia.ucl.ac.be

> Hi,
>
> I must write a client to an openldap server and must use
> encryption.
> I downloaded the iPlanet and Netscape C SDKs: both do not
> support TLS and the doc mentions I need to have access
> to a Netscape or iPlanet certificate database...
> My objective is just to encrypt the session not to let
> cleartext passwd on the network : in fact, just the way
> ldapsearch -H ldaps://... does.
>
> Is there an alternative to these SDK ? Where can I find
> information about writing this kind of client for
> openldap ?

The OpenLDAP API can handle this easily enough but you still need to
have access to a certificate database. If you're using the OpenLDAP
libraries combined with OpenSSL, then the right place to get help about
managing certificates is from the OpenSSL documentation. Note that the
OpenSSL source distribution usually includes a number of CA certificates
so there shouldn't be much work involved in getting this going.

I think it's simplest to concatenate all the CA certificates (in PEM format)
into a single file. Then your /etc/ldap.conf file should have a line pointing
to this file:
	TLS_CACERT	/etc/ssl/cacerts.pem

As far as the actual API, you can just use the ldap_initialize() call, the
same way that the ldapsearch command does. Make sure that the URI you provide
starts with the "ldaps:" scheme and you will get an SSL session.

> Thanks in advance for your help.
>
> Patrick Vranckx
> Universite Catholique de Louvain
> Belgium
> vranckx@sia.ucl.ac.be
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc