
Re: C coding secured LDAP



Arkady Shoyhet writes:
> I have to implement SSL LDAP communication using standard LDAP C API.
> I have Linux version 2.4.21-20.EL, openldap 2.3.41 and OPENSSL-0.9.8G.
> Can you reference me to some code examples?

openldap-2.3.41/clients/tools/*.c spring to mind...

It's basically this code in common.c (which is linked together with each
of the ldap*.c files):

        rc = ldap_initialize( &ld, ldapuri );
        if( rc != LDAP_SUCCESS ) {
            fprintf( stderr,
                "Could not create LDAP session handle for URI=%s (%d): %s\n",
                ldapuri, rc, ldap_err2string(rc) );
            exit( EXIT_FAILURE );
        }
and
        protocol = LDAP_VERSION3;
        ...
        if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
            != LDAP_OPT_SUCCESS )
        {
            fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
                protocol );
            exit( EXIT_FAILURE );
        }

        if ( use_tls ) {
            rc = ldap_start_tls_s( ld, NULL, NULL );
            if ( rc != LDAP_SUCCESS ) {
                tool_perror( "ldap_start_tls", rc, NULL, NULL, NULL, NULL );
                if ( use_tls > 1 ) {
                    exit( EXIT_FAILURE );
                }
            }
        }

Set use_tls > 1, since it's a bad idea to continue after StartTLS fails.
ldapuri is something like "ldap://hostname/"; where the hostname is the
server's fully qualified hostname (same name as occurs in CN or Subject
Alt Name in the server certificate).

You need to tell the client the server's CA certificate, see TLS_CACERT
in man ldap.conf.  Also man ldap_start_tls_s.

Or if you use an "ldaps:" instead of "ldap:" URL, and the server
listens to "ldaps:" (probably in addition to "ldap:"), then the
connection starts out in TLS (alias SSL) mode and you should not call
ldap_start_tls_s().

-- 
Hallvard