
Re: Only Openldap 2.1.x support TLS ?



OpenLDAP via TLS/SSL:
=====================

1. download openldap v2.0.27
2. compile openldap using the following commands:
    > ./configure --enable-ldbm --disable-bdb --with-tls
    > make depend
    > make
    > make install
3. generate the certificate file using OpenSSL:
    > openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
4. edit the slapd.conf file to support TLS/SSL like below:
    add at the end of the file:
        TLSCertificateFile    /usr/local/etc/ldap/server.pem
        TLSCertificateKeyFile /usr/local/etc/ldap/server.pem
        TLSCACertificateFile  /usr/local/etc/ldap/server.pem
5. start the OpenLDAP listener like below:
    > ./slapd -h "ldap:/// ldaps:///"

Now, you have an OpenLDAP server that supports TLS/SSL.
You can use the Novell LDAP SDK (for example) to connect to the OpenLDAP
server using TLS/SSL. You will find a small piece of code below:

#include <ldap.h>      /* Novell LDAP SDK: ldap_set_option, ldap_simple_bind_s, ... */
#include <ldap_ssl.h>  /* Novell LDAP SDK: ldapssl_client_init, ldapssl_init, ...  */

int SSLBind(void)
{
 int ret = -1;

 // using LDAP version 3
 int version = LDAP_VERSION3;
 ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);

 // initializes the SSL library
 if((ret = ldapssl_client_init(NULL, NULL)) != LDAP_SUCCESS)
  return ret;

 // adds certificates to the list of trusted certificates
 if((ret = ldapssl_add_trusted_cert("server.pem", LDAPSSL_CERT_FILETYPE_B64)) != LDAP_SUCCESS)
 {
  ldapssl_client_deinit();
  return ret;
 }

 // creates an LDAP session handle that is SSL enabled (port 636, secure = 1)
 LDAP *ldap = ldapssl_init("localhost", 636, 1);
 if(ldap == NULL)
 {
  ldapssl_client_deinit();
  return -1;
 }

 // bind with current credentials
 if((ret = ldap_simple_bind_s(ldap, "cn=manager,o=vt", "start")) != LDAP_SUCCESS)
 {
  ldap_unbind_s(ldap);
  ldapssl_client_deinit();
  return ret;
 }

 ldap_unbind_s(ldap);
 ldapssl_client_deinit();
 return ret;
}

regards,

Marius
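The same LDAPS simple bind as above, written here as an added example with only the Python standard library rather than the Novell SDK (this is not code from the post): it encodes the BindRequest in BER by hand, verifies the server certificate against server.pem from step 3, and decodes the resultCode of the BindResponse. It assumes slapd listens on localhost:636 and that the certificate's subject matches the host name used.

```python
import socket
import ssl

def ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    msg_id is assumed to be below 128 so it fits a one-byte INTEGER."""
    req = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, req))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits give the byte count
        count = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Return the resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)           # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                     # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    tag, code, _ = read_tlv(op)         # first field is the ENUMERATED resultCode
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def ldaps_bind(host, port, cafile, dn, password):
    """Simple bind over LDAPS; the server cert must chain to cafile and match host."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, dn, password))
        return parse_bind_response(tls.recv(4096))    # a BindResponse fits one read

if __name__ == "__main__":
    # Same server, trust anchor and credentials as the post's SSLBind().
    print("resultCode:", ldaps_bind("localhost", 636, "server.pem", "cn=manager,o=vt", "start"))
```

Because the context is built with `create_default_context`, a server presenting a certificate that does not chain to server.pem or does not match the host name fails the handshake before any credentials are sent.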