
Re: More SASL/SSL questions.



Ben Bargabus wrote:

Hello,
I'm still a bit confused about SASL and SSL from a client programming
perspective (and the almost complete lack of documentation doesn't help
much).

1. Does a SASL bind produce an encrypted session for any communication
that follows the authentication or does it just encrypt the bindDN and
credentials?

In general, what SASL does is left to the SASL documentation. To answer your question, if a particular SASL mechanism supports session encryption then OpenLDAP will use that feature by default. You can set the SASL security properties to disable these mechanisms if you want.


2. Is there ANY documentation for ldap_sasl_bind_s() that describes its
arguments and return value?

The arguments and return values are spelled out in the source code. In general, this function is not what you want, though; you should be using ldap_sasl_interactive_bind_s() instead, because it handles all the interactions with the SASL library, and it's a pain to manage that yourself.


3. Is there ANY documentation for ldap_initialize()?  Particularly I'm
wondering how to use it to create an SSL session (is it as simple as
ldap_initialize(&ld, "ldaps://myserver.com:636")).  Is there a better
way to create an SSL session?

Yes, it's as simple as that.

4. If the answer to 2 and/or 3 is no can someone please explain them?

When you're writing your own LDAP client for the first time, it's often easiest to use existing code as an example. In this case, you should be looking at the code in clients/tools as a canonical example of how to do just about everything.


--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support