
LDAPS from gamma clients to iPlanet server

It would be a nice feature if ldapsearch (and friends) supported LDAPS via command line option to specify URIs.  I also had trouble connecting to iPlanet, since it didn't support the StartTLS extended operation.

I was able to make LDAPS work with gamma to an iPlanet server with the following modifications (i.e., hacks):
1) Set tls_opt_cacertfile (global defined in libldap:tls.c line 40) to my CA's certificate (which happens to be my own private CA).

2) Force LDAPS scheme at the beginning of ldap_start_tls_s() (in libldap:open.c line 254) as follows:
        ld->ld_options.ldo_defludp->lud_scheme = LDAP_STRDUP( "ldaps" );

3) Fix an apparent bug (have already reported to ITS):
   At line 262 in libldap:open.c change
        if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
   to
        if (ldap_pvt_tls_inplace(lc->lconn_sb) == 0)

4) Disable the remainder of the for loop at lines 265-277 in libldap:open.c.  These issue the StartTLS extended operation which iPlanet doesn't support.

Here is my client setup:
- Solaris 2.7
- OpenLDAP 2.0 gamma
- OpenSSL 0.9.5
- Cyrus SASL 1.5.24
- Sun Workshop compilers 4.2.1
- Search command: ldapsearch -x -h iplanethost -p 636 -s base -b "" -ZZ
- NOTE: if you omit "-p 636" you can crash the iPlanet server!!! ;-)

Here is my server setup:
- Win2000 Advanced Server
- iPlanet 4.1 Directory Server
- Windows Certificate Services

----
Art Corcoran
Vitria Technology, Inc.
acorcoran@vitria.com

"Understanding is a three-edged sword."