
Re: LDAPS from gamma clients to iPlanet server



At 11:24 AM 8/25/00 -0700, Art Corcoran wrote:
>It would be a nice feature if ldapsearch (and friends) supported LDAPS via command line option to specify URIs.  I also had trouble connecting to iPlanet, since it didn't support the StartTLS extended operation.

So don't use -ZZ, use ldaps://.  Don't confuse them.
The "bug" is that 2.0-gamma tools don't support ldaps://.
I've fixed that in devel (by introducing URI support).


>I was able to make LDAPS work with gamma to an iPlanet server with the following modifications (i.e., hacks): 
>1) Set tls_opt_cacertfile (global defined in libldap:tls.c line 40) to my CA's certificate (which happens to be my own private CA).

That, I believe, should be done in the application using ldap_set_option() calls
or via ldap.conf(5).

The remainder suggests how to change ldap_start_tls_s() so that it doesn't
perform its intended function, the RFC2830 Start TLS operation.

>2) Force LDAPS scheme at the beginning of ldap_start_tls_s() (in libldap:open.c line 254) as follows: 
>        ld->ld_options.ldo_defludp->lud_scheme = LDAP_STRDUP( "ldaps" ); 

This is not the way to do LDAP over SSL.  The application should use
ldap_set_option() and/or ldap_initialize() to set the appropriate
URI(s) for the session.  [See tools/ldap*.c on HEAD branch]

>3) Fix an apparent bug (have already reported to ITS): 
>   At line 262 in libldap:open.c change 
>        if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0) 
>   to 
>        if (ldap_pvt_tls_inplace(lc->lconn_sb) == 0) 

This is caused by your introduction of change 2.  It's not a bug.

>4) Disable the remainder of the for loop at lines 265-277 in libldap:open.c.  These issue the StartTLS extended operation which iPlanet doesn't support. 

That, of course, removes the functionality that the routine was
specifically designed to provide.

If you want to do LDAPS, then create a session such that the associated URI
is of the scheme "ldaps".  Don't muck with ldap_start_tls_s().

>ldapsearch -x -h iplanethost -p 636 -s base -b "" -ZZ

This says
        "Connect to iplanethost on port 636, issue the LDAP Start TLS exop, ..."

and is equivalent to:
        ldapsearch -x -H ldap://iplanethost:636 -ZZ -s base -b ""

This, of course, isn't what you want... the application should not be able
to complete the search.  You want:
        ldapsearch -x -H ldaps://iplanethost -s base -b ""

which says:
        "Connect to iplanethost on port 636 (ldaps:// default), initiate SSL, ..."

Though both are designed to provide security services, they use quite
different mechanisms.  We intend for 2.0 to support both.... hence the
changes I've made to the HEAD branch.  Please test these changes.

Kurt
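The distinction Kurt draws above (an ldap:// URI plus -ZZ means "connect in cleartext, then issue the RFC 2830 Start TLS extended operation", while an ldaps:// URI means "TLS handshake immediately after connect, port 636 by default") can be made mechanical. The following is an added illustration, not code from the mail or from libldap: it converts the legacy -h/-p form into the -H URI form the same way the mail does, parses the URI, applies the per-scheme default port, and reports which TLS mechanism the session would use. The "ldap://host:636 with StartTLS" combination is flagged, since that is exactly the case the mail says should not complete the search. Function names (legacy_to_uri, classify) and the Session record are this example's own.

```python
"""Classify how an ldapsearch-style session negotiates TLS from its URI and
the StartTLS (-ZZ) flag.  Added example; assumes nothing beyond RFC 2830
(Start TLS exop) and the well-known default ports 389 (ldap) / 636 (ldaps)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Session:
    scheme: str
    host: str
    port: int
    tls_mode: str  # "none", "starttls" or "ldaps"
    note: str


def legacy_to_uri(host: str, port: int = 389) -> str:
    """Translate '-h HOST -p PORT' into the '-H' URI form.

    As the mail points out, the legacy switches can only ever yield an
    ldap:// URI; there is no way to ask for the ldaps scheme with -h/-p."""
    return f"ldap://{host}:{port}"


def classify(uri: str, start_tls: bool = False) -> Session:
    """Describe the TLS mechanism a client would use for one LDAP URI."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URI scheme: {parts.scheme!r}")
    host = parts.hostname or "localhost"
    port = parts.port or DEFAULT_PORTS[scheme]

    if scheme == "ldaps":
        # LDAP over SSL/TLS: the handshake happens before any LDAP PDU.
        note = "TLS handshake immediately after connect (RFC 2830 exop not used)"
        if start_tls:
            note += "; -ZZ is redundant on an ldaps:// session"
        return Session(scheme, host, port, "ldaps", note)

    if start_tls:
        # Plain TCP connect, then the Start TLS extended operation (OID
        # 1.3.6.1.4.1.1466.20037) upgrades the already-open connection.
        note = "cleartext connect, then RFC 2830 Start TLS extended operation"
        if port == DEFAULT_PORTS["ldaps"]:
            # A listener on 636 expects the TLS handshake first, so the
            # cleartext exop request is not understood and the search fails.
            note += ("; port 636 expects an immediate TLS handshake, so the "
                     "cleartext exop will not be understood and the search "
                     "should not complete")
        return Session(scheme, host, port, "starttls", note)

    return Session(scheme, host, port, "none", "cleartext; no TLS at all")


def classify_all(uri_list: str, start_tls: bool = False) -> list:
    """ldap_initialize() accepts a whitespace-separated URI list; classify each."""
    return [classify(u, start_tls) for u in uri_list.split()]


if __name__ == "__main__":
    # The three invocations discussed in the mail.
    for label, uri, zz in [
        ("-h iplanethost -p 636 -ZZ", legacy_to_uri("iplanethost", 636), True),
        ("-H ldap://iplanethost:636 -ZZ", "ldap://iplanethost:636", True),
        ("-H ldaps://iplanethost", "ldaps://iplanethost", False),
    ]:
        s = classify(uri, zz)
        print(f"{label:32} -> {s.scheme}://{s.host}:{s.port} [{s.tls_mode}] {s.note}")
```

Running the block prints one line per invocation; the first two come out identical (ldap scheme, port 636, StartTLS, flagged), which is the equivalence the mail states, and only the third yields the ldaps mode on port 636.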