
RE: TLS/SSL in OpenLDAP 2.0 gamma clients

> Likely.  You can examine their root DSE to see if the Start TLS request
> OID is listed in supportedExtension.

No, it's not listed.  :-(

> > The LDAPS is what I really wanted to do anyway.
> > Unfortunately, the -h option to ldapsearch is for host names
> > only, not for URLs (this arg is passed unmodified to
> > ldap_init(), which wants a hostname).
>
> Well, that's the way I thought it was supposed to work (I don't use
> ldaps:// myself).  Report it as a bug using the Issue Tracking System
> (http://www.openldap.org/its/).
>
>         Kurt

I think it is more of a feature request than a bug.  All other implementations of ldapsearch (cmd line tool) that I have looked at don't support the URL method.

FYI, I was able to make LDAPS work with gamma to an iPlanet server with the following modifications (i.e., hacks):

1) Set tls_opt_cacertfile (global defined in libldap:tls.c line 40) to my CA's certificate (which happens to be my own private CA).

2) Force the LDAPS scheme at the beginning of ldap_start_tls_s() (in libldap:open.c line 254) as follows:
        ld->ld_options.ldo_defludp->lud_scheme = LDAP_STRDUP( "ldaps" );

3) Fix an apparent bug: at line 262 in libldap:open.c change
        if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
   to
        if (ldap_pvt_tls_inplace(lc->lconn_sb) == 0)

4) Disable the remainder of the for loop at lines 265-277 in libldap:open.c.  These issue the StartTLS extended operation, which iPlanet doesn't support.

Thanks for the help,
Art
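The root DSE check Kurt suggests earlier in the thread (look for the StartTLS OID in supportedExtension, and fall back to an ldaps:// connection when it is absent), as an added example that is not part of this thread or of OpenLDAP. It parses the LDIF that an ldapsearch base-scope query of the root DSE prints rather than contacting a server, so it runs offline; the two LDIF entries below are constructed samples, and the host name is a placeholder.

```python
"""Decide how to get TLS to an LDAP server from its root DSE.

Added example, not code from the thread or from OpenLDAP. It parses the
LDIF printed by a root DSE query such as
    ldapsearch -x -s base -b "" supportedExtension
and reports whether the StartTLS extended operation is advertised. When it
is not (the iPlanet case in the thread), the only way to get TLS is an
ldaps:// connection that is encrypted from the first byte.
"""
import base64

# Well-known OID of the StartTLS extended operation (RFC 2830 / RFC 4511).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles folded lines (a continuation line starts with a single space)
    and base64-encoded values written as `attr:: <base64>`. Comment lines
    and lines without a colon are skipped.
    """
    # Unfold: a line starting with a space continues the previous line.
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entry: dict = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            # "attr:: <base64>" form: decode to the original text value.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def supports_starttls(entry: dict) -> bool:
    """True if the root DSE lists the StartTLS OID in supportedExtension."""
    return STARTTLS_OID in entry.get("supportedextension", [])


def recommend_tls(entry: dict, host: str, ldaps_port: int = 636) -> str:
    """Pick a TLS strategy: upgrade via StartTLS if advertised, else ldaps://."""
    if supports_starttls(entry):
        return f"ldap://{host}:389 with StartTLS"
    return f"ldaps://{host}:{ldaps_port}"


# Constructed sample: a root DSE that does NOT advertise StartTLS. The one
# extension it lists (Password Modify, RFC 3062) is folded across two lines
# to exercise the unfolding code.
NO_STARTTLS_LDIF = """\
dn:
objectClass: top
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.42
 03.1.11.1
"""

# Constructed sample: a root DSE that advertises StartTLS, plus a
# base64-encoded attribute ("QXJ0" decodes to "Art") for the `::` form.
STARTTLS_LDIF = """\
dn:
objectClass: top
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037
description:: QXJ0
"""

if __name__ == "__main__":
    # "ldap.example.com" is a placeholder host, not a server from the thread.
    for label, ldif in (("no StartTLS", NO_STARTTLS_LDIF), ("StartTLS", STARTTLS_LDIF)):
        print(label, "->", recommend_tls(parse_ldif_entry(ldif), "ldap.example.com"))
```

The parser lower-cases attribute names because LDAP attribute types are case-insensitive, so `supportedExtension` and `supportedextension` in server output must match the same key.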