[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_set_option

To: Sangita Mohan <sangitam@qualcomm.com>
Subject: Re: ldap_set_option
From: Howard Chu <hyc@symas.com>
Date: Thu, 12 May 2005 13:58:21 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <6.2.3.0.2.20050512130636.04f81438@unixmail.qualcomm.com>
References: <6.2.3.0.2.20050511163330.054c7298@unixmail.qualcomm.com> <4282A8AE.4040903@symas.com> <6.2.3.0.2.20050512130636.04f81438@unixmail.qualcomm.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050508

Sangita Mohan wrote:

At 05:51 PM 5/11/2005, Howard Chu wrote:
Sangita Mohan wrote:
I am working on authentication via SSL. I am using the ldap_set_option to set the path to the certificate file. I am able to successfully authenticate when using the

int rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "C:\\Cert.cer");

I also noticed the option LDAP_OPT_X_TLS_CACERTDIR. However it fails when used by itself. I am having to set a dummy LDAP_OPT_X_TLS_CACERTFILE before setting LDAP_OPT_X_TLS_CACERTDIR. Is this correct?
Just use the CACERTFILE. See the ldap.conf(5) manpage for information on the CACERTDIR. For most sites it is useless.
Thanks for the quick response. I understand that if the server certificate is already trusted, I can set the path to the certificate file. I am looking at the scenario of a server certificate that is not trusted but the user would like to add the certificate to the list of trusted certificates and proceed with the LDAP query. I don't see any API to get the actual certificate information to add it to my list of trusted certificates and proceed. I see the option TLS_REQCERT that would allow me to proceed with the query if the certificate is not trusted. However is there any API that would allow me to see the certificate information to make sure it is trusted and add it to my trusted database?

Just to be clear, you're referring to trusted server certificates, but you should be talking about trusted CA certificates here, since those are what the CACERTDIR and CACERTFILE options are for. Clients should not be building lists of trusted servers at all. It seems to me that your questions would best be answered by reading some documentation on SSL/TLS, then after you've gained some high level understanding of how those mechanisms work, you can look at the OpenSSL API documentation to get specific details. None of this is particular to OpenLDAP software.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: ldap_set_option
  - From: Sangita Mohan <sangitam@qualcomm.com>

References:
- ldap_set_option
  - From: Sangita Mohan <sangitam@qualcomm.com>
- Re: ldap_set_option
  - From: Howard Chu <hyc@symas.com>
- Re: ldap_set_option
  - From: Sangita Mohan <sangitam@qualcomm.com>

Prev by Date: slapd fails to start after reboot
Next by Date: Re: Sync Replication
Index(es):
- Chronological
- Thread