
Re: C coding secured LDAP

To work with secure LDAP, the following is required:
1. The server must be running with certificates installed on the server. Check the TLS options in slapd.conf.
2. The CA certificate must be present on the client side, so that it can verify the server certificate during the SSL handshake.
3. If the server has an intermediate certificate, then the client must have all the intermediate CA certificates to verify the server certificate.
Now, point 1:
How to install the server on the secure port, i.e. 636. The example is an OpenLDAP server.
slapd.conf must have the following TLS directives:
TLSCertificateFile /root/Digambar/intermediate_try/userCert.pem
TLSCertificateKeyFile /root/Digambar/intermediate_try/new.cert.key
TLSCACertificateFile /root/Digambar/intermediate_try/cacert.pem

Use the following to create the CA and server certificates:

A. /usr/share/ssl/misc/CA -newca

To create the server cert request:
B. openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

To sign the server cert:
C. /usr/share/ssl/misc/CA -sign

Start the server as: /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &

This will start secure LDAP.

Now, to verify that the above stuff is working, try the following from some other host:

i. Copy the CA certificate file to the host.

ii. Edit /etc/ldap.conf and set TLS_CACERT to the CA cert path.

iii. Try: ldapsearch -x -H ldaps://server-FQDN-hostname:636 -b "dc=my-domain,dc=com"

If this goes through, it indicates that the server is installed properly.


Now try to do ldapsearch using a C program:

 LDAP *pLdapObj = NULL;

 ldap_initialize(&pLdapObj, "ldaps://server-FQDN-hostname:636");

 ldap_set_option(pLdapObj, LDAP_OPT_PROTOCOL_VERSION, &ldapversion);
 ldap_set_option(pLdapObj, LDAP_OPT_NETWORK_TIMEOUT, (void *)&stTimeoutVal);
 ldap_set_option(pLdapObj, LDAP_OPT_TIMELIMIT, (void *)&stTimeLimit);
 ldap_set_option(pLdapObj, LDAP_OPT_SIZELIMIT, (void *)&LdapSizeLimit);

 /* Specify the path of the CA certificate file that was copied to the client side. */
 ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, aucServerCertFileName);

 /* After this, try whatever operation you want, such as ldap_search or ldap_bind. */

Let me know if you want help somewhere.


Digambar Sawant


On 4/2/08, Arkady Shoyhet <Arkady.Shoyhet@aladdin.com> wrote:


I have to implement SSL LDAP communication using standard LDAP C API.

I have Linux version 2.4.21-20.EL, openldap 2.3.41 and OPENSSL-0.9.8G.

Can you refer me to some code examples?

Thanks in advance,

Arkady Shoyhet
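
Added example, not part of the original post: points 2 and 3 of the reply say the client's CA file must hold the root CA and every intermediate CA. This sh script builds a throwaway root, intermediate and server certificate with openssl (all file names and subjects are constructed for illustration) and checks the server certificate against a CA file with and without the intermediate. openssl verify is run without -untrusted, which models a server that presents only its own certificate.

```shell
#!/bin/sh
# Added example: all names, subjects and paths below are constructed for illustration.

# mk_cert DIR NAME CN SIGNER EXT: new key + CSR for NAME, signed by SIGNER
# (self-signed when SIGNER equals NAME), with the X.509 extensions in file EXT.
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ "$2" = "$4" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -days 2 -extfile "$5" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -CAcreateserial -days 2 -extfile "$5" -out "$1/$2.pem" 2>/dev/null
  fi
}

# build_chain DIR: throwaway root CA -> intermediate CA -> server certificate.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  mk_cert "$1" root   "Example Root CA"         root  "$1/ca.ext" &&
  mk_cert "$1" inter  "Example Intermediate CA" root  "$1/ca.ext" &&
  mk_cert "$1" server "ldap.example.com"        inter "$1/leaf.ext" &&
  cat "$1/root.pem" "$1/inter.pem" > "$1/bundle.pem"   # the file TLS_CACERT should name
}

# chain_ok CAFILE CERT: true only if CERT verifies against the CAs in CAFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

dir=$(mktemp -d) && build_chain "$dir" || exit 1
for ca in root.pem bundle.pem; do
  if chain_ok "$dir/$ca" "$dir/server.pem"; then
    echo "$ca: server certificate verifies"
  else
    echo "$ca: verification FAILS (issuer missing from the client's CA file)"
  fi
done
rm -rf "$dir"
```

Running chain_ok against the real CA file and the server's certificate before setting TLS_CACERT separates a broken chain from other ldapsearch failures.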
