Re: reg ldap over ssl

[Philip Guenther <guenther+ldapsoft@sendmail.com>]

On Tue, 1 Jul 2008, prasanth allada wrote:
> i am trying to start an ldap connection over SSL
>
> my code goes like this.
>
> ldap_init(host,LDAPS_PORT);
> ldap_set_option()
> ldap_start_tls_s(handle,null,null);
>
> when i call the ldap_start_tls_s() i get an error saying tat it cant 
> contact the ldap server.

Right, because ldap_start_tls_s() performs the LDAP start TLS operation, 
but for ldaps the client is supposed to simply negotiate TLS/SSL upon 
connection, without sending an LDAP operation first.

The Right Thing is to stop using ldap_init() and instead use 
ldap_initialize(), passing it an URI of "ldaps://hostname".

(Note that it'll automatically use port 636 when the URI schema is 
"ldaps", just as it'll automatically use port 389 when the schema is 
"ldap".)


> i have the CA certificate and the server certificate.
> Can you tell me which certificate should i use in the code.

The client only needs the CA certificate.  Set the 
LDAP_OPT_X_TLS_CACERTFILE option to the path to the PEM file, or set the 
LDAP_OPT_X_TLS_CACERTDIR option to a directory holding the PEM file with 
hashed paths.  (Check out the docs for SSL_CTX_load_verify_locations() for 
the details of the hashing.)

Note that in versions before 2.4.0, those are *global* options: 
ldap_set_option() *must* be passed a NULL LDAP handle when setting them. 
As of 2.4.0 they're per-LDAP-handle only and must be set on each handle 
you create.


Philip Guenther