Rich Megginson wrote:
> Saurabh Chopra wrote:
>> Hi
>>
>> I arrived at the conclusion that the function "ldapssl_client_init"
>> isn't working for my code, if I use LDAP SDK 6.0 binaries. But if I use
>> the old LDAP 5.2 binaries, it works fine.
>> Here is a sample code that I used to compile it on RHAS 3.0 (also
>> attached with mail):
>>
>> #include <ldap.h>
>> #include <ldap_ssl.h>
>> #include <stdio.h>
>>
>> /* Initialize client, using mozilla's certificate database */
>> int main(void) {
>>     /* "/home/infwaer/test/" is the folder that contains cert7.db and
>>        key3.db */
>>     if (ldapssl_client_init("/home/infwaer/test/", NULL) < 0) {
>>         printf("Failed to initialize SSL client...\n");
>>         return 1;
>>     }
>>     printf("Initialized SSL client...\n");
>>     return 0;
>> }
>>
>> I used the following command to compile it with 5.2 binaries, and was
>> able to successfully call the function ldapssl_client_init:
>>
>> gcc ldapclient.c -I/home/infwaer/nsldap/5.2/RHAS3.0/include 
>> -L/home/infwaer/saurabh_review/lib -lldap50 -lnspr4 -lplds4 -lplc4
>> -lsoftokn3 -lnss3 -lssl3 -lprldap50 -lssldap50 -ldigestmd5 -lsasl
>>
>> But when I compiled it using 6.0 binaries using the same command:
>> gcc ldapclient.c -I/home/infwaer/nsldap/6.0/RHAS3.0/include 
>> -L/home/infwaer/saurabh_review/lib -lldap60 -lnspr4 -lplds4 -lplc4
>> -lsoftokn3 -lnss3 -lssl3 -lprldap60 -lssldap60 -ldigestmd5 -lsasl
>>
>> It gave the error "failed to initialize" (as written in the code !)
>>
>> Please help me out, and let me know if it is a known issue with LDAP SDK
>> 6.0.

This may be a bug in the 6.0 code.  If /home/infwaer/test already 
contains cert8.db and key3.db, the code works fine.  However, if the 
key/cert db do not already exist, ldapssl_client_init returns -1.  It 
may stem from the NSS_Initialize code:
  NSS_Initialize(confDir,certdbPrefix,keydbPrefix,
                        secmoddbpath, NSS_INIT_READONLY)

NSS_INIT_READONLY may cause NSS not to create the files if they don't 
exist.  But this hasn't changed since 2002 - we've used the readonly 
option since then, and maybe before then too.  So that covers most of 
the 5.x releases.  I'm using a very recent NSS (3.11.4).

The workaround is easy - just create your key/cert databases first, 
using certutil:
certutil -N -d /home/infwaer/test
or just copy cert8.db and key3.db from mozilla/firefox.

I think the real fix will be to first check to see if cert8/key3 exist, 
then NSS_Initialize in readwrite mode if they do not exist.  In general 
this is problematic with NSS because AFAIK there is no way to tell 
NSS_Initialize to report an error if the key/cert db do not exist, or to 
tell NSS_Initialize to open in readonly mode, but create the key/cert db 
if they do not exist.

> 
> It is not a known issue - SSL/TLS works fine with the 6.0 code.  I 
> suggest starting with the source code for the command line programs, 
> especially common.c which contains the SSL/TLS connection code common to 
> all of the clients - 
> http://lxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/clients/tools/common.c#962
>>
>> Thanks
>> Saurabh
>>
>>
>> -----Original Message-----
>> From: Rich Megginson [mailto:[EMAIL PROTECTED] On Behalf Of Rich
>> Megginson
>> Sent: Friday, March 23, 2007 7:49 PM
>> To: Saurabh Chopra
>> Cc: [EMAIL PROTECTED]; [email protected]
>> Subject: Re: Help needed on LDAP 6.0 SDK
>>
>> Saurabh Chopra wrote:
>>> Hi
>>>
>>> I just get the error that the User Directory could not be contacted.
>>
>> Can you post the exact error message or error codes?  What is the 
>> application?  Have you tried to use the ldapsearch command line tool?
>>
>>> When I earlier used LDAP 5.2 binaries, it worked absolutely fine. But
>>> after having upgraded to LDAP SDK 6.0.2, I have not been able to use
>>> SSL over LDAP Directory Server. The nss version I used is 3.11.4 and
>>> nspr version is 4.6.
>>> I tried generating cert8.db using Mozilla Firefox 2.0, but the problem
>>> persists. Please help.
>>>
>>> Thanks
>>> Saurabh
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, March 22, 2007 9:36 PM
>>> To: Saurabh Chopra
>>> Cc: [email protected]
>>> Subject: Re: Help needed on LDAP 6.0 SDK
>>>
>>>
>>> Saurabh Chopra wrote:
>>>
>>>> I used pre-built LDAP SDK 6.0 binaries and have been able to connect
>>>> to LDAP interface. But I am facing problems with connectivity over SSL.
>>> What problems exactly? Any error messages / return codes etc. you can
>>> provide here?
>>>
>>>> Has it got something to do with cert7.db and key3.db? I dragged and
>>>> dropped my Certifying Authority's root certificate into Netscape
>>>> Browser 476, and generated the cert7.db. Do I need to use a newer
>>>> version of Netscape for the same?
>>> As Rich already mentioned, NSS moved to a new secdb format and now it is
>>> cert8, which is incompatible with cert7, but NSS should create cert8 by
>>> default automatically and use the new db instead. To manage secdb you
>>> need the NSS sectools, which you can get from the location Rich has
>>> mentioned; for usage & help on them see
>>> http://www.mozilla.org/projects/security/pki/nss/tools/
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
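The check-then-create step Rich proposes, written as a shell wrapper around his certutil workaround. This is an added example, not code from the thread or the LDAP SDK; the password-file path in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example: decide whether the NSS cert/key databases exist in the
# directory that will be passed to ldapssl_client_init, and create them
# with certutil first so the read-only NSS_Initialize inside the SDK succeeds.

# Return 0 (true) when the directory lacks cert8.db or key3.db.
# A cert7.db left over from an old Netscape profile does not count:
# NSS 3.11 uses the cert8 format, so such a directory still needs a new db.
nss_db_missing() {
    dir=$1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && return 1
    return 0
}

# Create the databases if they are missing. The optional second argument
# is a password file handed to certutil -f so the call is non-interactive.
# Returns 0 when the databases are present (already or newly created),
# 2 when certutil is not installed, otherwise certutil's own exit status.
ensure_nss_db() {
    dir=$1
    pwfile=$2
    if ! nss_db_missing "$dir"; then
        echo "cert8.db and key3.db already present in $dir"
        return 0
    fi
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil not found; install the NSS tools first" >&2
        return 2
    }
    mkdir -p "$dir"
    if [ -n "$pwfile" ]; then
        certutil -N -d "$dir" -f "$pwfile"
    else
        certutil -N -d "$dir"
    fi
}

# Usage (what the original program would do before ldapssl_client_init);
# the password file path is a placeholder:
# ensure_nss_db /home/infwaer/test /home/infwaer/test/pwfile
```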