well, it's just a standard ldap operation like the rest of them. docs explain how to init an ssl session between ldap client and server in this case; after init is done you can start issuing requests on that handle and they go over ssl instead of plain.
Sridhar Bandi wrote:
Hello Anton,
Thanks for the response, but I haven't seen any mention of using ldap_simple_bind_s(DN/Password) over an SSL connection.
Can you please point me to the right doc.
Thanks, Bandi
Anton Bobrov wrote:
Thanks for the quick reply and the pointer to the 5.11 csdk. I started out with the 5.0.8 download which doesn't supply nssckbi.dll nor any of the nss utilities. I guess that's how I ended up going down the path of building NSS and all that other work I did.
unfortunately we cannot possibly supply everything and squeeze all the stuff one might need into the ldap c sdk package. nss tools are well maintained and you can get them from the mozilla.org site as well as all required libs for the tools. they [tools & libs] are also part of our Directory Server package that our ldap c sdk is targeted at. perhaps it's a good idea to mention it in the docs.
BTW, how does the CSDK determine which ciphers are allowed?
nss default set. see NSS_SetDomesticPolicy() http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1228530 - you can use the nss api to tweak stuff like that, i.e. SSL_CipherPolicySet() http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1104647 . note that we used to enable/disable certain ciphers for SSLv2 in 4.x but now SSLv2 is disabled by default from our code for security reasons.
I'm going to strip that code out and try again with the 5.11 sdk and see what happens.
Thanks again! Jeff
[EMAIL PROTECTED] wrote: -----
To: [EMAIL PROTECTED] From: "Anton Bobrov" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] Date: 01/31/2005 10:27AM cc: "Sridhar Bandi" <[EMAIL PROTECTED]>, [email protected] Subject: Re: using ldap_simple_bind_s() over ssl connection.
Jeff,
i can only speak for Sun version of LDAP C SDK here which is the same codebase as Mozilla version but they are not in sync for quite some time now :( so keep that in mind when reading my comments below.
For instance, you'll need nssckbi.dll (for the root certs), which comes from NSS, not the C-SDK.
So you have to find the same version of NSS that the C-SDK was linked against (3.2.2).
we ship all required libs as part of our SDKs.
You need to call NSS_Init(), then set your crypto policies and enable the set of ciphers of your choosing.
you dont have to do that. SDK will take care of that for you. again read the docs i mentioned, its all there.
For NSS_Init to work, you need the cert and key databases...the docs say to use keyutil, but after a week of fruitless searching, you'll find out that it's been superseded by certutil.
i don't recall seeing anything like that in our docs. please point to the exact location in the docs if something is outdated and i will file a bug to get it fixed.
you have that done, you'll get a crash in NSS_Init with a bad ptr passed to PR_Free (at least I did - n.b. on Win2k).
well, as i said, you don't have to go there, and if you do you need to make sure you know what you're doing :)
Pardon me if I sound cranky, it's Monday and I've been at this for a week and a half now :)
i understand that. download 5.08 or 5.11 [extract it from DSRK] from http://www.sun.com/download/index.jsp?cat=Application%20Development&tab=3#sdk
in the "SDKs (Software Development Kits)" section. they're quite old but we are working on pushing newer versions there as well, stay tuned.
Does anyone know if I can drop in NSS3.9 in place of the ancient 3.2.2 the C-SDK uses with no ill effect?
yes you can. have a look at the NSS release notes. db format changes are probably the major issue you're gonna hit; apart from that it works.
ta, anton.
[EMAIL PROTECTED] wrote: -----
To: "Sridhar Bandi" From: "Anton Bobrov" Sent by: [EMAIL PROTECTED] Date: 01/31/2005 06:13AM cc: [email protected] Subject: Re: using ldap_simple_bind_s() over ssl connection.
yes, see http://docs.sun.com/source/817-6707/ssl.html for details.
Sridhar Bandi wrote:
> Greetings to everyone,
>
> we want an authenticated secure channel b/w the client and the LDAP server,
> however we don't have the certificate setup for the client (no client side
> authentication) but just a DN and password for the client to authenticate
> itself to the server. The LDAP server is setup for the SSL connection.
>
> So is it allowed/safe to initialize an SSL connection using:
> ldapssl_client_init()
> ldapssl_init()
>
> and then use the simple authentication using:
> ldap_simple_bind_s(DN/Password)
>
> If this is allowed, does the DN/password of the client go over the
> encrypted channel b/w the client and the server? And does all the
> communication happen in encrypted form when this LDAP handle is used?
>
> thanks for all your support.
>
> Best Regards,
> Bandi
> _______________________________________________
> mozilla-directory mailing list
> [email protected]
> http://mail.mozilla.org/listinfo/mozilla-directory
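The call sequence discussed in the thread (ldapssl_client_init, ldapssl_init, ldap_simple_bind_s) as an added example written against the Mozilla/Sun LDAP C SDK; this is not code from the thread or the SDK docs. The cert DB path, host, DN and password are assumed placeholders, and the program needs the SDK headers/libs and a reachable server to run.

```c
/* Simple bind over SSL with the Mozilla/Sun LDAP C SDK (added example).
 * Build against the SDK: it links libldap and libssldap (plus NSS/NSPR). */
#include <stdio.h>
#include <ldap.h>
#include <ldap_ssl.h>

/* ASSUMED: directory holding the NSS cert DB (built with certutil) that
 * contains the CA certificate the server's certificate chains up to. */
#define CERTDB_PATH "/etc/ldapclient/certdb"

/* Returns LDAP_SUCCESS when the bind completed inside an SSL session,
 * otherwise the LDAP error code of the step that failed. */
int bind_over_ssl(const char *host, const char *dn, const char *password)
{
    LDAP *ld;
    int rc, version = LDAP_VERSION3;

    /* One-time NSS/SSL setup from the cert DB. The server certificate is
     * verified against the CAs in that DB; no client certificate needed. */
    if (ldapssl_client_init(CERTDB_PATH, NULL) != 0) {
        fprintf(stderr, "ldapssl_client_init failed (check cert DB path)\n");
        return LDAP_LOCAL_ERROR;
    }

    /* defsecure=1: every operation on this handle goes over SSL (port 636),
     * unlike a handle from plain ldap_init(). */
    ld = ldapssl_init(host, LDAPS_PORT, 1);
    if (ld == NULL) {
        fprintf(stderr, "ldapssl_init failed\n");
        return LDAP_CONNECT_ERROR;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    /* The DN and password travel inside the SSL record layer; on a
     * non-SSL handle the same call would send them in cleartext. */
    rc = ldap_simple_bind_s(ld, dn, password);
    if (rc != LDAP_SUCCESS)
        fprintf(stderr, "bind failed: %s\n", ldap_err2string(rc));

    ldap_unbind(ld);
    return rc;
}

int main(void)
{
    /* Placeholder host and service-account credentials (constructed). */
    return bind_over_ssl("ldap.example.com",
                         "uid=app,ou=svc,dc=example,dc=com", "secret")
           == LDAP_SUCCESS ? 0 : 1;
}
```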