>> With the API's ldapssl_set_client_cert() and
>> ldapssl_set_client_private_key()
>
> Can you do this after ldap_init()?

I don't know for sure, but as you described it below, it sounds reasonable. As long as ldapssl_init(, , 0) is called for an unsecure connection, my guess would be that as long as you called ldapssl_start_tls() after the calls to ldapssl_set_client_cert() and ldapssl_set_client_private_key(), it should work fine. But I would have to try it to be sure.

Brad

>>> Graham Leggett <[EMAIL PROTECTED]> Thursday, January 06, 2005 12:44 PM >>>
Brad Nicholes wrote:

>> How are client certificates specified within the Novell toolkit?
>
> With the API's ldapssl_set_client_cert() and
> ldapssl_set_client_private_key()

Can you do this after ldap_init()?

My thinking is to teach apr_ldap_set_option(ld, APR_LDAP_OPT_TLS_*CERT*, cert|key) to do this:

    apr_ldap_set_option(ld, option, value) {
        if (toolkit == novell) {
            if (option == set-client-cert) {
                ldapssl_set_client_cert();
                return;
            }
            if (option == set-client-key) {
                ldapssl_set_client_private_key();
                return;
            }
            if (option == set-tls-to-start-tls) {
                ldapssl_start_tls();
                return;
            }
        }
        if (toolkit == microsoft) {
            /* do microsoft flavoured stuff */
            return;
        }
        /* else default to simple setting of options */
        ldap_set_option(option, value);
    }

This causes the Novell toolkit and Microsoft toolkit to behave like the OpenLDAP toolkit, which has the cleanest interface out of all of them. First you do apr_ldap_init(...secure = 0...), then you do apr_set_option() for client certs and starttls/ssl, then you do ldap_bind().

The secure flag in apr_ldap_init() can be for legacy toolkits that cannot support upgrading the connection after the fact, but my research so far hasn't uncovered any toolkit where this is a problem.

Regards,
Graham
-- 
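As an added example (not code from this thread, from APR or from the Novell SDK), the following C program models the apr_ldap_set_option() dispatch Graham sketches and makes explicit the ordering rule Brad describes: the client certificate and private key have to be installed before ldapssl_start_tls() runs, and a bind that was meant to be protected must not go out over the plain connection. Every type, enum and function name here is a constructed stand-in; the three novell_* functions and generic_set_option() only record what a real toolkit would have been told, and the Microsoft branch is left out because the thread gives no detail for it.

```c
#include <stddef.h>

/* Added example, not APR's or the Novell SDK's code. All names are
 * constructed stand-ins for the dispatch described in the thread. */

typedef enum { TOOLKIT_OPENLDAP, TOOLKIT_NOVELL } toolkit_t;

/* Mirrors the APR_LDAP_OPT_TLS_* family mentioned in the thread (constructed). */
typedef enum { OPT_TLS_CERT, OPT_TLS_KEY, OPT_TLS } ldap_option_t;
typedef enum { TLS_NONE, TLS_STARTTLS } tls_mode_t;

typedef enum { LD_OK = 0, LD_ORDER_ERROR, LD_NOT_SECURE, LD_BAD_OPTION } ld_status_t;

/* Mock connection: records what the "toolkit" has been told so far. */
typedef struct {
    toolkit_t toolkit;
    int cert_set, key_set, tls_started, bound;
} ld_conn_t;

/* Equivalent of apr_ldap_init(... secure = 0 ...): plain connection, no TLS yet. */
static ld_conn_t ld_init(toolkit_t toolkit) {
    ld_conn_t ld = { toolkit, 0, 0, 0, 0 };
    return ld;
}

/* Stand-ins for ldapssl_set_client_cert(), ldapssl_set_client_private_key()
 * and ldapssl_start_tls(); the real calls take the key material itself. */
static void novell_set_client_cert(ld_conn_t *ld) { ld->cert_set = 1; }
static void novell_set_client_key(ld_conn_t *ld)  { ld->key_set = 1; }
static void novell_start_tls(ld_conn_t *ld)       { ld->tls_started = 1; }

/* Stand-in for the generic ldap_set_option() path (OpenLDAP-style). */
static void generic_set_option(ld_conn_t *ld, ldap_option_t opt, int value) {
    if (opt == OPT_TLS_CERT) ld->cert_set = 1;
    else if (opt == OPT_TLS_KEY) ld->key_set = 1;
    else if (opt == OPT_TLS && value == TLS_STARTTLS) ld->tls_started = 1;
}

/* The dispatch from the thread, plus the ordering check: once the TLS
 * handshake has run, a certificate or key set afterwards was never
 * presented to the server, so reject it instead of silently accepting it. */
ld_status_t my_ldap_set_option(ld_conn_t *ld, ldap_option_t opt, int value) {
    if ((opt == OPT_TLS_CERT || opt == OPT_TLS_KEY) && ld->tls_started)
        return LD_ORDER_ERROR;

    if (ld->toolkit == TOOLKIT_NOVELL) {
        switch (opt) {
        case OPT_TLS_CERT: novell_set_client_cert(ld); return LD_OK;
        case OPT_TLS_KEY:  novell_set_client_key(ld);  return LD_OK;
        case OPT_TLS:
            if (value == TLS_STARTTLS) { novell_start_tls(ld); return LD_OK; }
            return LD_BAD_OPTION;
        }
        return LD_BAD_OPTION;
    }
    /* default to simple setting of options */
    generic_set_option(ld, opt, value);
    return LD_OK;
}

/* Bind only after the requested TLS upgrade has actually happened, so a
 * simple bind never sends the password over the plain connection. */
ld_status_t my_ldap_bind(ld_conn_t *ld, int require_tls) {
    if (require_tls && !ld->tls_started) return LD_NOT_SECURE;
    ld->bound = 1;
    return LD_OK;
}

/* The order the thread proposes: init, cert, key, starttls, bind. */
ld_status_t run_proposed_sequence(toolkit_t toolkit) {
    ld_conn_t ld = ld_init(toolkit);
    ld_status_t s;
    if ((s = my_ldap_set_option(&ld, OPT_TLS_CERT, 0)) != LD_OK) return s;
    if ((s = my_ldap_set_option(&ld, OPT_TLS_KEY, 0)) != LD_OK) return s;
    if ((s = my_ldap_set_option(&ld, OPT_TLS, TLS_STARTTLS)) != LD_OK) return s;
    return my_ldap_bind(&ld, 1);
}

/* Misordered: TLS first, then the certificate. */
ld_status_t run_cert_after_tls(toolkit_t toolkit) {
    ld_conn_t ld = ld_init(toolkit);
    my_ldap_set_option(&ld, OPT_TLS, TLS_STARTTLS);
    return my_ldap_set_option(&ld, OPT_TLS_CERT, 0);
}

/* The TLS step was skipped entirely before binding. */
ld_status_t run_bind_without_tls(toolkit_t toolkit) {
    ld_conn_t ld = ld_init(toolkit);
    my_ldap_set_option(&ld, OPT_TLS_CERT, 0);
    return my_ldap_bind(&ld, 1);
}
```

The point of the two failing sequences is that the option layer, not the caller, is the place to catch them: with the real toolkits a certificate set after the handshake is simply ignored and a bind before STARTTLS simply succeeds in the clear, and neither produces an error on its own.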