I'm doing this exact process at the moment and I'd like to point out that the following excerpt from http://docs.sun.com/source/817-6707/ssl.html is a rat-hole:
 

"Note

You need to initialize your client before initializing the LDAP session. The process of initializing the client opens the certificate database. "


For instance, you'll need nssckbi.dll (for the root certs), which comes from NSS, not the C-SDK. So you have to find the same version of NSS that the C-SDK was linked against (3.2.2). You need to call NSS_Init(), then set your crypto policies and enable the set of ciphers of your choosing. For NSS_Init to work, you need the cert and key databases... the docs say to use keyutil, but after a week of fruitless searching, you'll find out that it's been superseded by certutil. Once you have that done, you'll get a crash in NSS_Init with a bad ptr passed to PR_Free (at least I did - n.b. on Win2k). And to debug that, you need symbols... which means building from source (I've just finished that step). Pardon me if I sound cranky, it's Monday and I've been at this for a week and a half now :)
 
Does anyone know if I can drop in NSS3.9 in place of the ancient 3.2.2 the C-SDK uses with no ill effect?

[EMAIL PROTECTED] wrote: -----

To: "Sridhar Bandi" <[EMAIL PROTECTED]>
From: "Anton Bobrov" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 06:13AM
cc: mozilla-directory@mozilla.org
Subject: Re: using ldap_simple_bind_s() over ssl connection.

yes, see http://docs.sun.com/source/817-6707/ssl.html for details.

Sridhar Bandi wrote:
> Greetings to everyone,
>
>   we want an authenticated secure channel b/w the client and the LDAP server,
>   however we don't have the certificate setup for the
>   client(no client side authentication) but just a DN and password for the
>   client to authenticate itself to the server. The LDAP server is setup
>   for the SSL connection.
>
>  So is it allowed/safe to initialize an SSL connection using:
>     ldapssl_client_init()
>     ldapssl_init()
>
>  and then use the simple authentication using:
>    ldap_simple_bind_s(DN/Password)
>
>  If this is allowed, does the DN/password of the client go over the
>  encrypted channel b/w the client and the server? And does all the
>  communication happen in encrypted form when this LDAP handle is used?
>
>
> thanks for all your support.
>
> Best Regards,
> Bandi
> _______________________________________________
> mozilla-directory mailing list
> mozilla-directory@mozilla.org
> http://mail.mozilla.org/listinfo/mozilla-directory