Hi Anton,

Thanks for the quick reply and the pointer to the 5.11 csdk. I started out with the 5.0.8 download which doesn't supply nssckbi.dll nor any of the nss utilities. I guess that's how I ended up going down the path of building NSS and all that other work I did.

BTW, how does the CSDK determine which ciphers are allowed?

I'm going to strip that code out and try again with the 5.11 sdk and see what happens.

Thanks again!
Jeff

[EMAIL PROTECTED] wrote: -----

To: [EMAIL PROTECTED]
From: "Anton Bobrov" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 10:27AM
cc: "Sridhar Bandi" <[EMAIL PROTECTED]>, mozilla-directory@mozilla.org
Subject: Re: using ldap_simple_bind_s() over ssl connection.

Jeff, i can only speak for Sun version of LDAP C SDK here which is the same codebase as Mozilla version but they are not in sync for quite some time now :( so keep that in mind when reading my comments below.

> For instance, you'll need nssckbi.dll (for the root certs), which comes
> from NSS, not the C-SDK.
> So you have to find the same version of NSS
> that the C-SDK was linked against (3.2.2).

we ship all required libs as part of our SDKs.

> You need to call NSS_Init(),
> then set your crypto policies and enable the set of ciphers of your
> choosing.

you don't have to do that. SDK will take care of that for you. again read the docs i mentioned, it's all there.

> For NSS_Init to work, you need the cert and key
> databases...the docs say to use keyutil,
> but after a week of fruitless
> searching, you'll find out that it's been superseded by certutil.

i don't recall seeing anything like that in our docs. please point exact location in the docs if something is outdated and i will file a bug to get it fixed.

> you have that done, you'll get a crash in NSS_Init with a bad ptr passed
> to PR_Free (at least I did - n.b. on Win2k).

well as i said you don't have to go there and if you do you need to make sure you know what you doing :)

> Pardon me if I sound cranky, it's Monday and I've been at this
> for a week and a half now :)

i understand that. download 5.08 or 5.11 [extract it from DSRK] from http://www.sun.com/download/index.jsp?cat=Application%20Development&tab=3#sdk in "SDKs (Software Development Kits)" section.
they quite old but we are working on pushing newer versions there as well, stay tuned.

> Does anyone know if I can drop in NSS3.9 in place of the ancient 3.2.2
> the C-SDK uses with no ill effect?

yes you can. have a look at NSS release notes. db format changes probably the major issue you gonna hit, apart from that it works.

ta,
anton.

> [EMAIL PROTECTED] wrote: -----
>
> To: "Sridhar Bandi"
> From: "Anton Bobrov"
> Sent by: [EMAIL PROTECTED]
> Date: 01/31/2005 06:13AM
> cc: mozilla-directory@mozilla.org
> Subject: Re: using ldap_simple_bind_s() over ssl connection.
>
> yes, see http://docs.sun.com/source/817-6707/ssl.html for details.
>
> Sridhar Bandi wrote:
> > Greetings to everyone,
> >
> > we want an authenticated secure channel b/w the client and the LDAP server,
> > however we don't have the certificate setup for the
> > client(no client side authentication) but just a DN and password for the
> > client to authenticate itself to the server. The LDAP server is setup
> > for the SSL connection.
> >
> > So is it allowed/safe to initialize an SSL connection using:
> > ldapssl_client_init()
> > ldapssl_init()
> >
> > and then use the simple authentication using:
> > ldap_simple_bind_s(DN/Password)
> >
> > If this is allowed, does the DN/password of the client go over the
> > encrypted channel b/w the client and the server? And does all the
> > communication happen in encrypted form when this LDAP handle is used?
> >
> >
> > thanks for all your support.
> >
> > Best Regards,
> > Bandi
> > _______________________________________________
> > mozilla-directory mailing list
> > mozilla-directory@mozilla.org
> > http://mail.mozilla.org/listinfo/mozilla-directory
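
An added example, not part of the thread or of the C SDK: it BER-encodes the LDAPv3 simple BindRequest (RFC 4511) that a call such as ldap_simple_bind_s() sends, showing that the DN and password travel as plain OCTET STRINGs inside the message, so their confidentiality rests entirely on the SSL layer set up beforehand with ldapssl_client_init()/ldapssl_init(). The helper names, DN and password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an SDK call: append one BER TLV using a
 * short-form length (value < 128 bytes). Returns new offset or -1. */
static int put_tlv(unsigned char *out, int off, int cap,
                   unsigned char tag, const void *val, int len)
{
    if (off < 0 || len < 0 || len > 127 || off + 2 + len > cap)
        return -1;
    out[off] = tag;
    out[off + 1] = (unsigned char)len;
    memcpy(out + off + 2, val, (size_t)len);
    return off + 2 + len;
}

/* LDAPMessage { messageID, BindRequest { version 3, name, simple } }
 * per RFC 4511. msgid must be 1..127. Returns PDU length or -1. */
int build_simple_bind(unsigned char msgid, const char *dn, const char *pw,
                      unsigned char *out, int cap)
{
    unsigned char body[127], op[127], ver = 3;
    int n = 0, m = 0;
    n = put_tlv(body, n, (int)sizeof body, 0x02, &ver, 1);  /* version */
    n = put_tlv(body, n, (int)sizeof body, 0x04, dn, (int)strlen(dn));
    n = put_tlv(body, n, (int)sizeof body, 0x80, pw, (int)strlen(pw));
    m = put_tlv(op, m, (int)sizeof op, 0x02, &msgid, 1);    /* messageID */
    m = put_tlv(op, m, (int)sizeof op, 0x60, body, n);      /* BindRequest */
    return put_tlv(out, 0, cap, 0x30, op, m);               /* SEQUENCE */
}

/* Offset of needle in the PDU, or -1 if it does not appear. */
int find_bytes(const unsigned char *pdu, int n, const char *needle)
{
    int k = (int)strlen(needle);
    for (int i = 0; i + k <= n; i++)
        if (memcmp(pdu + i, needle, (size_t)k) == 0) return i;
    return -1;
}

int main(void)
{
    unsigned char pdu[128];   /* DN and password below are constructed */
    int n = build_simple_bind(1, "uid=app,dc=example,dc=com", "s3cret",
                              pdu, (int)sizeof pdu);
    for (int i = 0; i < n; i++) printf("%02x ", pdu[i]);
    printf("\npassword at offset %d\n", find_bytes(pdu, n, "s3cret"));
    return 0;
}
```

The same bytes are what the SSL record layer encrypts when the handle comes from ldapssl_init(); on a plain ldap_init() handle they go to the socket as shown.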