Hello Anton,

   Thanks for the response, but I haven't seen any mention of using 
ldap_simple_bind_s(DN/Password) over an SSL connection.
   Can you please point me to the right doc?

Thanks,
Bandi


Anton Bobrov wrote:
> 
> > Thanks for the quick reply and the pointer to the 5.11 csdk. I started out
> > with the 5.0.8 download which doesn't supply nssckbi.dll nor any of the nss
> > utilities. I guess that's how I ended up going down the path of building
> > NSS and all that other work I did.
> 
> unfortunately we cannot possibly supply everything and squeeze
> all the stuff one might need into ldap c sdk package. nss tools
> are well maintained and you can get them from mozilla.org site
> as well as all required libs for the tools. they [tools & libs]
> are also part of our Directory Server package our ldap c sdk is
> targeted at. perhaps it's a good idea to mention it in the docs.
> 
> > BTW, how does the CSDK determine which ciphers are allowed?
> 
> nss default set. see NSS_SetDomesticPolicy()
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1228530
> you can use nss api to tweak stuff like that ie SSL_CipherPolicySet()
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1104647
> note that we used to enable/disable certain ciphers for SSLv2 in 4.x
> but now SSLv2 is disabled by default from our code for security reasons.
> 
> >
> > I'm going to strip that code out and try again with the 5.11 sdk and see
> > what happens.
> >
> > Thanks again!
> > Jeff
> >
> > [EMAIL PROTECTED] wrote: -----
> >
> >
> > To: [EMAIL PROTECTED]
> > From: "Anton Bobrov" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > Date: 01/31/2005 10:27AM
> > cc: "Sridhar Bandi" <[EMAIL PROTECTED]>, mozilla-directory@mozilla.org
> > Subject: Re: using ldap_simple_bind_s() over ssl connection.
> >
> > Jeff,
> >
> > i can only speak for Sun version of LDAP C SDK here which is
> > the same codebase as Mozilla version but they are not in sync
> > for quite some time now :( so keep that in mind when reading
> > my comments below.
> >
> >
> >>For instance, you'll need nssckbi.dll (for the root certs), which comes
> >>from NSS, not the C-SDK.
> >>So you have to find the same version of NSS
> >>that the C-SDK was linked against (3.2.2).
> >
> >
> > we ship all required libs as part of our SDKs.
> >
> >
> >>You need to call NSS_Init(),
> >>then set your crypto policies and enable the set of ciphers of your
> >>choosing.
> >
> >
> > you don't have to do that. SDK will take care of that for you.
> > again read the docs i mentioned, it's all there.
> >
> >
> >>For NSS_Init to work, you need the cert and key
> >>databases...the docs say to use keyutil,
> >>but after a week of fruitless
> >>searching, you'll find out that it's been superseded by certutil.
> >
> >
> > i don't recall seeing anything like that in our docs. please
> > point exact location in the docs if something is outdated
> > and i will file a bug to get it fixed.
> >
> >
> >>you have that done, you'll get a crash in NSS_Init with a bad ptr passed
> >>to PR_Free (at least I did - n.b. on Win2k).
> >
> >
> > well as i said you don't have to go there and if you do you need
> > to make sure you know what you're doing :)
> >
> >
> >>Pardon me if I sound cranky, it's Monday and I've been at this
> >>for a week and a half now :)
> >
> >
> > i understand that. download 5.08 or 5.11 [extract it from DSRK] from
> > http://www.sun.com/download/index.jsp?cat=Application%20Development&tab=3#sdk
> >
> > in "SDKs (Software Development Kits)" section. they're quite old but we
> > are working on pushing newer versions there as well, stay tuned.
> >
> >
> >>Does anyone know if I can drop in NSS3.9 in place of the ancient 3.2.2
> >>the C-SDK uses with no ill effect?
> >
> >
> > yes you can. have a look at NSS release notes. db format changes are
> > probably the major issue you're gonna hit, apart from that it works.
> >
> >
> >
> > ta,
> > anton.
> >
> >
> >>[EMAIL PROTECTED] wrote: -----
> >>
> >>    To: "Sridhar Bandi"
> >>    From: "Anton Bobrov"
> >>    Sent by: [EMAIL PROTECTED]
> >>    Date: 01/31/2005 06:13AM
> >>    cc: mozilla-directory@mozilla.org
> >>    Subject: Re: using ldap_simple_bind_s() over ssl connection.
> >>
> >>    yes, see http://docs.sun.com/source/817-6707/ssl.html for details.
> >>
> >>    Sridhar Bandi wrote:
> >>     > Greetings to everyone,
> >>     >
> >>     >   we want an authenticated secure channel b/w the client and the
> >>    LDAP server,
> >>     >   however we don't have the certificate setup for the
> >>     >   client(no client side authentication) but just a DN and
> >>    password for the
> >>     >   client to authenticate itself to the server. The LDAP server is
> >>    setup
> >>     >   for the SSL connection.
> >>     >
> >>     >  So is it allowed/safe to initialize an SSL connection using:
> >>     >     ldapssl_client_init()
> >>     >     ldapssl_init()
> >>     >
> >>     >  and then use the simple authentication using:
> >>     >    ldap_simple_bind_s(DN/Password)
> >>     >
> >>     >  If this is allowed, does the DN/password of the client go over the
> >>     >  encrypted channel b/w the client and the server? And does all the
> >>     >  communication happen in encrypted form when this LDAP handle is
> >>    used?
> >>     >
> >>     >
> >>     > thanks for all your support.
> >>     >
> >>     > Best Regards,
> >>     > Bandi
_______________________________________________
mozilla-directory mailing list
mozilla-directory@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-directory
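The question that started this thread (does the DN/password of a simple bind go over the encrypted channel?) comes down to what ldap_simple_bind_s() puts on the wire. The following is an added example, not code from the LDAP C SDK or from anyone in this thread: it encodes and decodes an LDAPv3 simple BindRequest exactly as RFC 4511 and BER define it, so you can see that the DN and password are plain octets inside the PDU. The SDK produces this same structure; the only thing that hides it from a network observer is the transport chosen before the bind (ldapssl_init() instead of a plain ldap_init()). The sample DN and password are constructed values, and the function names are this example's own.

```python
"""Encode/decode an LDAPv3 simple BindRequest (RFC 4511 section 4.2) to show
that simple-bind credentials are cleartext at the LDAP layer and therefore
rely entirely on the SSL/TLS transport set up beforehand."""

# BER tags used by the BindRequest
TAG_SEQUENCE = 0x30      # universal, constructed SEQUENCE (LDAPMessage)
TAG_INTEGER = 0x02       # messageID, version
TAG_OCTET_STRING = 0x04  # LDAPDN
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80   # AuthenticationChoice: simple [0] OCTET STRING


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v: int) -> bytes:
    """Non-negative INTEGER, with a leading 0x00 when the top bit is set."""
    size = max(1, (v.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, v.to_bytes(size, "big", signed=True))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple } }."""
    bind = (ber_integer(3)
            + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + tlv(TAG_AUTH_SIMPLE, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, bind))


def read_tlv(buf: bytes, offset: int):
    """Parse one TLV at offset; returns (tag, value, offset after the TLV)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or offset + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    else:
        length = first
    if offset + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[offset:offset + length], offset + length


def decode_simple_bind(pdu: bytes):
    """Recover (message_id, version, dn, password) from a simple BindRequest."""
    tag, msg, end = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    tag, raw_id, off = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(msg, off)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    tag_v, raw_ver, off = read_tlv(bind, 0)
    tag_n, name, off = read_tlv(bind, off)
    tag_a, auth, _ = read_tlv(bind, off)
    if tag_v != TAG_INTEGER or tag_n != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if tag_a != TAG_AUTH_SIMPLE:
        raise ValueError("not simple authentication (e.g. SASL)")
    return (int.from_bytes(raw_id, "big", signed=True),
            int.from_bytes(raw_ver, "big", signed=True),
            name.decode("utf-8"), auth.decode("utf-8"))


def credentials_readable_from_wire(pdu: bytes, dn: str, password: str) -> bool:
    """True when both values appear verbatim in the PDU, i.e. a passive
    observer of an unencrypted TCP stream could read them."""
    return dn.encode("utf-8") in pdu and password.encode("utf-8") in pdu


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pdu = simple_bind_request(1, "cn=bandi,o=example", "secret")
    print(pdu.hex())
    print(decode_simple_bind(pdu))
    print("credentials readable without TLS:",
          credentials_readable_from_wire(pdu, "cn=bandi,o=example", "secret"))
```

Running it prints the PDU with the DN and password visible as ASCII inside the hex, which is why the SDK docs have you call ldapssl_client_init() and ldapssl_init() first: the bind itself carries no protection, and the cipher suites NSS negotiates for that session (the default policy Anton refers to, or whatever SSL_CipherPolicySet() has been used to adjust) are the only thing standing between the password and the network.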
