After getting it working I have one more question. Currently I am
setting the path to the CACERT file manually.
Is it possible to read the certificate from a different source, such as
a database or an external I/O stream? Having to configure a separate file
for my application is not so nice.
Would it be possible to switch certificate validation off, maybe?
Ideally I would like to be able to connect to any LDAP / LDAPS directory
without having to configure files outside my application.
Thanks
Alex
Alexander Hartner wrote:
Thanks Kurt,
I have it working now. Even though the example is in Objective-C, it
might be helpful to others.
#include <ldap.h>

NSString * url;
if ([connectionDetail sslEnabled])
{
    /* ldaps:// = TLS from the first byte; the handshake takes place when
       the connection is opened, i.e. at the bind further down. */
    url = [NSString stringWithFormat:@"ldaps://%@:%@", hostname, [port stringValue]];
    NSLog(@"Using SSL URL : %@", url);
}
else
{
    url = [NSString stringWithFormat:@"ldap://%@:%@", hostname, [port stringValue]];
    NSLog(@"Using URL : %@", url);
}
int e = ldap_initialize(&ldap, [url cString]);   /* parses the URL only; no network I/O yet */
ldap_perror(ldap, "LDAP INITIALISED");

const int ldap_version = LDAP_VERSION3;
e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
ldap_perror(ldap, "LDAP VERSION 3 SET");

if ([connectionDetail sslEnabled])
{
    /* Must be set before the TLS handshake: the server certificate is
       verified against this CA file when the ldaps:// connection opens. */
    e = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/openldap/cacert.pem");
    ldap_perror(ldap, "SETTING CACERTIFICATE FILE");
    /* No ldap_start_tls_s() here: StartTLS upgrades a plain ldap:// session
       and reports an error on a session that is already TLS (ldaps://). */
}

e = ldap_simple_bind_s(ldap, [username cString], [password cString]);
ldap_perror(ldap, "LDAP BOUND");
char * errorMessage = ldap_err2string(e);
if (e != LDAP_SUCCESS)
{
    /* With ldaps:// a failed certificate check surfaces here as
       "Can't contact LDAP server" (LDAP_SERVER_DOWN). */
    NSLog(@"Bind failed: %s", errorMessage);
}
Tx
Alexander Hartner
Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
- The Tao of Programming
On 18 Mar 2006, at 15:39, Kurt D. Zeilenga wrote:
At 01:00 AM 3/18/2006, you wrote:
Hi Kurt,
I tried to look for the man pages, but can't find them anywhere.
They don't seem to be included on OS X, Gentoo or the website.
I had a look at the examples (clients/tools) and I modified my
code. I hope I have the sequence right? I call the following
functions in this order:
1.) ldap_init
2.) ldap_set_options (Version 3, ...) I think I need to set the
CACERTFILE here. But I don't know what option to set. I am also
hoping for an option to accept self-signed certificates without
having to specify a CA.
3.) ldap_start_tls_s
4.) ldap_simple_bind_s
It doesn't work yet, because I don't know what options to set. If
you have the man pages could you please email them to me.
Thanks for your help
Alexander Hartner
On 18 Mar 2006, at 04:46, Kurt D. Zeilenga wrote:
OpenLDAP's -lldap supports initiating TLS (SSL) using either
the standard "Start TLS" mechanism [RFC2830] or the non-standard
"ldaps:" (Secure LDAP) mechanism. In the former case, the
program should call ldap_initialize(3) with the appropriate
ldap: URL, set version to 3, and then call ldap_start_tls_s(3).
In the latter case, ldap_initialize(3) is called with the
ldaps: URL. In both cases, appropriate certificate information
should be provided via ldap.conf(5) facilities or via
ldap_set_option(3). See the client/tools for example code.
- Kurt
At 03:56 PM 3/17/2006, Alexander Hartner wrote:
I am trying to connect to my LDAP directory using libLDAP. With SSL
disabled the following code works, but since I switched SSL on it
breaks.
/* ldap_init() only opens a plain TCP session; nothing here negotiates
   TLS, which is why the bind below fails once the server requires SSL. */
ldap = ldap_init([hostname cString], [port intValue]);
ldap_perror(ldap, "LDAP INITIALISED");
const int version = 3;
int e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_perror(ldap, "LDAP VERSION 3 SET");
e = ldap_simple_bind_s(ldap, [username cString], [password cString]);
char * errorMessage = ldap_err2string(e);
ldap_perror(ldap, "LDAP BOUND");
The error reported is :
LDAP BOUND: Can't contact LDAP server (-1)
I figure this is a problem with ldap_simple_bind_s, but I can't find
what I need to modify for SSL to work.
Thanks
Alexander Hartner
This is a form letter. Due to the volume of email I receive, I
cannot personally respond to each message directed to my mailbox.
If your message concerns the use of OpenLDAP Software, I suggest
that you post your message to the most appropriate mailing list
(which is not necessarily an OpenLDAP mailing list).
http://www.openldap.org/lists/
If your message is a general LDAP question, I suggest you use
the U-Mich LDAP mailing list <[email protected]>.
I do often answer questions that are asked in public forums. I
do this for the benefit of the community. As taking discussions
off list only affords the enquirer the benefit of my response,
I ask that you ask whatever follow-up questions you might have
in the public forum.
Regards, Kurt
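As an added example (not code from this thread or from OpenLDAP), the sequence Kurt describes written in the same Objective-C as Alexander's snippet, with the checks the posted code skips: TLS options set before the connection opens, StartTLS only on ldap:// URLs, and no bind at all when TLS did not come up. secureBind, its parameters and the idea of shipping the CA file as caCertPath inside the application are assumptions; ldap_sasl_bind_s with LDAP_SASL_SIMPLE stands in for the deprecated ldap_simple_bind_s.

```objective-c
#import <Foundation/Foundation.h>
#include <ldap.h>
#include <string.h>
/* Hypothetical helper: open a TLS-protected libldap session and bind.
   useLdaps == YES -> "ldaps://" URL, TLS from the first byte, no StartTLS.
   useLdaps == NO  -> "ldap://" URL, LDAPv3, then ldap_start_tls_s().
   Returns a bound handle, or NULL without ever binding in cleartext. */
static LDAP *secureBind(NSString *hostname, int port, BOOL useLdaps,
                        NSString *caCertPath, NSString *bindDN, NSString *password)
{
    LDAP *ld = NULL; int rc;
    const int version = LDAP_VERSION3;
    const int requireCert = LDAP_OPT_X_TLS_DEMAND;   /* default: verify the server */
    NSString *url = [NSString stringWithFormat:@"%@://%@:%d",
                     useLdaps ? @"ldaps" : @"ldap", hostname, port];

    /* TLS settings must be in place before any connection is opened; with a
       NULL handle they become library-wide defaults, so nothing needs to go
       into /etc/openldap/ldap.conf (caCertPath can live inside the app). */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, [caCertPath UTF8String]);
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &requireCert);

    rc = ldap_initialize(&ld, [url UTF8String]);      /* parses the URL, no I/O yet */
    if (rc != LDAP_SUCCESS) {
        NSLog(@"ldap_initialize: %s", ldap_err2string(rc));
        return NULL;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);  /* StartTLS needs v3 */

    if (!useLdaps) {
        rc = ldap_start_tls_s(ld, NULL, NULL);        /* upgrade the plain session */
        if (rc != LDAP_SUCCESS) {
            NSLog(@"StartTLS failed: %s", ldap_err2string(rc));
            ldap_unbind_ext_s(ld, NULL, NULL);        /* never fall back to cleartext */
            return NULL;
        }
    }
    /* For ldaps:// the handshake and certificate check happen here, when the
       first operation opens the connection. */
    struct berval cred = { strlen([password UTF8String]), (char *)[password UTF8String] };
    rc = ldap_sasl_bind_s(ld, [bindDN UTF8String], LDAP_SASL_SIMPLE, &cred,
                          NULL, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        NSLog(@"bind failed: %s", ldap_err2string(rc));
        ldap_unbind_ext_s(ld, NULL, NULL);
        return NULL;
    }
    return ld;
}
```

Setting LDAP_OPT_X_TLS_REQUIRE_CERT to LDAP_OPT_X_TLS_NEVER would make the client accept any certificate, so the bind password would be handed to whoever answers on that port. Keeping LDAP_OPT_X_TLS_DEMAND and pointing caCertPath at a CA file bundled with the application covers the "no files outside my application" wish without that exposure.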