
curl-library

Re: LDAPS support

From: Tim Tassonis <timtas_at_cubic.ch>
Date: Thu, 23 Aug 2007 16:12:18 +0200

Guenter Knauf wrote:
> Hi all,
> it seems that with my first tests with ldaps and Novell SDK I saw the best ldaps support;
> but now after I have really read a lot of mailing list and forum posts I can only 100% agree that ldaps is a real pain with all other SDKs, at least when you want to connect without trusted CA.
> So the status of the ldaps support I introduced is currently:
> - Fully working without CA cert on NetWare and Win32 build with Novell CLDAP SDK
> - Probably working on Cygwin and Linux with OpenLDAP SDK (not checked yet if data is really encrypted, but it connects to 636 with current code)
> - Probably working on Win32 with M$ LDAP SDK if a CA is stored in local key store
> - Probably working on Win32 / Linux / Solaris build with Mozilla SDK if a cert7.db file is specified.
>
> I've read at many many places exactly the same error messages as I got;
> also came over non-matching docs with the APIs, etc...

In another project I did ldaps with openldap and it's not terribly
complicated (you need to specify the connection as an ldaps://ddd url).
Disabling the CA check is also easily configurable. If there is interest, I
can provide the code. It's really no big deal and works fine.

P.S.: You don't need the ldap_ssl.h header, it's all in the ldap.h header.

Bye
Tim

>
> So what now needs to be tested further:
> - does current code with OpenLDAP really encrypt? At least it connects now fine with ldaps.
> - does current code work _with_ CA certs?
>
> in order to test the last point it's now needed that I get somehow the values of these switches into the ldap.c code which curl can set:
>
> -k/--insecure Allow connections to SSL sites without certs (H)
> --cert-type <type> Certificate file type (DER/PEM/ENG) (SSL)
> --cacert <file> CA certificate to verify peer against (SSL)
> --capath <directory> CA directory (made using c_rehash) to verify peer against (SSL)
>
> sorry, but due to all the reading/searching regarding proper API usage I have not dug enough through curl/libcurl to find out how I can access these values.
>
> Any help with that GREATLY welcome!
>
> Guen.
>
> PS: I've not yet committed the modification needed for Mozilla LDAP SDK support.
>
>
Received on 2007-08-23
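Added illustration, not code from this thread, from curl or from any LDAP SDK: the three curl switches Guenter lists (-k/--insecure, --cacert, --capath) map onto exactly two TLS decisions for an ldaps:// connection, whether the peer certificate is verified at all, and which trust anchors it is verified against. The example below expresses that mapping with Python's standard ssl module (function names and the argv parser are mine); in the OpenLDAP C API the same knobs are LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_CACERTFILE and LDAP_OPT_X_TLS_CACERTDIR, set with ldap_set_option before the ldaps:// URL Tim mentions is handed to ldap_initialize. It also separates the two questions raised in the thread: -k never turns encryption off, it only stops the client from authenticating the server, while the negotiated cipher reported after the handshake is what answers "is the data really encrypted?".

```python
import socket
import ssl
from typing import Iterable, Optional, Tuple

LDAPS_PORT = 636  # default port for LDAP over TLS, as used in the thread


def ldaps_tls_context(insecure: bool = False,
                      cacert: Optional[str] = None,
                      capath: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS policy for an ldaps:// connection from curl's switches.

    -k/--insecure : no peer verification (CERT_NONE, no hostname check)
    --cacert FILE : verify the chain against that CA file
    --capath DIR  : verify against a c_rehash'd CA directory
    neither       : verify against the platform trust store
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if insecure:
        # What -k really means: the session is still encrypted, but the
        # certificate is neither chained to a CA nor matched to the host,
        # so the peer could be anyone. check_hostname must go first, or
        # setting CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cacert or capath:
        # Only the anchors the caller named; nothing else is trusted.
        ctx.load_verify_locations(cafile=cacert, capath=capath)
    else:
        ctx.load_default_certs()
    return ctx


def context_from_curl_args(args: Iterable[str]) -> ssl.SSLContext:
    """Pick the three relevant switches out of a curl-style argument list."""
    insecure, cacert, capath = False, None, None
    it = iter(args)
    for arg in it:
        if arg in ("-k", "--insecure"):
            insecure = True
        elif arg in ("--cacert", "--capath"):
            value = next(it, None)
            if value is None:
                raise ValueError(f"{arg} needs a value")
            if arg == "--cacert":
                cacert = value
            else:
                capath = value
    return ldaps_tls_context(insecure, cacert, capath)


def verification_policy(ctx: ssl.SSLContext) -> str:
    """Summarise what a context will actually enforce (useful in logs)."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none (insecure: any certificate accepted)"
    if ctx.check_hostname:
        return "CA chain + hostname"
    return "CA chain only"


def ldaps_connect(host: str, ctx: ssl.SSLContext,
                  port: int = LDAPS_PORT,
                  timeout: float = 5.0) -> Tuple[ssl.SSLSocket, str, str]:
    """Open the TLS session an ldaps://host URL implies and report the
    negotiated cipher and protocol version; the LDAP bind would follow on
    the returned socket. Needs a reachable server, so it is not exercised
    by the offline checks below."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    cipher_name = tls.cipher()[0] if tls.cipher() else "none"
    return tls, cipher_name, tls.version() or "unknown"
```

Usage: `context_from_curl_args(["--cacert", "ca.pem"])` gives a context that rejects any server not chaining to ca.pem, whereas `context_from_curl_args(["-k"])` yields one whose `verification_policy()` reports "none"; a defender reviewing a client configuration wants the latter to show up in logs, because the connection will still look encrypted on the wire.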