1) Sun ONE ldapsearch (the default Solaris ldapsearch does not work with SSL)
a) Create a dir for cert database (ex: /users/ss488/certs)
b) Use certutil to create the cert database:
./certutil -N -d /users/ss488/certs/ -P LDAP
where LDAP is just a file-name prefix for the database (see http://docs.sun.com/source/816-6698-10/ssl.html#14365)
c) Copy ca.cert from CA to the directory you created in step a ( /users/ss488/certs)
d) ./certutil -A -n "devmaster1Clt" -t "C,," -a -i /users/ss488/certs/ca.cert -d /users/ss488/certs/ -P LDAP
Testing the client: use Sun ONE's ldapsearch
./ldapsearch -h dev.directory.cornell.edu -b "ou=people,o=cornell university,c=us" -p 636 -3 -Z -P /users/ss488/certs/LDAPcert8.db uid=ss488
where LDAPcert8.db is the cert database created in step b.
2) Perl LDAPS
a) Create a dir for cert database (ex: /users/ss488/certs)
b) Copy ca.cert from CA to the directory you created in step a ( /users/ss488/certs)
c) cd /users/ss488/certs
d) ln -s ca.cert `/usr/local/ssl/bin/openssl x509 -hash -noout<ca.cert`.0
   (this creates the subject-hash-named link that OpenSSL's capath lookup expects)
Perl code to add:
use Net::LDAPS;

my $host = 'dev.directory.cornell.edu';
my $ldap = Net::LDAPS->new($host, port => 636, verify => 'require', capath => '/users/ss488/certs/')
    or die "LDAPS connection to $host failed: $@";

# Host name verification: pull the CN out of the server certificate's subject
my ($junk, $CN) = split('CN=', $ldap->certificate->subject_name);
if ($CN =~ m/\*/) {
    # wildcard certificate: keep only the domain suffix after the '*'
    ($junk, $CN) = split('\*', $CN);
    die "certificate CN does not match $host\n" unless $host =~ /\Q$CN\E$/;
} else {
    die "certificate CN '$CN' does not match $host\n" unless $host eq $CN;
}
3) ColdFusion 7.0 (contributed by hy93)
You still use the cfldap tag to retrieve data from the directory via the SSL port. You need to set the secure attribute to "CFSSL_BASIC" in the cfldap tag and use the secure LDAP port (636 by default).
Here is an example:
<cfldap
    action="query"
    name="results"
    start="ou=People,dc=siroe,dc=com"
    attributes="cn,sn,ou"
    sort="cn"
    server="myldapserver"
    port="636"
    password="mypassword"
    username="cn=Directory Manager"
    secure="CFSSL_BASIC">
Note: ColdFusion 7.0 uses JRE 1.4, which has a problem with CA certs whose key is larger than 2048 bits.
4) Java
a) Example code using JNDI:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://dev.directory.cornell.edu:636/c=US");
env.put(Context.SECURITY_PRINCIPAL, "your bind ID");
env.put(Context.SECURITY_CREDENTIALS, "your password");
env.put(Context.SECURITY_PROTOCOL, "ssl");   // wrap the connection to port 636 in SSL
try {
    DirContext ctx = new InitialDirContext(env);   // handshake and bind happen here
    // ... then do the searches you normally do against ctx ...
    ctx.close();
} catch (NamingException ex) {
    // connection or bind failed: log ex and handle the error
}
b) Example code using the Netscape/Mozilla LDAP Java SDK:
import java.util.*;
import netscape.ldap.*;
import netscape.ldap.factory.*;

LDAPConnection conn = null;
// null = use the default cipher suites of the JRE's SSL socket factory
JSSESocketFactory jssf = new JSSESocketFactory(null);
conn = new LDAPConnection(jssf);
try {
    conn.connect("dev.directory.cornell.edu", 636, "your bind ID", "your password");
    // ... search as usual, then conn.disconnect() ...
} catch (LDAPException e) {
    out.println("<p>Failed to connect to directory</p>");   // 'out' is the JSP writer
}
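Neither Java snippet above says which CA the JRE trusts when it validates the server certificate. As an added example (not code from the original page), here is a complete JNDI client that trusts only the ca.cert file from the earlier steps, so the server's chain must lead to that CA rather than to whatever is in the JRE's default truststore; the ldaps:// URL is equivalent to ldap://host:636 plus SECURITY_PROTOCOL=ssl. The file path, bind DN, password and search base are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class LdapsLookup {
    public static void main(String[] args) throws Exception {
        // Truststore holding only ca.cert (PEM or DER): the server chain must lead to this CA.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (FileInputStream in = new FileInputStream("/users/ss488/certs/ca.cert")) {  // placeholder path
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("directory-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, tmf.getTrustManagers(), null);
        // JNDI's ldaps:// connections use the JVM-wide default SSL socket factory,
        // so install this context as the default before the first connection.
        SSLContext.setDefault(ssl);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // JDK 8u181 and later also check the hostname against the certificate for ldaps://.
        env.put(Context.PROVIDER_URL, "ldaps://dev.directory.cornell.edu:636/");
        env.put(Context.SECURITY_PRINCIPAL, "your bind DN");     // placeholder
        env.put(Context.SECURITY_CREDENTIALS, "your password");  // placeholder
        DirContext dir = new InitialDirContext(env);   // TLS handshake and bind happen here
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NamingEnumeration<SearchResult> results =
            dir.search("ou=people,o=cornell university,c=us", "(uid=ss488)", sc);
        while (results.hasMore()) {
            System.out.println(results.next().getAttributes());
        }
        dir.close();
    }
}
```

If the presented chain does not validate against ca.cert, InitialDirContext throws a javax.naming.CommunicationException wrapping the SSLHandshakeException, so a trust failure surfaces before any bind credentials are sent.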
5) Mac OS X ldapsearch (contributed by se10)
a) Copy the CA cert to /System/Library/OpenSSL/certs/equifax-ca.pem
b) Add the following line to /etc/openldap/ldap.conf
TLS_CACERT /System/Library/OpenSSL/certs/equifax-ca.pem
c) Execute ldapsearch:
To use StartTLS on the standard port 389 (-ZZ makes the TLS upgrade mandatory):
ldapsearch -ZZ -h dev.directory.cornell.edu -x -b "uid=se10,ou=people,o=cornell university,c=us"
To use LDAPS on port 636:
ldapsearch -H ldaps://dev.directory.cornell.edu -x -b "uid=se10,ou=people,o=cornell university,c=us"