ldap_start_tls_s_np()

Purpose

Start TLS for a connection

Parameters

Input

ld

Specifies the LDAP handle.

label

Specifies the label for the client certificate as a null-terminated character string in the local EBCDIC code page or UTF-8, as determined by the LDAP_OPT_UTF8_IO option for the LDAP handle. Specify NULL for this parameter to use the GSK_KEY_LABEL environment variable. If you specify NULL for this parameter and the GSK_KEY_LABEL environment variable is not defined, the default certificate for the SSL key database, SAF key ring, or PKCS #11 token can be used. A client certificate is needed only when the LDAP server is configured for client authentication.

Usage

The ldap_start_tls_s_np() routine initiates Transport Layer Security (TLS) for an existing connection with an LDAP server. An error is returned if TLS is already being used by the connection or if there are outstanding requests. Any existing authentication for the connection remains unchanged. If the application wants to use the client certificate for authentication, it should call the ldap_sasl_bind() or ldap_sasl_bind_s() routine after calling ldap_start_tls_s_np() and specify EXTERNAL as the SASL authentication method.

The ldap_ssl_client_init() routine must be called to initialize the SSL environment before calling the ldap_start_tls_s_np() routine.

The certificate presented by the LDAP server must contain the DNS host name as either the common name (CN) portion of the certificate subject name or as a subject alternate name. The DNS host name is the name specified when the ldap_init() or ldap_ssl_init() routine was called. An error is returned if the server certificate does not contain a matching host name.

Function return value

The function return value is LDAP_SUCCESS if no error is detected. Otherwise, it is one of the LDAP error codes listed in the ldap.h include file.