#include <ldap.h> #include <ldapssl.h> int ldap_ssl_client_init( char *keyring, char *keyring_pw, int ssl_timeout, int *pSSLReasonCode)
The ldap_ssl_client_init() routine is used to initialize the SSL protocol stack for an application process. It should be called once, prior to making any other LDAP calls. Once ldap_ssl_client_init() has been successfully called, any subsequent invocations will return a return code of LDAP_SSL_ALREADY_INITIALIZED.
A related API, ldap_app_ssl_client_init_np() is available for using Digital Certificate Manager (DCM) Application IDs when authenticating the client to the server. Either ldap_ssl_client_init() or ldap_app_ssl_client_init_np() (but not both) can be called in an application process.
Although still supported, the use of the ldap_ssl_start() API is now deprecated. The ldap_ssl_client_init() and ldap_ssl_init() or ldap_app_ssl_client_init_np() and ldap_app_ssl_init_np() APIs should be used instead.
Read, *R, authority is needed to the selected Certificate Store and Execute, *X, to the associated directories.
A fully-qualified path and filename is recommended. If a filename without a fully-qualified path is specified, the LDAP library will look in the current directory for the file. The key database file specified here must have been created using the Digital Certificate Manager (DCM). If a key database is not supplied, keyring is null, the *SYSTEM Certificate Store is used.
Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.
The following scenario depicts the recommended calling sequence where the entire set of LDAP transactions are "protected" by using a secure SSL connection, including the dn and password that flow on the ldap_simple_bind():
rc = ldap_ssl_client_init(keyfile, keyfile_pw, timeout, &sslrc); ld = ldap_ssl_init(ldaphost, ldapport, label ); rc = ldap_set_option( ld, LDAP_OPT_SSL_CIPHER, &ciphers); rc = ldap_simple_bind_s(ld, binddn, passwd); ...additional LDAP API calls rc = ldap_unbind( ld );
The following scenario depicts using the SASL EXTERNAL mechanism for authenticating the client to the server using the credentials in the SSL certificate:
rc = ldap_ssl_client_init(keyfile, keyfile_pw, timeout, &sslrc); ld = ldap_ssl_init(ldaphost, ldapport, label ); rc = ldap_set_option( ld, LDAP_OPT_SSL_CIPHER, &ciphers); rc = ldap_sasl_bind_s( ld, NULL, LDAP_MECHANISM_EXTERNAL, NULL, NULL, NULL ); ...additional LDAP API calls rc = ldap_unbind( ld );
Note that the sequence of calls for the deprecated APIs is ldap_open/init(), ldap_ssl_start(), followed by ldap_bind().
The following ciphers are attempted for the SSL handshake by default, in the order shown.
(Export Version) RC4_MD5_EXPORT RC2_MD5_EXPORT (Non-export Version) RC4_SHA_US RC4_MD5_US DES_SHA_US 3DES_SHA_US RC4_MD5_EXPORT RC2_MD5_EXPORT
See ldap_get/set_option() for more information about setting the ciphers to be used.
The ldap_ssl_client_init() API includes RSA software. RSA is a trademark of RSA Data Security, Inc.
If ldap_ssl_client_init() is not successful, it returns an LDAP error code. See LDAP Client API Error Conditions for possible values for the error codes.
The following message may be sent from this function.
Message ID | Error Message Text |
---|---|
CPF3CF2 E | Error(s) occurred during running of ldap_ssl_client_init API. |
[ Back to top | LDAP APIs | APIs by category ]