#include <ldap.h>
#include <ldapssl.h>
LDAP *ldap_ssl_init(
char *host,
int port,
char *name)
The ldap_ssl_init() routine is used to initialize a secure SSL session with a server. The server is not actually contacted until an operation is performed that requires it, allowing various options to be set after initialization. Once the secure connection is established for the ld, all subsequent LDAP messages that flow over the secure connection are encrypted, including the ldap_simple_bind() parameters, until ldap_unbind() is called.
Although still supported, the use of the ldap_ssl_start() API is now deprecated. The ldap_ssl_client_init() and ldap_ssl_init() or ldap_app_ssl_client_init_np() and ldap_app_ssl_init_np() APIs should be used instead.
Read, *R, authority is needed to the selected Certificate Store and Execute, *X, to the associated directories.
(Input) Several methods are supported for specifying one or more target LDAP servers, including the following:
| Explicit Host List | Specifies the name of the host on which the LDAP
server is running. The host parameter may contain a blank-separated list of
hosts to try to connect to, and each host may optionally be of the form
host:port. If present, the :port overrides the port parameter. The following
are typical examples:
ld=ldap_ssl_init ("server1", ldaps_port, cert_label);
ld=ldap_ssl_init ("server2:1200", ldaps_port, cert_label);
ld=ldap_ssl_init ("server1:800 server2:2000 server3", ldaps_port, cert_label);
|
| Localhost | If the host parameter is null, the LDAP server will be assumed to be running on the local host. |
| Default Hosts | If the host parameter is set to "ldaps://" the LDAP library
will attempt to locate one or more default LDAP servers, with SSL ports, using
the SecureWay ldap_server_locate()
function. The port specified on the call is ignored, since ldap_server_locate()
returns the port. For example, the following two are equivalent:
ld=ldap_ssl_init ("ldaps://", ldaps_port, cert_label);
ld=ldap_ssl_init (LDAPS_URL_PREFIX, LDAPS_PORT, cert_label);
|
| If more than one default server is located, the list is processed in sequence, until an active server is found. | |
The LDAP URL can include a Distinguished Name, used as a
filter for selecting candidate LDAP servers based on the server's suffix (or
suffixes). If the most significant portion of the DN is an exact match with a
server's suffix (after normalizing for case), the server is added to the list
of candidate servers. For example, the following will only return default LDAP
servers that have a suffix that supports the specified DN:
ld=ldap_ssl_init ("ldaps:///cn=fred, dc=austin, dc=ibm, dc=com", LDAPS_PORT, cert_label);
In this case, a server that has a suffix of "dc=austin, dc=ibm, dc=com" would
match. If more than one default server is located, the list is processed in
sequence, until an active server is found. |
|
If the LDAP URL contains a host name and optional port, the
host is used to create the connection. No attempt is made to locate the default
server(s), and the DN, if present, is ignored. For example, the following two
are equivalent:
ld=ldap_ssl_init ("ldaps://myserver", LDAPS_PORT, cert_label);
ld=ldap_ssl_init ("myserver", LDAPS_PORT, cert_label);
|
|
| Local Socket | If the host parameter is prefixed with "/", the host parameter is assumed to be the name of a UNIX socket (that is, socket family is AF_UNIX) and port is ignored. This will fail for ldap_ssl_init() because UNIX sockets do not support SSL, nor is it necessary since data will not be flowing over the network. |
| Host with Privileged Port | If a specified host is prefixed with "privport://", then the LDAP library will use the rresvport() function to attempt to obtain one of the reserved ports (512 through 1023), instead of an "ephemeral" port. The search for a reserved port starts at 1023 and stops at 512. If a reserved port cannot be obtained, the function call will fail. For example: |
ld=ldap_ssl_init ("privport://server1, ldaps_port, cert_label");
ld=ldap_ssl_init ("privport://server2:1200", ldaps_port, cert_label);
ld=ldap_ssl_init ("privport://server1:800 server2:2000 privport://server3",ldaps_port,cert_label);
If the LDAP server is configured to perform Server Authentication, a client certificate is not required (and name can be set to null). If the LDAP server is configured to perform Client and Server Authentication, a client certificate is required. name can be set to null if a default certificate/private key pair has been designated as the default (using Using Ikmgui). Similarly, name can be set to null if there is a single certificate/private key pair in the designated key database.
See Code disclaimer information for information pertaining to code examples.
The following scenario depicts the recommended calling sequence where the entire set of LDAP transactions are "protected" by using a secure SSL connection, including the dn and password that flow on the ldap_simple_bind():
rc = ldap_ssl_client_init (keyfile, keyfile_pw, timeout, reasoncode); ld = ldap_ssl_init(ldaphost, ldapport, label ); rc = ldap_set_option( ld, LDAP_OPT_SSL_CIPHER, &ciphers); rc = ldap_simple_bind_s(ld, binddn, passwd); ...additional LDAP API calls rc = ldap_unbind( ld );
The sequence of calls for the deprecated APIs is ldap_open/init(), ldap_ssl_start(), followed by ldap_bind().
See ldap_get or set_option() for more information on setting the ciphers to be used.
ldap_ssl_init() will return NULL if not successful.
The following message may be sent from this function.
| Message ID | Error Message Text |
|---|---|
| CPF3CF2 E | Error(s) occurred during running of ldap_ssl_init API. |
ldap_ssl_environment_init() --Initialize SSL for a secure connection between client and server.
ldap_start_tls_app_np() --Start a TLS session with an Application ID.ldap_start_tls_s_np() --Start a TLS session with a Certificate.ldap_stop_tls_s_np() --End a TLS session.| Top | LDAP APIs | APIs by category |