Posted to api@directory.apache.org by Nate Seeley <se...@adaptivecomputing.com> on 2012/08/21 01:39:57 UTC

How do I use the LDAP API with SSL/TLS

I would like to use the LDAP API to allow my java application to query LDAP
over a secure connection.  I've read the docs at
http://directory.apache.org/api/connection-and-disconnection.html and still
have a few questions.

The docs say all we have to do to make the connection secure is to pass
true as a third parameter to the LdapNetworkConnection constructor.

    LdapConnection connection = new LdapNetworkConnection( "localhost", 636, true );

I was wondering the following :

1.) How does LdapNetworkConnection know what certificates to trust? I
assume we need to import certificates into a java keystore first, right?
How do I tell LdapNetworkConnection what keystore to use?
2.) How do I verify the hostname of the server I am connecting to matches
what is on the certificate?
3.) Does the LDAP API support using StartTLS so that I can connect to my
LDAP server on the unsecure port 389 and then upgrade to a TLS/SSL
connection?

I would appreciate any help you can offer. Thank you for your time,

Nate

PS. I'm using the latest version available as of today, which is 1.0.0-M12

Re: How do I use the LDAP API with SSL/TLS

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Aug 21, 2012 at 5:09 AM, Nate Seeley
<se...@adaptivecomputing.com> wrote:
> I would like to use the LDAP API to allow my java application to query LDAP
> over a secure connection.  I've read the docs at
> http://directory.apache.org/api/connection-and-disconnection.html and still
> have a few questions.
>
> The docs say all we have to do to make the connection secure is to pass
> true as a third parameter to the LdapNetworkConnection constructor.
>
>     LdapConnection connection = new LdapNetworkConnection( "localhost",
> 636, true );
>
> I was wondering the following :
>
> 1.) How does LdapNetworkConnection know what certificates to trust? I
> assume we need to import certificates into a java keystore first, right?
> How do I tell LdapNetworkConnection what keystore to use?
> 2.) How do I verify the hostname of the server I am connecting to matches
> what is on the certificate?
for 1 & 2 you need to use a custom TrustManager (set it using
LdapConnectionConfig.setTrustManagers());
by default LdapNetworkConnection uses the default TrustManager.
> 3.) Does the LDAP API support using StartTLS so that I can connect to my
> LDAP server on the unsecure port 389 and then upgrade to a TLS/SSL
> connection?
>
yes, call the startTls() after creating the connection
> I would appreciate any help you can offer. Thank you for your time,
>
> Nate
>
> PS. I'm using the latest version available as of today, which is 1.0.0-M12



-- 
Kiran Ayyagari
http://keydap.com

Re: How do I use the LDAP API with SSL/TLS

Posted by Daniel Fisher <df...@vt.edu>.
On Mon, Aug 20, 2012 at 7:39 PM, Nate Seeley
<se...@adaptivecomputing.com> wrote:
> 2.) How do I verify the hostname of the server I am connecting to matches
> what is on the certificate?

See this issue: https://issues.apache.org/jira/browse/DIRAPI-72
if you're looking for a trust manager that does hostname verification.

--Daniel Fisher
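The two answers above fit together: Kiran's point that certificate trust and hostname checking both go through a custom TrustManager handed to LdapConnectionConfig.setTrustManagers(), plus startTls() for question 3, and Daniel's pointer to a hostname-verifying trust manager. The class below is an added example written for this thread, not code from the Apache Directory project, from DIRAPI-72, or from either poster. It assumes a JKS truststore at a placeholder path, placeholder host, bind DN and password, and that the LdapConnectionConfig setters it calls (setLdapHost, setLdapPort, setUseSsl, setTrustManagers) and LdapNetworkConnection.startTls() exist in the release you use.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Validates the chain through a keystore-backed trust manager, then checks the dNSName SANs against the host. */
public final class HostnameVerifyingTrustManager implements X509TrustManager {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)
    private final X509TrustManager delegate;
    private final String expectedHost;

    public HostnameVerifyingTrustManager(X509TrustManager delegate, String expectedHost) {
        this.delegate = delegate;
        this.expectedHost = expectedHost.toLowerCase();
    }

    /** Loads trust anchors from a JKS truststore; path and password are supplied by the caller. */
    public static X509TrustManager fromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("truststore yielded no X509TrustManager");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // rejects untrusted, expired or malformed chains
        if (!matchesHost(chain[0])) {
            throw new CertificateException("server certificate does not name host " + expectedHost);
        }
    }

    /** True when a dNSName SAN equals the host or is a single left-most wildcard covering it. */
    boolean matchesHost(X509Certificate cert) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN extension: fail closed rather than fall back to the CN
        for (List<?> san : sans) {
            if (SAN_DNS_NAME == (Integer) san.get(0) && nameMatches((String) san.get(1))) return true;
        }
        return false;
    }

    private boolean nameMatches(String pattern) {
        pattern = pattern.toLowerCase();
        if (pattern.startsWith("*.")) {
            String suffix = pattern.substring(1); // "*.example.com" -> ".example.com"
            return expectedHost.endsWith(suffix)
                && expectedHost.indexOf('.') == expectedHost.length() - suffix.length();
        }
        return pattern.equals(expectedHost);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Wires the trust manager into the LDAP API for LDAPS and for StartTLS (all values are placeholders). */
    public static void main(String[] args) throws Exception {
        String host = "ldap.example.com";
        X509TrustManager anchors = fromTrustStore("/path/to/truststore.jks", "changeit".toCharArray());
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setTrustManagers(new HostnameVerifyingTrustManager(anchors, host)); // replaces the JVM default

        // LDAPS: TLS from the first byte on 636.
        config.setLdapPort(636);
        config.setUseSsl(true);
        LdapNetworkConnection ldaps = new LdapNetworkConnection(config);
        ldaps.bind("cn=reader,dc=example,dc=com", "placeholder-password");
        ldaps.close();

        // StartTLS: plain connect on 389, upgrade, and only then send credentials.
        config.setLdapPort(389);
        config.setUseSsl(false);
        LdapNetworkConnection upgraded = new LdapNetworkConnection(config);
        upgraded.connect();
        upgraded.startTls();
        upgraded.bind("cn=reader,dc=example,dc=com", "placeholder-password");
        upgraded.close();
    }
}
```

Two design choices worth noting: a certificate without a subjectAltName extension is rejected instead of falling back to the CN, and the wildcard rule accepts only a single left-most label, which is simpler than the full RFC 6125 matching a production library would do. The StartTLS branch calls startTls() before bind() so the simple-bind password never crosses the wire in clear text.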