LDAP application developers know that, to authenticate over SSL, the application needs the LDAP server's SSL certificate available in some format (Novell uses certificates in CER/DER format, while OpenLDAP requires the certificate in PEM format).
This cool solution / tool lets users perform an LDAP authentication without first obtaining the LDAP server's certificate. This article shows how to get the certificate on the fly, validate it, accept it and then do the LDAP authentication.
A Mono or Microsoft .Net environment with the required libraries must be present.
Normal SSL connection:
Before reading this, see the following article, which shows how to use the Novell C# LDAP SDK to do a normal LDAP SSL authentication using the LDAP server's SSL certificate:
LDAP SSL Authentication with LDAP Libraries for C#
Overview of the Interactive SSL Bind:
This approach lets the application view the details of the LDAP server to which it is connecting over SSL, as presented in the server's certificate. Once the certificate details are available, the application can decide whether or not to proceed with the SSL handshake.
If the client decides to proceed with the SSL handshake, the server's certificate is imported automatically into the client's (Mono) trusted store.
Internals of the Interactive SSL implementation:
    using Novell.Directory.Ldap;
    ...
    ...
    LdapConnection conn = new LdapConnection();
    conn.SecureSocketLayer = true;
    // Register the callback before Connect(): the SSL handshake, and therefore
    // the certificate check, happens inside Connect().
    conn.UserDefinedServerCertValidationDelegate += new CertificateValidationCallback(SSLHandler);
    conn.Connect(ldapHost, ldapPort);
    conn.Bind(loginDN, password);
    ...
    ...

where SSLHandler is the callback method that receives the server's certificate and returns true to accept it or false to abort the handshake.
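The following is an added example, not the source of the article's InteractiveSSLBind.exe tool: a complete console program built around the snippet above that prints the server certificate's details, asks the user whether to continue, and only then binds. It assumes the Novell.Directory.Ldap.dll and Mono.Security.dll assemblies are referenced; the SSLHandler signature follows the Mono.Security CertificateValidationCallback delegate (an X509Certificate plus an int[] of validation error codes). It goes one step beyond the article by allowing an optional pinned thumbprint, so that a scripted run accepts only the certificate you expect instead of prompting; the pinnedThumbprint value is a constructed placeholder.

```csharp
// Added example (not the article's InteractiveSSLBind.exe). Assumed build line:
//   mcs -r:Novell.Directory.Ldap.dll -r:Mono.Security.dll InteractiveBindExample.cs
using System;
using Novell.Directory.Ldap;
using Mono.Security.Protocol.Tls;            // CertificateValidationCallback delegate type
using Syscert = System.Security.Cryptography.X509Certificates;

public class InteractiveBindExample
{
    // Optional pin: when set, the callback accepts only the certificate with this
    // SHA-1 thumbprint and never prompts. The value shown is a constructed placeholder.
    static string pinnedThumbprint = null; // e.g. "0123456789ABCDEF0123456789ABCDEF01234567"

    public static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.WriteLine("usage: InteractiveBindExample <ldapHost> <ldapPort> <loginDN> <password>");
            return 1;
        }
        string ldapHost = args[0];
        int ldapPort = int.Parse(args[1]);
        string loginDN = args[2];
        string password = args[3];

        LdapConnection conn = new LdapConnection();
        conn.SecureSocketLayer = true;
        // The handshake runs inside Connect(), so the callback must be in place first.
        conn.UserDefinedServerCertValidationDelegate +=
            new CertificateValidationCallback(SSLHandler);
        try
        {
            conn.Connect(ldapHost, ldapPort);   // SSLHandler is invoked during this call
            conn.Bind(loginDN, password);
            Console.WriteLine("Bind succeeded as " + loginDN);
            return 0;
        }
        catch (LdapException e)
        {
            // A rejected certificate surfaces here as a connect failure.
            Console.WriteLine("LDAP error: " + e.Message);
            return 2;
        }
        finally
        {
            conn.Disconnect();
        }
    }

    // Called by the library with the server certificate and the error codes the TLS
    // layer found. Returning true accepts the certificate; false aborts the handshake.
    public static bool SSLHandler(Syscert.X509Certificate certificate, int[] certificateErrors)
    {
        Syscert.X509Certificate2 cert = new Syscert.X509Certificate2(certificate);

        Console.WriteLine("Server certificate:");
        Console.WriteLine("  Subject    : " + cert.Subject);
        Console.WriteLine("  Issuer     : " + cert.Issuer);
        Console.WriteLine("  Valid from : " + cert.NotBefore.ToString("u"));
        Console.WriteLine("  Valid until: " + cert.NotAfter.ToString("u"));
        Console.WriteLine("  Serial     : " + cert.SerialNumber);
        Console.WriteLine("  SHA-1      : " + cert.Thumbprint);
        if (certificateErrors != null && certificateErrors.Length > 0)
        {
            Console.WriteLine("  TLS validation error codes: " +
                string.Join(", ", Array.ConvertAll(certificateErrors, c => c.ToString())));
        }

        // Pinned mode: decide from the thumbprint alone, no user interaction.
        if (pinnedThumbprint != null)
        {
            bool match = string.Equals(cert.Thumbprint, pinnedThumbprint,
                                       StringComparison.OrdinalIgnoreCase);
            Console.WriteLine(match ? "Thumbprint matches pinned value; accepting."
                                    : "Thumbprint does not match pinned value; rejecting.");
            return match;
        }

        // Interactive mode: let the user compare the details shown against what
        // they expect before the handshake continues.
        Console.Write("Accept this certificate and continue the SSL handshake? [y/N] ");
        string answer = Console.ReadLine();
        return answer != null && answer.Trim().ToLowerInvariant() == "y";
    }
}
```

Unlike the article's tool, this example does not write the accepted certificate into the Mono trusted store, so the decision applies to the current process only and the prompt (or pin check) is repeated on every run. Keeping the decision per-session is the conservative choice for a script; the pin lets you record the thumbprint after one verified interactive run and fail closed thereafter.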
The tool runs on Linux or Windows with Mono/.Net environment present.
InteractiveSSLBind.exe is a simple tool that lets you do an SSL authentication against an LDAP server by fetching the server's certificate details on the fly and accepting the certificate only if the user agrees.
The path to the mono binary has to be in your PATH environment variable. Just typing 'mono ./InteractiveSSLBind.exe' prints the tool's usage.
When you supply the proper parameters, the tool prints some basic details of the certificate to the console.
Once the user accepts the certificate, it is added to the (Mono) trusted store. From then on, the tool can perform SSL authentication against the LDAP server repeatedly, for as long as the user wants.
For more details on the APIs and other functionality of the LDAP Libraries for C# SDK, readers can visit:
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.