Interactive LDAP SSL Binding using C#



By: palaniappan1

September 1, 2009 2:56 pm

Reads: 400

License:
Free

Download InteractiveSSLBind.zip

LDAP application developers know that, for doing an LDAP Authentication over SSL, the application needs to authenticate through the server’s SSL certificate in some format (Novell uses the certificates in the CER/DER format and OpenLDAP requires the certificate in PEM format).

This cool solution / tool will allow users to do an LDAP authentication with out having a LDAP server certificate. This article will enable users to get the certificate on the fly, validate, accept and do the LDAP authentication.

Requirement:

Mono / Microsoft .Net environment with the libraries need to be present.

Normal SSL connection:

Before reading this, the following article will show how to use Novell C# LDAP SDK to do a normal LDAP SSL authentication using the LDAP server’s SSL certificate:
LDAP SSL Authentication with LDAP Libraries for C#

Overview of the Interactive SSL Bind:

This article gives the application the provision to view the details of the LDAP server, to which the client is trying to connect over SSL, through the LDAP server’s certificate. Once the certificate details are available, the application can decide on whether to proceed with the SSL handshake or not.

If the client decides to proceed with the SSL handshake, the server’s certificate will be imported automatically to the client’s (Mono) trusted store.

Internals of the Interactive SSL implementation:

  1. Integrate the Mono.Security library with Novell LDAP Libraries first. This is always needed when you write your secure applications, as the security algorithms are provided by the Mono.Security library.
  2. For this, set the SecureSocketLayer Property to true, before binding, but after creating LdapConnection instance, as follows:
    	using Novell.Directory.Ldap;
    	...
    	...
    
    		LdapConnection conn= new LdapConnection();
    		conn.SecureSocketLayer=true;
    		conn.Connect(ldapHost,ldapPort);
    		conn.Bind(loginDN,password);
    	...
    	...
    	
    	
  3. Now the application code needs to define and register for a certificate verification callback routine. This callback is called, when an unknown certificate has been received while trying to connect to the LDAP server.
    conn.UserDefinedServerCertValidationDelegate += new
                                 CertificateValidationCallback(SSLHandler);
    							 
    							 

    where SSLHandler is the callback method.

  4. The callback routine retrieves information from the unknown certificate via helper functions. And it processes the certificate to get the details of the server, view them, lets the user to decide on whether or not to connect and if the user decides to connect, it goes and binds to the LDAP server.

Interactive SSL Bind Tool:

Requirements:

The tool runs on Linux or Windows with Mono/.Net environment present.

Description:

The tool InteractiveSSLBind.exe is a simple tool that will allow you to do a SSL authentication against a LDAP Server, by getting the server’s certificate details on the fly and accepting that based on the user’s interest.

Usage:

The mono binary’s path has to be there in your environmental variable PATH. Just typing
‘mono ./InteractiveSSLBind.exe’ will give you the usage of the tool.

When you give the proper parameters, the tool will print some of the basic details of the certificate in the console.

Once the user accepts the certificate, the certificate will get added to the (Mono) trusted store. And now, the tool will be able to do a SSL authentication against the LDAP Server continuously till the user wants.

For more details on the APIs and other functionality on the LDAP Libraries for C# SDK, readers can visit:
http://developer.novell.com/wiki/index.php/LDAP_Libraries_for_C_sharp

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: , ,
Categories: Cool Tools

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Comment