SSL LDAP connection using Netscape LDAP SDK in a servlet (using jdk 1.1.7b)

[Malcolm Stuart-Fischer]

I am trying to make a secure connection to an LDAP server (on NDS) using the
java LDAP sdk from netscape but can't seem to find any decent code examples
(at least one that a moderate java novice can understand). I have the whole
thing working right now with a regular non-secured connection, but now SSL
is required. here is the connection I'm using currently.

LDAPConnection ld = null;
LDAPEntry findEntry = null;
int status = -1;
try {ld = new LDAPConnection();
/* Connect to server */
String MY_HOST = "192.168.1.234";
int MY_PORT = 389;
ld.connect( MY_HOST, MY_PORT );
ld.authenticate(2,"cn=admin,ou=orgUnit,o=ourCompany","monday");

...ETC...(some search and parse code goes here)...ETC...

} catch( LDAPException e ) {
out.println( "Error: <br>" + e.toString() );
}

/* Done, so disconnect */
if ( (ld != null) && ld.isConnected() ) {
try {
ld.disconnect();
} catch ( LDAPException e ) {
out.println( "Error: <br>" + e.toString() );
}
}

Any help modifying this to use SSL or a gentle nudge in the right direction
would be greatly appreciated.

Malcolm...

[Rob Weltman]

  The SDK doesn't include any SSL code, but it has a way to hook in third-party SSL code. It does it through LDAPSSLSocketFactory. You create an instance of LDAPSSLSocketFactory (specifying the name of a class which extends Socket, but using SSL) and pass it as an argument to the LDAPConnection constructor. There is some info at http://docs.iplanet.com/docs/manuals/dirsdk/jsdk40/ssl.htm#1915315, and a lot more in the book "LDAP Programming with Java".

  We've used it with SSLava from Phaos and with the SSL support that is in Communicator. I've heard that it works well with JSSE (the reference implementation of SSL from Sun), and I'll post an example of using it soon.

Rob
 
 
 

[Anthony]

Hi,

With the package of Phaos, you can connect to your LDAP server throw SSL.

Here is the code for connecting:

LDAPSSLSocketFactory lds = new LDAPSSLSocketFactory("crysec.SSL.SSLSocket");
LDAPConnection ld=new netscape.ldap.LDAPConnection(lds);
ld.connect("localhost",636);
ld.authenticate(dn,pwd);

Then do your search.

For the moment I success with connecting on an Active Directory Server but ONLY
on localhost.

And my question is:

What certificate(s) are used for implementing the SSL connection. I am sure this
is the problem for connecting on remote LDAP server.
Where to place these certificates ?

Thx for help.

Anthony
ILLICO
anthony....@illico.fr

Malcolm Stuart-Fischer a écrit :

[Rob Weltman]

Anthony wrote:

> Hi,
>
> With the package of Phaos, you can connect to your LDAP server throw SSL.
>
> Here is the code for connecting:
>
> LDAPSSLSocketFactory lds = new LDAPSSLSocketFactory("crysec.SSL.SSLSocket");
> LDAPConnection ld=new netscape.ldap.LDAPConnection(lds);
> ld.connect("localhost",636);
> ld.authenticate(dn,pwd);
>
> Then do your search.
>
> For the moment I success with connecting on an Active Directory Server but ONLY
> on localhost.
>
> And my question is:
>
> What certificate(s) are used for implementing the SSL connection. I am sure this
> is the problem for connecting on remote LDAP server.
> Where to place these certificates ?

When using Phaos this (simple) way, no certificates are involved on the client side. The session is encrypted, but the server's certificate is not validated and the client does not present a certificate. Must be some other problem!

Exactly what error do you get? Do you have any way to tell if AD on the remote machine was ever contacted?

Rob

[Anthony]

Hi,

I am finally success to connect to a remote Active Directory with the same code but How ? I don't know ....

- I installed a certificate on the win2000 server and that's all.

Then I make a classical connection (SSLSocket) and I sniffed the transaction:

The client request certificates Client <- request

Server -> send certificate (The own certificate I installed on the server)

Server -> send certificate verisign trust network
Server -> send certificate thawte
Server -> send certificate Digital Certificate

Client <- Request ??

Server -> send certificate thawte
Server -> send certificate verisign trust network
Server -> send certificate Cybertrust

Client <- Request ??
Client <- Request ??

then Client <--- crypted ---> Server

So the session is encrypted .... but it is a simple way.

- Why the other certificates like thawte, trust verisign ........ are used ?

- Now what are the solution so as to used a certificate on the client side and what certificate(s) do I have to place on this side ? (the enrollment of the server certificate ? where to place it ?).

- Another different problem is with the Netscape Directory Server using the wizard certificate management (huh, I am a newbie), I can't view the certificate I installed in the Console/Certificate Management.
Here is the step for installing my certificate:

First using the certificate wizard, I got my CSR then send it to equifaxsecure that send me two certificates. One is the equifaxsecure trial certificate and the other one is the trial web server certificate for my Server.

I installed them like they said and Netscape is confirmed that's all certificates are installed ... right :)

But no certificates / no ciphers when I enabled the SSL in the console and the certificate management list is empty :(

- I am trying to do the same thing with Site Server ..... it seems to be the same problem but I'd like to resolve the Netscape problem first.

Ouch ..... good luck and thanks for your help.

Rob Weltman a écrit :