This article explains how to do LDAP SSL authentication using the Novell LDAP Libraries for C# (more details on this C# LDAP SDK can be found at http://developer.novell.com/wiki/index.php/LDAP_Libraries_for_C_sharp ).
Prerequisites:
- A Mono / Microsoft .Net environment with the required libraries needs to be present.
- Presence of LDAP Server Certificate:
The LDAP Libraries for C# have their own SSL authentication implementation that can be used. For LDAP SSL authentication, the LDAP server needs a certificate to use with SSL. The certificate can be exported from the eDirectory server using iManager.
- The .Net / Mono environment needs to be set up to store the certificates in the Mono Trust Store. Before setting up the environment, make sure that your machine has the following:
The Mono Security Library - Mono.Security.dll
A Mono KeyStore for storing root certificates (managed with the certmgr.exe tool)
(The certmgr utility is used to create a Mono Trust Store that contains the server certificate.)
- On Linux, if Mono is installed, Mono.Security.dll and certmgr.exe are part of it. The MONO_PATH environment variable needs to be set.
- On Windows, Mono.Security.dll and certmgr.exe (which can be obtained from http://www.mono-project.com) need to be installed, and their location must also be added to your .NET client application path.
- When compiling security-related applications, Mono.Security.dll has to be referenced along with Novell.Directory.Ldap.dll.
For further details on setting up the Mono / .Net environment, please refer to http://www.novell.com/communities/node/8772/setting-novell-ldap-libraries-c
Mono Trust Store:
- From ConsoleOne or iManager, export the Trusted Root Certificate (a .DER file) of the eDirectory server you wish to connect to over the secure channel and save it locally in a location of your choice.
For further details on how to export the certificate through iManager, please refer to
http://www.novell.com/communities/node/8757/exporting-ssl-certificate-using-imanager
Assume you stored this as /home/exports/TrustedRootCert.der
- Rename the file from .DER to .cer (rename /home/exports/TrustedRootCert.der to /home/exports/TrustedRootCert.cer ).
This is necessary because Mono currently does not recognize the .der extension.
- Use the certmgr.exe utility to create the Mono trust store file containing the trusted root certificate.
If /home/exports/TrustedRootCert.cer is the certificate filename, the command is as follows:
certmgr -add -c Trust /home/exports/TrustedRootCert.cer
where 'Trust' is the store name.
To verify:
- You can check that the above certificate was added to the Mono Trust Store, located in the
~/.mono/certs/Trust directory
- Or you can run the certmgr utility with the 'list' option against the Trust store.
NOTE: The format and the location of the Mono trust store depend on the Mono release. You should use the certmgr tool to interact safely with the certificate stores. For more information about certmgr, refer to the certmgr manpage.
Writing the Secure Applications:
When you start writing secure applications using the LDAP Libraries for C#, the Mono.Security library first needs to be integrated with the Novell LDAP Libraries.
To do this, set the SecureSocketLayer property to true after creating the LdapConnection instance but before binding, as follows:
using Novell.Directory.Ldap;
...
...
// Create the connection, then enable SSL before Connect() and Bind();
// the server certificate is validated against the Mono trust store set up above.
LdapConnection conn = new LdapConnection();
conn.SecureSocketLayer = true;
// Connect over SSL (the conventional LDAPS port is 636) and authenticate with the login DN.
conn.Connect(ldapHost, ldapPort);
conn.Bind(loginDN, password);
...
...
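The fragment above as a complete program, added here as an example and not code from the original article or the Novell SDK. The host, port, login DN and password are hypothetical placeholders; it assumes the server's trusted root certificate has already been added to the Mono trust store with certmgr, and shows how a failed SSL handshake or bind surfaces as an LdapException.

```csharp
using System;
using Novell.Directory.Ldap;

// Added example (hypothetical host/DN values). Requires Novell.Directory.Ldap.dll
// and Mono.Security.dll to be referenced, and the eDirectory trusted root
// certificate to be present in the Mono trust store (certmgr -add -c Trust ...).
class SecureBindExample
{
    // Returns true only when the SSL connection and the authenticated bind both succeed.
    static bool SecureBind(string host, int port, string loginDn, string password)
    {
        LdapConnection conn = new LdapConnection();
        try
        {
            // Must be set after construction and before Connect(); it makes
            // Connect() open an SSL session instead of a plaintext one.
            conn.SecureSocketLayer = true;
            conn.Connect(host, port);          // 636 is the conventional LDAPS port
            conn.Bind(loginDn, password);
            // Bound is true only after a successful authenticated bind.
            return conn.Bound;
        }
        catch (LdapException e)
        {
            // A server certificate the Mono trust store does not know, a wrong DN
            // or a bad password all end up here; ResultCode tells LDAP-level
            // failures (e.g. LdapException.INVALID_CREDENTIALS) from transport errors.
            Console.Error.WriteLine("LDAP error {0}: {1}", e.ResultCode, e.LdapErrorMessage);
            return false;
        }
        finally
        {
            // Always release the socket, whether or not the bind succeeded.
            if (conn.Connected)
                conn.Disconnect();
        }
    }

    static void Main(string[] args)
    {
        // Placeholder values; pass the real LDAPS host as the first argument.
        string host = args.Length > 0 ? args[0] : "ldap.example.com";
        bool ok = SecureBind(host, 636, "cn=admin,o=example", "secret");
        Console.WriteLine(ok ? "SSL bind succeeded" : "SSL bind failed");
    }
}
```

If the trusted root certificate is missing from the store, the failure appears at Connect() rather than at Bind(), which is a quick way to tell a trust-store problem from a credential problem.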