Secure Sockets Layer (SSL) is the open standard security protocol
for the secure transfer of sensitive information over the
Internet.
You can establish SSL on an LDAP session if the server supports
such sessions. SSL uses X.509 public key technology to provide
the following security functions:
o Integrity and confidentiality of the LDAP dialog
This is the most common use of SSL. The bytes sent over the
wire are encrypted.
o Authentication of the client
Some servers use SSL to authenticate the client and make
access control decisions based on the client identity. In
this case, the client must have access to its private key and
its certificate. The client certificate subject is a DN.
o Authentication of the server
It might be important for the client to verify the identity
of the server to which it is talking. In this case, the client
must have access to the appropriate certification authority
(CA) public keys.
There are several versions of SSL: SSLv2 (2.0), SSLv3 (3.0), and
TLSv1 (3.1). TLS is the latest Internet standard. It does not
require the use of RSA algorithms. Usually the client specifies
the highest version it supports, and the server negotiates
downward, if necessary. The client library supports all the
versions listed here.
You can establish SSL over LDAP two different ways:
o LDAPS
This older, de facto standard uses a separate TCP/IP port
(usually 636) specifically for SSL over LDAP. In this case,
the second parameter to the ldap_tls_start() function must be
set to zero.
o StartTLS
This proposed Internet standard uses a regular LDAP port
(usually 389) and requires the client to request the use
of SSL. In this case, the second parameter to the ldap_tls_
start() function must be set to 1.
1 – SSL Certificate Options
The following session-handle options are specific to SSL and can
be set by the ldap_set_option() function:
o LDAP_OPT_TLS_CERT_REQUIRED (0x7001) void *
Set to LDAP_OPT_ON if the client library requires a server
certificate to be present the next time the ldap_tls_start()
function is called. The default value is LDAP_OPT_OFF; a
server certificate is not required.
o LDAP_OPT_TLS_VERIFY_REQUIRED (0x7002) void *
Set to LDAP_OPT_ON if the client library requires that a
server certificate path be validated the next time the ldap_
tls_start() function is called. The default value is LDAP_OPT_
OFF; the server certificate, if any, is not verified.
o LDAP_OPT_TLS_CERT_FILE (0x7003) char *
Set to the name of a file containing the client's certificate
for use by the ldap_tls_start() function.
o LDAP_OPT_TLS_PKEY_FILE (0x7004) char *
Set to the name of a file containing the client's private key
for use by the ldap_tls_start() function.
o LDAP_OPT_TLS_CA_FILE (0x7005) char *
Set to the name of a file containing CA public keys used for
validation of the server by the ldap_tls_start() function.
o LDAP_OPT_TLS_CA_PATH (0x7006) char *
Set to the name of a directory on disk containing CA public
key files used for validation of the server by the ldap_tls_
start() function.
o LDAP_OPT_TLS_VERSION (0x7007) int *
Set to the desired SSL protocol version. This option takes one
of the following values:
1: TLSv1 only
20: SSLv2 only
23: SSLv2 or SSLv3
30: SSLv3 only (default)
31: TLSv1 only
If LDAP_OPT_TLS_VERIFY_REQUIRED is set to ON, either the LDAP_
OPT_TLS_CA_FILE or the LDAP_OPT_TLS_CA_PATH option must be set.
If client authentication is required, both LDAP_OPT_TLS_CERT_FILE
and LDAP_OPT_TLS_PKEY_FILE must be set.
2 – Obtaining a Key Pair
In order for TLS to authenticate a client, the client must have
a private key and a certificate. Obtain these from either a
Certification Authority or a self-sign program. A self-sign
program is included in the Open Source Security for OpenVMS
product.