LDAP Libraries for C on Solaris
LDAP Libraries for C on Solaris enables you to write applications to access, manage, update, and search for information stored in eDirectory and other LDAP-aware directories.
The LDAP libraries provide access to eDirectory based on the C LDAP Application Program Interface (which is based on the draft proposed to the IETF). Portions of the source for this component are based on the Directory SDK (Version 2.0), which is available from OpenLDAP.org.
LDAP Libraries for C
The LDAP Libraries for C SDK enables you to write applications to access, manage, update, and search for information stored in eDirectory and other LDAP-aware directories. LDAP (Lightweight Directory Access Protocol) is becoming an Internet standard for accessing directory information, allowing LDAP-enabled applications to access multiple directories. LDAP v3 supports such features as secure connections (through SSL and SASL), entry management, schema management, and LDAP controls and extensions for expanding the functionality of LDAP.
Dependencies
In addition to LDAP Libraries for C, you will need the following to take full advantage of the functionality offered in the libraries:
- LDAP Server. The libraries can be used to access an LDAP server and its directory. If you are using them to access eDirectory, the LDAP server must be running on NDS 7.x or higher to access LDAP v3 functionality. Other servers in the tree can be running earlier versions of NDS; only the LDAP server needs to be on NDS 7.x or higher.
- SSL. To use SSL, the LDAP server and the LDAP client must be configured for SSL. For more information, refer to the section on "Setting up SSL Security."
- LDAP Extensions for eDirectory. To use the LDAP extensions for naming contexts (partition and replica management) and getting effective rights, the LDAP server must be running on eDirectory 8.5.
Installation
All the files are extracted to a directory on the Unix system. To link to the libraries, set LD_LIBRARY_PATH to the following:
/ldapcsdk/sdk/usr/lib
When you run applications, LD_LIBRARY_PATH must also be set to the following:
/ldapcsdk/sdk/usr/lib
Platform Libraries
Currently the Unix libraries are supported on Solaris 2.6, 2.7, and 2.8. The kit includes the following libraries:
- libldapcsdk.so
- libldapx.so
- libldapssl.so
Supported Compilers
On Solaris, the libraries can be used with the following C compilers:
- Sun Workshop 5.0
- Sun Workshop 4.2
Use the -xCC option to compile the sample programs and any program that uses the LDAP functions.
Sample Code
The LDAP sample code is installed in the following directories:
- /ldapcsdk/sdk/usr/samples
- /ldapcsdk/sdk/usr/samples/extensions
Setting Up SSL Security
The LDAP Libraries for C are independent of Novell client software, and they perform their own authentication. For SSL authentication to work, the LDAP server must have a certificate to use with SSL, and the LDAP libraries must be set up with certificates. Thus, two components must be set up to use SSL:
- LDAP Server
- LDAP Libraries
LDAP Server
In eDirectory and higher, the LDAP server is installed and started automatically with NDS. By default, the LDAP server is set up to service anonymous binds. To enable secure connections over SSL, the LDAP server must be set up with a digital certificate from a Certificate Authority.
The steps for setting up SSL on the LDAP server are slightly different for each release of eDirectory. For specific information, see one of the following:
LDAP Libraries
SSL authentication requires the following:
- ConsoleOne 1.2C or higher
- NDS Corporate Edition or eDirectory on Unix with the security framework
To set up an LDAP application for an SSL connection, complete the following steps:
- Install the NICI software on the client.
- From ConsoleOne, create and export a trusted root certificate (a .der file). For step-by-step instructions for this procedure, see the administration guide that comes with eDirectory.
- Copy the certificate to the client workstation.
- Call the ldapssl_client_init function with the certFile parameter set to the name of the certificate file.
LDAP Tools
The LDAP kit includes the following tools:
- ldapsearch
- ldapadd
- ldapdelete
- ldapmodify
- ldapmodrdn
Note: The Novell Import Convert Export utility is available only on NetWare and Win32 for this release. It will be available for Solaris in the November release of the LDAP SDK.
If the LDAP tools are used over SSL connections, they require a NICI component not included in the download. You must also create a certificate. To enable SSL connections, complete the following steps:
- Download the NICI from the following location: http://download.novell.com/sdMain.jsp#NICI+Encryption+Modules
- Log in as root.
- Untar and install the daemon.
- The ccsd daemon, required for secured operations, is automatically started. After installation, all users can use this daemon for their secured operations.
- On the server where the tools are going to be used over SSL connections, enter the following command to start the PKI server:
npki -l
- From ConsoleOne, right-click the Security object at the [Root] of the tree and click New > Object.
- Select NDSPKI: Certificate Authority > OK, and then follow the online instructions.
- Select your target server and enter a name for the NDS object name. For the creation method, select Custom and then press the Next button.
- Select your key size, accept the other default values, and press the Next button.
- In Select certificate basic constraints, choose the defaults and press the Next button.
- In Specify the certificate parameters, choose Specify dates for the Validity period. For the effective date, choose a day before the system date and accept the other default values.
- Right-click the container for the LDAP Server object and then select New -> Object.
- Select NDSPKI: Key Material -> OK.
- Select your target server and enter a name for the NDS object. For creation method, select Custom and then press the Next button.
- In Specify the certificate authority, accept the defaults (which will sign this certificate) and press the Next button.
- In Specify an RSA key size and how the key is to be used, select the key size, accept the other default values, and press the Next button.
- In Specify the certificate parameters, choose Specify dates for the Validity period. For the effective date, choose a day before the system date and accept the other default values.
- In Specify the trusted root certificate to be associated with server certificate, accept the defaults and press the Next button.
- Click Finish to create the key material.
- Double-click on the LDAP server object.
- In the General Property page, select the SSL certificate (KMO). Then click Refresh NLDAP Server Now -> Close. Your LDAP server must be running for this to work.
- To export the self-assigned CA out of eDirectory in DER format, double-click the KMO object, select the Certificates property page, choose Trusted root certificate, click Export, select File in binary DER format, and then click OK.
- Export the following:
LD_LIBRARY_PATH=/ldapcsdk/sdk/usr/lib
- Use the .der file generated from the target server for all secured operations. Include this file in all command-line LDAP operations that establish secure LDAP connections to eDirectory.
For LDAP applications, call the ldapssl_client_init function with the certFile parameter set to the name of the certificate file.
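A pre-flight check an application could run on the exported file before passing its name to ldapssl_client_init, shown as an added example that is not part of the SDK or the original page: it confirms the file is binary DER rather than a Base64 export or a truncated copy. The names classify_cert and cert_kind and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Pre-flight result codes (hypothetical names, not part of the LDAP SDK). */
enum cert_kind { CERT_DER_OK, CERT_PEM_TEXT, CERT_TRUNCATED, CERT_NOT_DER };

/* A DER certificate is a single ASN.1 SEQUENCE: tag 0x30, a definite
 * length, then exactly that many content bytes and nothing after them. */
enum cert_kind classify_cert(const unsigned char *buf, size_t len)
{
    static const char pem[] = "-----BEGIN";
    size_t hdr = 2, body = 0, n, i;
    if (len >= sizeof pem - 1 && memcmp(buf, pem, sizeof pem - 1) == 0)
        return CERT_PEM_TEXT;              /* Base64 export, not binary DER */
    if (len < 2)
        return CERT_TRUNCATED;
    if (buf[0] != 0x30)
        return CERT_NOT_DER;
    if (buf[1] < 0x80) {
        body = buf[1];                     /* short form: one length byte */
    } else {
        n = buf[1] & 0x7f;                 /* long form: n length bytes follow */
        if (n == 0 || n > 4)
            return CERT_NOT_DER;           /* indefinite or implausible length */
        if (len < 2 + n)
            return CERT_TRUNCATED;
        for (i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    if (len - hdr < body)
        return CERT_TRUNCATED;             /* file cut short while copying */
    if (len - hdr > body)
        return CERT_NOT_DER;               /* trailing bytes after the SEQUENCE */
    return CERT_DER_OK;
}

/* Constructed samples: minimal byte strings, not real certificates. */
static const unsigned char sample_der[]   = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char sample_short[] = { 0x30, 0x82, 0x03, 0x4a, 0x30, 0x82 };
static const unsigned char sample_pem[]   = "-----BEGIN CERTIFICATE-----\nMIID";

int main(void)
{
    printf("der=%d short=%d pem=%d\n",
           (int)classify_cert(sample_der, sizeof sample_der),
           (int)classify_cert(sample_short, sizeof sample_short),
           (int)classify_cert(sample_pem, sizeof sample_pem - 1));
    return 0;
}
```

Any result other than CERT_DER_OK means the export or copy step should be repeated before the application attempts an SSL connection.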