I'm trying to implement a feature that uses LDAP over SSL (SSL, not TLS). It needs to connect to an SSL-enabled LDAP server (i.e. OpenLDAP), bind and then do any additional queries. It also needs to support client authentication, and this is where things get tricky: the client is a web application written in Ruby, and we are using RubyLDAP (so far we have used it for non-SSL LDAP stuff with great success).
My question is: is there a way to load a client certificate and send its data over the wire to the LDAP server when doing an LDAP::SSLConn? I haven't found anything obvious in the API docs (http://ruby-ldap.sourceforge.net/rdoc/) nor while googling around.
I know that I can prevent the server from asking for a certificate by putting the following in slapd.conf (OpenLDAP):
TLSVerifyClient never
However, this is not an option here.
Thanks,
Marcelo.
I don't know if this is still relevant. Do you need a client cert? You can also use bind users and ACLs in OpenLDAP. This would be much easier and more manageable from within your OpenLDAP server than client certs.
To enable client-side SSL you need to point ruby-ldap to the correct CA cert, the one that signed your server's cert, on your client, in /etc/openldap/ldap.conf:
TLS_CACERT /etc/ssl/yourldapsca.pem
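Added example, not part of the original question or answer: ruby-ldap is a thin binding over libldap, so the same client options libldap reads from ldap.conf / ~/.ldaprc apply to it. TLS_CACERT (shown above) names the CA that signed the server cert; the client certificate and key go in the user-only options TLS_CERT and TLS_KEY (or the LDAPTLS_CERT / LDAPTLS_KEY environment variables) for the account the web application runs as. Before handing those files to libldap it is worth checking, offline, that they agree with each other: the private key must belong to the certificate and the certificate must chain to the CA you intend to list. The script below builds a throw-away CA and client certificate with Ruby's OpenSSL bindings (constructed test material, not a real deployment), runs those two checks, deliberately runs them with the wrong key and the wrong CA to show how each failure looks, and renders the resulting ldaprc lines. The helper names (issue_cert, check_client_material, ldaprc_text) and the paths are this example's own.

```ruby
# Added example: sanity-check client-cert material before configuring libldap
# (and therefore ruby-ldap) with TLS_CACERT / TLS_CERT / TLS_KEY.
require 'openssl'
require 'tmpdir'

# Issue an X.509 v3 certificate for `subject`, signed by issuer_cert/issuer_key,
# or self-signed when no issuer is given. Constructed test data, 1-day validity.
def issue_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for the extensions below
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Does the client cert chain to the CA we are about to list as TLS_CACERT?
def chains_to_ca?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# The two checks libldap will effectively perform (or the server will, on the
# far end) when the client cert is presented during the handshake.
def check_client_material(ca_cert, client_cert, client_key)
  {
    key_matches: client_cert.check_private_key(client_key),
    chains_to_ca: chains_to_ca?(client_cert, ca_cert)
  }
end

# OpenLDAP client options. TLS_CACERT may live in the system-wide ldap.conf;
# TLS_CERT and TLS_KEY are user-only options, so put them in ~/.ldaprc of the
# user the web application runs as (or export LDAPTLS_CERT / LDAPTLS_KEY).
def ldaprc_text(ca_path, cert_path, key_path)
  "TLS_CACERT #{ca_path}\nTLS_CERT #{cert_path}\nTLS_KEY #{key_path}\n"
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert('/CN=Example LDAP CA', ca_key, ca: true, serial: 1)
  client_key = OpenSSL::PKey::RSA.new(2048)
  client = issue_cert('/CN=webapp', client_key,
                      issuer_cert: ca, issuer_key: ca_key, serial: 2)
  # An unrelated CA and key: the two classic misconfigurations.
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca = issue_cert('/CN=Unrelated CA', other_key, ca: true, serial: 3)

  good      = check_client_material(ca, client, client_key)       # both true
  wrong_key = check_client_material(ca, client, other_key)        # key_matches false
  wrong_ca  = check_client_material(other_ca, client, client_key) # chains_to_ca false

  rc = nil
  Dir.mktmpdir do |dir| # hypothetical paths; real ones would be under /etc and $HOME
    ca_path   = File.join(dir, 'ldapca.pem')
    cert_path = File.join(dir, 'webapp.crt')
    key_path  = File.join(dir, 'webapp.key')
    File.write(ca_path, ca.to_pem)
    File.write(cert_path, client.to_pem)
    # The private key must not be world-readable; libldap refuses nothing here,
    # but anyone who can read it can impersonate the web application.
    File.open(key_path, 'w', 0o600) { |f| f.write(client_key.to_pem) }
    rc = ldaprc_text(ca_path, cert_path, key_path)
  end
  { good: good, wrong_key: wrong_key, wrong_ca: wrong_ca, ldaprc: rc }
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts result[:ldaprc]
  puts "good: #{result[:good]}, wrong key: #{result[:wrong_key]}, wrong CA: #{result[:wrong_ca]}"
end
```

Once the checks pass, a bind with `ldapsearch -H ldaps://your-server -x` from the same account is the quickest way to confirm libldap picks the files up; ruby-ldap's LDAP::SSLConn goes through the same library and configuration.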