From: Kiran Ayyagari
To: api@directory.apache.org
Date: Tue, 21 Aug 2012 11:01:04 +0530
Subject: Re: How do I use the LDAP API with SSL/TLS

On Tue, Aug 21, 2012 at 5:09 AM, Nate Seeley wrote:
> I would like to use the LDAP API to allow my Java application to query LDAP
> over a secure connection. I've read the docs at
> http://directory.apache.org/api/connection-and-disconnection.html and still
> have a few questions.
>
> The docs say all we have to do to make the connection secure is to pass
> true as a third parameter to the LdapNetworkConnection constructor.
>
> LdapConnection connection = new LdapNetworkConnection( "localhost",
> 636, true );
>
> I was wondering the following:
>
> 1.) How does LdapNetworkConnection know what certificates to trust? I
> assume we need to import certificates into a Java keystore first, right?
> How do I tell LdapNetworkConnection what keystore to use?
> 2.) How do I verify that the hostname of the server I am connecting to matches
> what is on the certificate?

For 1 & 2 you need to use a custom TrustManager (set it using LdapConnectionConfig.setTrustManagers()); by default LdapNetworkConnection uses the default TrustManager.

> 3.) Does the LDAP API support using StartTLS so that I can connect to my
> LDAP server on the insecure port 389 and then upgrade to a TLS/SSL
> connection?

Yes, call startTls() after creating the connection.

> I would appreciate any help you can offer. Thank you for your time,
>
> Nate
>
> PS. I'm using the latest version available as of today, which is 1.0.0-M12

--
Kiran Ayyagari
http://keydap.com
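A worked example of Kiran's answer, added here and not code from the thread or from the Apache Directory project: a TrustManager loaded from the application's own keystore that also checks the server certificate's dNSName entries against the host that was dialed (questions 1 and 2), plugged in through LdapConnectionConfig.setTrustManagers() and combined with startTls() on port 389 (question 3). The host name, truststore path, password and bind DN are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Delegates chain validation to a keystore-backed JSSE trust manager, then
 *  checks the leaf certificate's dNSName SANs against the host we dialed. */
public class HostCheckingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final String expectedHost;

    public HostCheckingTrustManager(String truststore, char[] pw, String host) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststore)) { ks.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // only the roots in this keystore are trusted, not the JRE cacerts
        delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        expectedHost = host;
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);   // question 1: chain must anchor in our truststore
        if (chain[0].getSubjectAlternativeNames() != null) {
            for (List<?> san : chain[0].getSubjectAlternativeNames()) {
                // question 2: type 2 is dNSName; exact match only, wildcards deliberately not handled
                if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase(String.valueOf(san.get(1)))) return;
            }
        }
        throw new CertificateException("server certificate does not name " + expectedHost);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    public static void main(String[] args) throws Exception {
        String host = "ldap.example.com";   // placeholder values: host, truststore path, password, bind DN
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(389);            // or setLdapPort(636) plus config.setUseSsl(true) for LDAPS
        config.setTrustManagers(new HostCheckingTrustManager("/path/to/truststore.jks", "changeit".toCharArray(), host));
        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        connection.startTls();              // question 3: upgrade the plain 389 session before any bind
        connection.bind("uid=admin,ou=system", "secret");
        connection.close();
    }
}
```

If the server presents a certificate that chains to the truststore but names a different host, the connection fails at startTls() rather than silently proceeding, which is the check the default TrustManager alone does not give you.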