LDAP over TLS

The LDAP 3.0 connector supports TCP and TLS connections to the LDAP server. By default, TCP is used, but you can configure the connector to use TLS connections by setting connector options.

In this case, the connector attempts to make a connection to the LDAP server over TLS and then validates the server certificate. Client verification is done using a user name and password. The connector does not upgrade an existing TCP connection to TLS.

To enable TLS for LDAP, set the connector option tls server validation. For more information, see tls server validation.

Note: LDAP over TLS does not use the Uniface TLS connector.

Server Verification

TLS connections require the TLS client (the LDAP connector) to validate the certificate of the TLS server (the LDAP server). There are two parts to the verification:

Certificate Validation

The client receives the certificate from the server and verifies the validity of the certificate. It checks that the certificate is not expired and validates the trust chain. To do this, it needs to have the CA certificate that was used to sign the server’s certificate. In the case of self-signed certificates, the self-signed certificate is both the server certificate and the CA certificate.

For Windows, this certificate must be placed in the current user's Trusted Root Authentication Store or the system Trust store.

For Unix, the location of the CA certificate must be specified by a connector option—one of tls ca file or tls ca directory. For more information, see tls ca file | directory

Peer Name Verification

The client verifies that the name in the certificate is the same server name used to make the connection to the server. For name verification, the CN field in the certificate must contain the fully-qualified domain name of the server, or its IP address. This name must match the server name that was used in the Uniface database path:

  • Uniface Path: $LDP = LDP:fully.qualified.server.name:ou=People,o=ldaptest.com|uid=r....
  • Certificate: CN=fully.qualified.server.name

Peer name verification can cause problems if the names do not match exactly. For example, if the server name in the certificate specifies and IP address and Uniface path species the server name.

It is possible to accept the certificate without performing peer name verification. To do so, use the connector option tls server validation=ignore_name.

The following examples show how you can configure the LDAP over TLS.

Calling LDAP from Windows

In this example, the server certificate is validated but peer name verification is skipped:

[DRIVER_SETTINGS]
LDP = U3.0
USYS$LDP_PARAMS tls server validation=ignore_name


[PATHS]
$LDP LDP:www.traders.com+389:o=accounting.com|username |s6cret$

Calling LDAP from Unix

In this example, the server certificate is validated but peer name verification is skipped. Because the call to LDAP is from a Unix machine, the location of the CA certificate is specified:

[DRIVER_SETTINGS]
LDP = U3.0
USYS$LDP_PARAMS tls server validation=ignore_name tls ca dir="/CA/certificates"


[PATHS]
$LDP LDP:www.traders.com+389:o=accounting.com|username |s6cret$