
I am currently trying to connect to my Novell LDAP over SSL using C#. At first, I tried exactly the same operation with authentication = None and it works perfectly.

My domain name was of this form: LDAP://xxx.yyy.zzz.com:999/o=XYZ,c=ZYX and in my query I had AuthenticationType.None set.

Now, if I try the same with LDAPS://xxx.yyy.zzz.com:636/o=XYZ,c=ZYX and AuthenticationType.SecureSocketsLayer set in my query, I get an error: Unknown error (0x80005000), whereas SSL is working on the server.

Bruno

TD Lemon
  • Sounds like an SSL certificate problem; you should check that the SSL certificate of the server is trusted by your machine (i.e. added to the certificate store, or has a parent that is). – Joachim Isaksson Jan 11 '12 at 11:08
  • `AuthentificationType.SecureSocketsLayer` sounds like you not only want to use SSL/TLS, but that you want to use client-certificate authentication too. Is this really what you're after? – Bruno Jan 11 '12 at 11:32
  • No, you are right, I only want to use SSL. SecureSocketsLayer isn't suited for this purpose? Should I use AuthentificationType.Encryption instead? – TD Lemon Jan 11 '12 at 12:31
  • As far as I understand, the `AuthenticationType` is how the client authenticates to the LDAP server. It's independent of using SSL/TLS (although when it's used, client certs can be used for authn). There are multiple ways to authenticate to LDAP. Depending on what you need, the simple bind (`None`) might be enough. (By the way, "authentification" is French -> "authentication".) – Bruno Jan 12 '12 at 13:38
  • @TerryGardner, why remove the `ldap` tag? This is clearly a question about LDAP (the protocol which should allow a C# client to talk to a Novell server) and its authentication methods. – Bruno Jan 12 '12 at 15:23
  • If the SSL is not used to identify the client, should we declare the certificate in the code, or is the certificate being in the store enough? – TD Lemon Jan 13 '12 at 14:58

1 Answer


If you can get access to the eDirectory server's logs and ask them to enable +LDAP tracing, then a bind attempt that fails could provide additional interesting information.

As Joachim notes in his comment, you probably need the trusted root of the CA that signed the certificate in use by the eDirectory server. By default, each eDirectory tree has its own CA that signs all the certificates, so you almost certainly need the public key of that CA added to your keystore.

geoffc