Users that have access to the LDAP directory must connect securely using StartTLS or ldaps://. Below is information on how to configure specific operating systems and languages:
Linux/Unix/Mac OS X
You may need to install the AddTrust Root Certificate for the full chain to be verified. Download the AddTrustExternalRootCA certificate, and place it in a cacerts directory on your server, e.g. /etc/openldap/cacerts/. Once the necessary certificates are in place, you may need to configure LDAP to look in this directory by editing your /etc/openldap/ldap.conf file and adding:
TLS_CACERTDIR /etc/openldap/cacerts
Perl
use strict;
use warnings;
use Net::LDAP;

# Plain connection on port 389; nothing sensitive is sent until StartTLS succeeds
my $ldap = Net::LDAP->new("ldap.unl.edu") or die "ERROR: $!\n";
# Upgrade to TLS and require a server certificate that chains to the CAs in the cacerts directory
my $starttls_msg = $ldap->start_tls(verify => 'require', capath => '/etc/openldap/cacerts');
die $starttls_msg->error() if $starttls_msg->is_error;
# Bind only after TLS is established
my $bind_msg = $ldap->bind("uid=username,ou=service,dc=unl,dc=edu", password => "password");
die $bind_msg->error() if $bind_msg->is_error;
Java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

Hashtable<String, String> ldapEnv = new Hashtable<>(10);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://ldap.unl.edu");
LdapContext ctx = null;
try {
    ctx = new InitialLdapContext(ldapEnv, null);
    // Initialize TLS: StartTLS upgrades the existing port 389 connection in place
    StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
    // negotiate() verifies the server certificate against the JVM trust store and the host name
    SSLSession sess = tls.negotiate();
    // Credentials are added only after TLS is up, so the bind never crosses the wire in plaintext
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid=username,ou=service,dc=unl,dc=edu");
    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "password");
} catch (Exception e) {
    System.err.println("LDAP Client init error:");
    e.printStackTrace();
}
PHP
<?php
// Simple LDAP example
// For help debugging, details will be logged in your webserver error_log file
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Connect to ldap.unl.edu (primary) and failover to ldap-backup.unl.edu
$link = ldap_connect('ldap.unl.edu ldap-backup.unl.edu');
// TLS is only available using version 3
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
// Begin communicating securely; abort rather than fall back to a plaintext bind if StartTLS fails
if (!ldap_start_tls($link)) {
    die('StartTLS failed: ' . ldap_error($link));
}
// Bind using your service dn and password ($bind_dn and $bind_password come from your configuration)
if (!ldap_bind($link, $bind_dn, $bind_password)) {
    die('Bind failed: ' . ldap_error($link));
}
C#
using System;
using System.Collections;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

public static string GetNUID(string ldapUserID)
{
    if (string.IsNullOrEmpty(ldapUserID))
    {
        return string.Empty;
    }
    string nuid = string.Empty;
    // Primary and backup servers; fullyQualifiedDnsHostName = true, connectionless = false
    using (LdapConnection ldap = new LdapConnection(new LdapDirectoryIdentifier(
        new string[] { "ldap.unl.edu", "ldap-backup.unl.edu" }, true, false)))
    {
        ldap.AuthType = AuthType.Basic;
        // Start on plain port 389; StartTLS below upgrades the connection
        // (set SecureSocketLayer = true instead to use ldaps:// on port 636)
        ldap.SessionOptions.SecureSocketLayer = false;
        ldap.SessionOptions.ProtocolVersion = 3;
        // Reject the server certificate unless it chains to a trusted root
        ldap.SessionOptions.VerifyServerCertificate =
            new VerifyServerCertificateCallback((conn, cert) =>
            {
                X509Certificate2 c2 = new X509Certificate2(cert);
                return c2.Verify();
            });
        ldap.SessionOptions.StartTransportLayerSecurity(new DirectoryControlCollection());
        // Bind only after TLS is established
        ldap.Bind(new System.Net.NetworkCredential("username", "Password"));
        SearchRequest req = new SearchRequest("ou=people,dc=unl,dc=edu", "uid=" + ldapUserID,
            System.DirectoryServices.Protocols.SearchScope.OneLevel, new string[] { "unlUNCWID" });
        req.SizeLimit = 5;
        SearchResponse resp = (SearchResponse)ldap.SendRequest(req);
        SearchResultEntryCollection col = resp.Entries;
        // We expect only one result in both of these collections
        foreach (SearchResultEntry entry in col)
        {
            foreach (DictionaryEntry att in entry.Attributes)
            {
                // Attribute names are returned in lower case
                if (att.Key.ToString() == "unluncwid")
                {
                    nuid = ((DirectoryAttribute)(att.Value))[0].ToString();
                }
            }
        }
    }
    return nuid;
}
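The StartTLS exchange that the Perl, Java, PHP and C# snippets above delegate to their LDAP libraries, shown on the wire as an added example written for this page (not UNL's code): it builds the LDAPv3 StartTLS ExtendedRequest, checks the server's ExtendedResponse, and only then hands the socket to TLS with certificate and host-name verification against the cacerts directory from the Linux section. The CA directory default and the host name argument are assumptions; the sample PDUs are constructed.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAPv3 StartTLS extended operation (RFC 4511)


def _ber(tag: int, body: bytes) -> bytes:
    """BER TLV with a short-form length; every StartTLS PDU is far below 128 bytes."""
    if len(body) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(body)]) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID))     # 0x77 = APPLICATION 23, constructed
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(pdu: bytes) -> int:
    """Return the LDAPResult resultCode of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    if len(pdu) < 2 or pdu[0] != 0x30 or pdu[1] + 2 != len(pdu):
        raise ValueError("not one complete short-form LDAPMessage")
    body = pdu[2:]
    if body[0] != 0x02:
        raise ValueError("missing messageID")
    body = body[2 + body[1]:]                           # skip the messageID INTEGER
    if body[0] != 0x78:                                 # 0x78 = APPLICATION 24, constructed
        raise ValueError("not an ExtendedResponse")
    result = body[2:]
    if result[0] != 0x0A:                               # resultCode is ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(result[2:2 + result[1]], "big")


def tls_context(ca_dir: str = "/etc/openldap/cacerts") -> ssl.SSLContext:
    """Python equivalent of TLS_CACERTDIR (assumed path): trust only the CAs in ca_dir, check the host name."""
    ctx = ssl.create_default_context(capath=ca_dir)    # CERT_REQUIRED and check_hostname are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls(sock: socket.socket, host: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Upgrade a plaintext LDAP socket (port 389); the bind must happen only on the returned socket."""
    sock.sendall(starttls_request())
    code = parse_extended_response(sock.recv(4096))
    if code != 0:                                       # never fall back to a plaintext bind
        raise ConnectionError(f"server refused StartTLS, resultCode={code}")
    return ctx.wrap_socket(sock, server_hostname=host)
```

A server that answers with a non-zero resultCode (for example because it only offers TLS on port 636) makes starttls() raise, which is the behaviour the ldap_start_tls() and start_tls() checks above should also enforce.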
Quick Connection Info
- Server: ldap.unl.edu
- Backup: ldap-backup.unl.edu
- Ports: 389, 636
- Use StartTLS or ldaps:// for secure connections
- Sample User Bind DN: uid=hhusker2,ou=people,dc=unl,dc=edu