Users that have access to the LDAP directory must connect securely using StartTLS or ldaps://. Below is information on how to configure specific operating systems and languages:

Linux/Unix/Mac OS X

You may need to install the AddTrust Root Certificate for the full chain to be verified. Download the AddTrustExternalRootCA certificate, and place it in a cacerts directory on your server, e.g. /etc/openldap/cacerts/. Once the necessary certificates are in place, you may need to configure LDAP to look in this directory by editing your /etc/openldap/ldap.conf file and adding:

TLS_CACERTDIR    /etc/openldap/cacerts


my $ldap = Net::LDAP->new("") or die "ERROR: $!\n";
my $starttls_msg = $ldap->start_tls();
die $starttls_msg->error() if $starttls_msg->is_error;
$ldap->bind("uid=username,ou=service,dc=unl,dc=edu", password=>"password");


Hashtable ldapEnv = new Hashtable(10);
CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://");

LdapContext ctx = null;

        ctx = new InitialLdapContext(ldapEnv, null);

        //initialize TLS
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession sess = tls.negotiate();

        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "uid=username,ou=service,dc=unl,dc=edu");
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "password");

catch(Exception e){
        System.err.println("LDAP Client init error:");


// Simple LDAP example

// For help debugging, details will be logged in your webserver error_log file
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// Connect to (primary) and failover to
$link = ldap_connect('');

// TLS is only available using version 3
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);

// Begin communicating securely

// Bind using your service dn and password
ldap_bind($link, $bind_dn, $bind_password);

Additional Code


    Public Shared Function GetNUIDFromLDAP(ByVal UID As String) As String
      Using LDAP As New LdapConnection(New LdapDirectoryIdentifier(New String() {"", _
                   ""}, True, False))

            LDAP.SessionOptions.ProtocolVersion = 3
            LDAP.SessionOptions.VerifyServerCertificate = _
                          New VerifyServerCertificateCallback(AddressOf ServerCallback)
            Dim NUID As String = ""
            LDAP.AuthType = AuthType.Basic
            LDAP.SessionOptions.StartTransportLayerSecurity(New DirectoryControlCollection)
            LDAP.Bind(New NetworkCredential("username", "password"))

            Dim req As New SearchRequest("ou=people,dc=unl,dc=edu", "uid=" & _
                        UID, Protocols.SearchScope.OneLevel, New String() {"unlUNCWID"})
            req.SizeLimit = 500
            Dim resp As SearchResponse = LDAP.SendRequest(req)
            Dim col As SearchResultEntryCollection = resp.Entries

            For Each res As SearchResultEntry In col
                For Each att As DictionaryEntry In res.Attributes
                    If att.Key = "unluncwid" Then NUID = att.Value.item(0)

            Return NUID
        End Using
    End Function

    Public Shared Function ServerCallback(connection As LdapConnection, _
                  certificate As X509Certificate) As Boolean
        Return True
    End Function


public static string GetNUID(string ldapUserID)
    if (string.IsNullOrEmpty(ldapUserID))
        return string.Empty;

    string nuid = string.Empty;
    using (LdapConnection ldap = new LdapConnection(new LdapDirectoryIdentifier(new string[] { _
"", "" }, true, false)))
        ldap.AuthType = AuthType.Basic;
        ldap.SessionOptions.SecureSocketLayer = false;
        ldap.SessionOptions.ProtocolVersion = 3;
        ldap.SessionOptions.VerifyServerCertificate =
            new VerifyServerCertificateCallback((conn, cert) =>
                X509Certificate2 c2 = new X509Certificate2(cert);
                return c2.Verify();
        ldap.SessionOptions.StartTransportLayerSecurity(new DirectoryControlCollection());
        ldap.Bind(new System.Net.NetworkCredential("username", "Password"));
        SearchRequest req = new SearchRequest("ou=people,dc=unl,dc=edu", "uid=" + ldapUserID,
            System.DirectoryServices.Protocols.SearchScope.OneLevel, new string[] { "unlUNCWID" });
        req.SizeLimit = 5;
        SearchResponse resp = (SearchResponse)ldap.SendRequest(req);
        SearchResultEntryCollection col = resp.Entries;

        // We expect only one result in both of these collections
        foreach (SearchResultEntry entry in col)
            foreach (DictionaryEntry att in entry.Attributes)
                if (att.Key.ToString() == "unluncwid")
                    nuid = ((DirectoryAttribute)(att.Value))[0].ToString();
    return nuid;

Additional Code

Classic ASP/VBScript


Const ADS_USE_SSL = &H2
if (request.form("Submit") = "Submit") then
	'Read in the password and username from the form
	Dim strUserName, strPassword
	strUserName = trim(Replace(Request.form("uid"),"'","''"))
	strPassword = trim(Replace(Request.form("pwd"),"'","''"))

	'Establish a database connection...
	SQLStmt = "SELECT * " & _
			  "FROM 'LDAP://,dc=edu' " & _
			  "WHERE uid='" & strUserName & "'"

	Set Conn = CreateObject("ADODB.Connection")
	Conn.Provider = "ADSDSOObject"
	Conn.Properties("User ID") = "NotUsed"
	Conn.Properties("Password") = "NotUsed"
	Conn.Properties("Encrypt Password") = False
	Conn.Properties("ADSI Flag") = ADS_USE_SSL

	on error resume next
	Conn.Open "ADs Provider", _
			  "uid=" & strUserName & ",ou=people,dc=unl,dc=edu", _

	Set rs = Conn.Execute(SQLStmt)
	if rs.RecordCount = 0 then
		'probably bad password or login
		set rs=nothing
		set Conn=nothing
		session("Status") = "error"
		Response.Redirect("login.asp?" & request.form("URL"))
	end if

	'If the recordset is not empty, the user is validated
	If Not rs.EOF Then
		'We need to set bolAuthenticated as True!
		Session("bolAuthenticated") = True
		Session("Login") = strUserName
	End If
end if
Session("Status") = "error"
'The user was not validated...
'Take them to a page which tells them they were not validated...
Response.Redirect "https://" & request.ServerVariables("SERVER_NAME") & "/login.asp"


Quick Connection Info

  • Server:
  • Backup:
  • Ports: 389, 636
  • Use StartTLS or ldaps:// for secure connections
  • Sample User Bind DN: uid=hhusker2,ou=people,dc=unl,dc=edu