LDAP Browser SSL Support
Moderator: Support
10 posts
• Page 1 of 1
LDAP Browser SSL Support
by jchambers » Tue May 02, 2006 10:43 pm
It would be very nice to have support for SSL/TLS in the LDAP Browser product; by some config file that references the path to the Cert. Using the Netscape 4 method in the forums is about as lame as it gets.... Is there any other work-around, or anything on the roadmap for this?
- jchambers
- Posts: 1
- Joined: Tue May 02, 2006 10:38 pm
by Support » Wed May 10, 2006 2:56 pm
We have no plans to continue development of the 2.X products line.
LDAP Administrator 3.X works over MS LDAP API which has a built-in integration with the Windows SSL/TLS infrastructure. This effectively means that there is no more headache with SSL certificates management.
LDAP Administrator 3.X works over MS LDAP API which has a built-in integration with the Windows SSL/TLS infrastructure. This effectively means that there is no more headache with SSL certificates management.
- Support
- Posts: 694
- Joined: Sun Aug 12, 2001 12:00 am
by pbatard » Wed May 31, 2006 4:24 pm
Hi jchambers,
I totally agree with you that requiring users to install an old piece of software just to handle a CA certificate is pretty lame. There is however a way to get SSL working in LDAP Browser 2.x without having to install Netscape. Here's how
o Importing the CA certificate on the Softerra Browser LDAP client software
After you have extracted the public key certificate of the Certificate Authority (CA) of the Active Directory server, you must import it into a cert7.db file that Softerra LDAP Browser can handle. There, Softerra's documentation says that you're supposed to install Netscape 4.x but you don't. You can simply use Mozilla's NSS utilities, and the certutil command line utility to do just the same.
However, the latest version of NSS does not generate a .db that is compatible with the older version that Softerra uses (cert7.db vs. cert8.db) and there does not appear to be flag in certutil to generate a .db with the old compatibility mode. Therefore you have to use an older version of NSS. The most recent version that does that is (apparently) NSS 3.3.2, which you can download, precompiled for win32 platforms, from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_3_2_RTM/WINNT4.0_OPT.OBJ
Once you've extracted the zip and placed your certificate (eg: myserver_ca.cer) in the bin directory, you should run the following commands:
and
o Configuring the Softerra LDAP profile for LDAPS
1. Overwrite the key3.db and cert7.db files from the LDAP Browser root directory with the ones just created
2. Edit your existing LDAP profile and change the port to the secure one (eg. 636)
3. on the "LDAP Settings" tab, check the box "Try to use secure connection (only LDAP v.3)"
That did the trick for me when using an Active Directory controller with LDAPS (which was setup following the documentation from IBM here).
Hope this will be useful to others.
I totally agree with you that requiring users to install an old piece of software just to handle a CA certificate is pretty lame. There is however a way to get SSL working in LDAP Browser 2.x without having to install Netscape. Here's how
o Importing the CA certificate on the Softerra Browser LDAP client software
After you have extracted the public key certificate of the Certificate Authority (CA) of the Active Directory server, you must import it into a cert7.db file that Softerra LDAP Browser can handle. There, Softerra's documentation says that you're supposed to install Netscape 4.x but you don't. You can simply use Mozilla's NSS utilities, and the certutil command line utility to do just the same.
However, the latest version of NSS does not generate a .db that is compatible with the older version that Softerra uses (cert7.db vs. cert8.db) and there does not appear to be flag in certutil to generate a .db with the old compatibility mode. Therefore you have to use an older version of NSS. The most recent version that does that is (apparently) NSS 3.3.2, which you can download, precompiled for win32 platforms, from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_3_2_RTM/WINNT4.0_OPT.OBJ
Once you've extracted the zip and placed your certificate (eg: myserver_ca.cer) in the bin directory, you should run the following commands:
- Code: Select all
C:\nss-3.3.2\bin>certutil -N -d .
and
- Code: Select all
C:\nss-3.3.2\bin>certutil -A -n "root_ca" -t "C,," -a -i .\myserver_ca.cer -d .
o Configuring the Softerra LDAP profile for LDAPS
1. Overwrite the key3.db and cert7.db files from the LDAP Browser root directory with the ones just created
2. Edit your existing LDAP profile and change the port to the secure one (eg. 636)
3. on the "LDAP Settings" tab, check the box "Try to use secure connection (only LDAP v.3)"
That did the trick for me when using an Active Directory controller with LDAPS (which was setup following the documentation from IBM here).
Hope this will be useful to others.
- pbatard
- Posts: 1
- Joined: Wed May 31, 2006 4:11 pm
LDAP Browser SSL Support
by drwho » Fri Jul 14, 2006 12:03 am
Good news. I uninstalled Netscape 8 and reinstalled Netscape Communicator 4.8. I executed the following steps (from your LDAP Browser Help ) and was able to connect:
Run the Netscape browser.
Open URL: https://yourserver:sslport/, where:
yourserver - Your LDAP server address, provided it is an IP or host name. For example: 192.168.234.33 or ldap.mycompany.com.
sslport - A TCP\IP port number used by your server to accept SSL connections. Usually this port number is 636.
You'll see the Netscape Certificate Name Check window. Follow the instructions provided therein and accept the server certificate for this and future sessions.
I'm using LDAP Browser v.2.6 (build 650),
System Info: Microsoft Windows 2000 version 5.2 Service Pack 1
Our CA certificate is self-signed (ie. Not belonging to Verisign or other vendors)
I want to thank Softerra's support Kirill, who responded quickly to my distress and sent me to this link. I emailed documentation of my efforts to Kiril.
Run the Netscape browser.
Open URL: https://yourserver:sslport/, where:
yourserver - Your LDAP server address, provided it is an IP or host name. For example: 192.168.234.33 or ldap.mycompany.com.
sslport - A TCP\IP port number used by your server to accept SSL connections. Usually this port number is 636.
You'll see the Netscape Certificate Name Check window. Follow the instructions provided therein and accept the server certificate for this and future sessions.
I'm using LDAP Browser v.2.6 (build 650),
System Info: Microsoft Windows 2000 version 5.2 Service Pack 1
Our CA certificate is self-signed (ie. Not belonging to Verisign or other vendors)
I want to thank Softerra's support Kirill, who responded quickly to my distress and sent me to this link. I emailed documentation of my efforts to Kiril.
DrWho
- drwho
- Posts: 1
- Joined: Thu Jul 13, 2006 11:54 pm
by Support » Wed Jan 16, 2008 9:26 am
Please note that NSS depends on the NSPR package.
NSPR can be downloaded from
http://ftp.mozilla.org/pub/mozilla.org/ ... 0_OPT.OBJ/
Unpack both packages, copy nspr-4.2/lib/*.dll and nss-3.3.2/lib/*.dll to nss-3.3.2/bin
NSPR can be downloaded from
http://ftp.mozilla.org/pub/mozilla.org/ ... 0_OPT.OBJ/
Unpack both packages, copy nspr-4.2/lib/*.dll and nss-3.3.2/lib/*.dll to nss-3.3.2/bin
- Support
- Posts: 694
- Joined: Sun Aug 12, 2001 12:00 am
Re: LDAP Browser SSL Support
by netw3rker » Fri Jul 25, 2008 11:09 pm
This is great, but i cant get it to work for me. this leads me to a couple of questions:
1) does the fact that 'certutil' force you to password protect the db files matter?
2) is there a way to add new keys to the existing db's instead of using only the new db's?
I'm pretty sure my problem is either related to the db password, or its a problem with the key i'm importing, but It'd be good to at least let people know wether or not the password does actually matter.
Thanks in advance!
-Chris
1) does the fact that 'certutil' force you to password protect the db files matter?
2) is there a way to add new keys to the existing db's instead of using only the new db's?
I'm pretty sure my problem is either related to the db password, or its a problem with the key i'm importing, but It'd be good to at least let people know wether or not the password does actually matter.
Thanks in advance!
-Chris
- netw3rker
- Posts: 1
- Joined: Fri Jul 25, 2008 10:30 pm
Re: LDAP Browser SSL Support
by Support » Thu Dec 17, 2009 2:43 pm
netw3rker wrote:This is great, but i cant get it to work for me. this leads me to a couple of questions:
Please turn to Mozilla NSS site for details:
http://www.mozilla.org/projects/security/pki/nss/
- Support
- Posts: 694
- Joined: Sun Aug 12, 2001 12:00 am
- joetraff
- Posts: 2
- Joined: Wed Jul 14, 2010 11:00 am
10 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest