
Third-Party LDAP Applications Won't Work


01 Mar 2003


Q.

I have come across a really strange problem. I am unable to install any third-party LDAP-compliant application on my eDirectory Corporate Edition server. I get a whole slew of miscellaneous errors. In addition, the eDirectory schema is not extended. However, the same applications install just fine on a Netscape Directory.

LDAP La La in Lenexa

A.

Dear LDAP La La: The problem lies in the fact that the applications have been compiled using the Netscape/iPlanet Directory SDK. The default setting for the SDK is to do an LDAP v2 bind. Novell's server does not allow LDAP v2 clients to do schema operations the same way Netscape does. This is according to RFC 2252 and RFC 2256.

Please be aware of the security risks involved in using version 2 binds, which are clear-text passwords! The fix is actually for the third-party supplier to add two lines to their code as documented below (this should not break Netscape compatibility). You will need to specify the LDAP version of your client as follows:

"If you plan to call API functions that make use of LDAP version 3 features, you should set the protocol version of your client to LDAP v3. (By default, clients built with the Netscape Directory SDK for C identify themselves to LDAP servers as LDAP v2 clients.) To specify the LDAP version supported by your client, call the ldap_set_option() function and set the LDAP_OPT_PROTOCOL_VERSION option to the value 3. For example:

int version = LDAP_VERSION3;                  /* must be set before the bind */
ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );

"After setting this option, your client can authenticate or bind to the server. As part of the process of binding to the server, your client sends the supported LDAP version number to the server. This allows the server to determine whether or not to enable the use of LDAP v3 features.

"Note that the LDAP v3 protocol allows you to perform LDAP operations without first binding to the server. If you perform LDAP operations without binding, the server may assume that your client is an LDAP v3 client. (For example, the Netscape Directory Server 3.0 assumes that your client supports LDAP v3 if it performs an LDAP operation without binding first.)" (c) Netscape 1998.
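As an added example (not code from the AppNote or from the Netscape SDK), the C below shows what the version chosen through ldap_set_option() becomes on the wire: it encodes the BindRequest the client sends and reads the version field back out the way the server does when deciding whether v3 features are enabled, and it makes visible that a simple bind carries the password as literal bytes. The DN and password are constructed sample values, and the encoder is a hypothetical minimal one that handles short-form BER lengths only.

```c
/* Added example, not code from the AppNote or the Netscape SDK: builds the
 * LDAP BindRequest a client sends once ldap_set_option() has chosen the
 * protocol version, and reads the version back out the way a server (or a
 * sensor flagging v2 binds) would. Short-form BER lengths only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode LDAPMessage { messageID, BindRequest { version, name, simple pw } }.
 * Returns the byte count written to out, or 0 if a field does not fit. */
size_t encode_bind_request(unsigned char *out, size_t cap, int msgid,
                           int version, const char *dn, const char *pw)
{
    size_t dn_len = strlen(dn), pw_len = strlen(pw);
    size_t body = 3 + 2 + dn_len + 2 + pw_len; /* version + name + [0] simple */
    size_t total = 2 + 3 + 2 + body;           /* SEQUENCE + messageID + [APP 0] */
    unsigned char *p = out;

    if (version < 1 || version > 127 || msgid < 0 || msgid > 127 ||
        dn_len > 127 || pw_len > 127 || body > 127 || total - 2 > 127 ||
        total > cap)
        return 0;
    *p++ = 0x30; *p++ = (unsigned char)(total - 2);       /* LDAPMessage */
    *p++ = 0x02; *p++ = 1; *p++ = (unsigned char)msgid;   /* messageID */
    *p++ = 0x60; *p++ = (unsigned char)body;              /* BindRequest */
    *p++ = 0x02; *p++ = 1; *p++ = (unsigned char)version; /* version 2 or 3 */
    *p++ = 0x04; *p++ = (unsigned char)dn_len;            /* name (DN) */
    memcpy(p, dn, dn_len); p += dn_len;
    /* [0] simple: the password is copied in as literal bytes, so without
     * TLS a simple bind is cleartext whether the version says 2 or 3. */
    *p++ = 0x80; *p++ = (unsigned char)pw_len;
    memcpy(p, pw, pw_len); p += pw_len;
    return (size_t)(p - out);
}

/* Version field of a short-form BindRequest (offset 9), or -1 if the
 * framing is not a well-formed bind request. */
int bind_request_version(const unsigned char *buf, size_t len)
{
    if (len < 10 || buf[0] != 0x30 || (size_t)buf[1] + 2 != len ||
        buf[2] != 0x02 || buf[3] != 1 || buf[5] != 0x60 ||
        (size_t)buf[6] + 7 != len || buf[7] != 0x02 || buf[8] != 1)
        return -1;
    return buf[9];
}

int main(void)
{
    unsigned char msg[256]; /* constructed sample DN and password below */
    size_t n = encode_bind_request(msg, sizeof msg, 1, 3,
                                   "cn=admin,o=example", "not-a-real-secret");
    printf("bind request: %zu bytes, version %d\n", n, bind_request_version(msg, n));
    return 0;
}
```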

* Originally published in Novell AppNotes

