From: Lukas G. <geb...@ml...> - 2005-09-28 09:33:32
> I am attempting to use your LDAPsend unit to authenticate users on a
> W2003S Active Directory. After several weeks of tinkering, I can only
> connect to an unsecured W2003S installation using port 389. I see all the
> examples you've provided but there is still something missing in my
> understanding.
>
> Using the "built-in" Windows LDAP Browser, LDP.exe, I can connect just
> fine in either port 389 or using SSL on port 636.

What version of Synapse are you using? It is very important, because the latest Synasnaps have changed the handling of SSL. See http://synapse.ararat.cz/wiki/index.php?page=SslPlugin

In short, you must have some SSL library (for example the OpenSSL DLLs), and if you are using the latest code, then you must add the SSL plugin unit to your project uses.

When you need to connect to secured LDAP on port 636, use the same code as when you are connecting to unsecured LDAP; just change the destination port with TLDAPSend.TargetPort and enable full SSL mode with TLDAPSend.FullSSL prior to connecting to the server.

> However, the client machine must be part of the domain and I cannot use
> the IP address for the Target Host - must be the Domain name.

I do not understand. Do you mean "DNS domain name" or "Windows domain name"? For connecting to the LDAP server you must use an IP address or a DNS domain name. Once you have connected to your LDAP server, you must log in (Bind call) with a domain member's credentials that have rights to browse domain information within the LDAP server. Use some "Domain Admins" account. Then you can see or modify any information about any domain user and all other domain information.

> Should be able to authenticate against a Windows Active Directory even
> from a Linux machine, which would NOT be on the Windows Domain. (I intend
> to migrate to Linux/Kylix in the near future but still will have a Windows
> User base in the Active Directory)

For connection to AS LDAP you must not be part of a Windows domain, you must just bind with a valid domain account with adequate rights.

Your question... why do you not use Samba and integrate your Linux server into the Windows domain? It can act as a Windows server too; AFAIK it can connect to AS LDAP and integrate Windows accounts into Linux via PAM too, etc.

> ======
> Questions:
>
> Why does LDAP authentication with SSL work in LDP.exe but not LDAPsend?

Maybe you are not handling SSL properly (missing SSL libraries, not using the right SSL plugin, or you are just using the wrong properties).

> Do I need to provide specific certificate information to LDAPsend?

IMHO not.

> Are there additional units/procedures required prior to calling LDAPsend?

Just if you are using the latest Synasnaps, you must add the SSL plugin unit to your project uses.

> Could you provide an example of authenticating a user with LDAPsend and
> SSL?

Sorry, I do not have this example. ;-(

--
Lukas Gebauer.

E-mail: geb...@ml...
WEB: http://www.ararat.cz/synapse - Synapse Delphi and Kylix TCP/IP Library
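
The steps described in the reply above (SSL plugin unit in uses, TargetPort 636, FullSSL enabled before connecting, then a Bind call), written out as an added example; it is not part of the reply and not code from the Synapse project. The helper name `LdapsAuthenticate`, the host, the account name and the CA file are constructed assumptions, and the `VerifyCert`/`CertCAFile` settings and the empty-password check are additions the reply does not mention.

```pascal
program LdapsBindExample;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}

uses
  ldapsend,      // Synapse TLDAPSend
  ssl_openssl;   // SSL plugin unit; OpenSSL libraries must be present at run time

// Hypothetical helper: True only if the server accepts a simple bind with
// these credentials over full SSL on port 636.
function LdapsAuthenticate(const Host, BindName, BindPassword, CAFile: string): Boolean;
var
  LDAP: TLDAPSend;
begin
  Result := False;
  // A simple bind with an empty password is an unauthenticated (anonymous)
  // bind in LDAP and a server may answer success, so never count it as a login.
  if (BindName = '') or (BindPassword = '') then
    Exit;
  LDAP := TLDAPSend.Create;
  try
    LDAP.TargetHost := Host;
    LDAP.TargetPort := '636';
    LDAP.FullSSL := True;                 // SSL starts right after the TCP connect
    LDAP.Sock.SSL.CertCAFile := CAFile;   // CA that issued the server certificate
    LDAP.Sock.SSL.VerifyCert := True;     // ask the plugin to verify the peer certificate
    LDAP.UserName := BindName;
    LDAP.Password := BindPassword;
    if not LDAP.Login then                // TCP connect + SSL handshake
      Exit;
    try
      Result := LDAP.Bind;                // True when the bind result code is 0
    finally
      LDAP.Logout;
    end;
  finally
    LDAP.Free;
  end;
end;

var
  Pw: string;
begin
  // Constructed sample values; the password is read from standard input.
  ReadLn(Pw);
  if LdapsAuthenticate('dc1.example.com', 'jdoe@example.com', Pw, 'ca.pem') then
    WriteLn('bind OK')
  else
    WriteLn('bind failed');
end.
```

Binding with the credentials of the user being authenticated means the check needs no privileged account; `ResultCode` and `ResultString` on the `TLDAPSend` object hold the server's answer when `Bind` returns False.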