smpetrie | 4 May 16:08 2007

Re: ldapssl_clientauth_init() failure: C SDK 6.0.2, SunOS, 64-bit

That did it.  Thank you!

Anton Bobrov wrote:
> yes it works but for some reason NSS freebl libraries didn't get
> included in the 64b archives and i somehow overlooked that,
> sorry about that. please download NSS libs from here :
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/SunOS5.9_64_OPT.OBJ/
> and try again.
>
> smpetrie <at> raytheon.com wrote:
> >    We have both 32 and 64 bit applications that successfully use LDAP
> > C SDK 5.17.   Now we're trying to upgrade to SDK 6.0.2, but can't get
> > the 64-bit apps to work (32-bit apps work fine).  We're using the pre-
> > built libs.
> >    A call to ldapssl_clientauth_init() returns -1.  A call to
> > PR_GetError() returns -8192 : "SEC_ERROR_IO: An I/O error occured
> > during authentication; or an error occured during crypto operation
> > (other than signature verification)".
> >    Downloaded from
> > ftp://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/releases/v6.0.2-contrib-bin/ldapcsdk-6.02-SunOS5.8_sparc_64_OPT.
> > Running on SunOS 5.8.
> >    I assume this works elsewhere; true?
> >    Thanks for any suggestions.
> > Steve

Rich Megginson | 9 May 16:47 2007

More info about Windows SDK

I've gone around and around with this.  It just seems very difficult to 
use VC++ Express Edition to create a redistributable package.  Doing 
this creates a dependency on msvcr80.dll that apparently cannot be 
resolved.  There is a vcredist.exe that end users can install on their 
machine, that installs msvcr80.dll and sets up the machine to use it. 
But according to some folks on the mozilla builds newsgroup, there is a 
bug in this that was resolved with VC++ sp 1.  However, there is no 
vcredist.exe sp 1 for VC++ Express Edition.  Another thought I had was 
to just copy msvcr80.dll from the machine and put that in the SDK 
package.  But according to the same folks on the mozilla builds list, 
this may violate the EULA for VC++ Express Edition.  So the options are:

1) Use VC++ paid ($$$) Edition.  Require anyone who wants to build a 
redistributable Mozilla LDAP SDK to purchase VC++.

2) Figure out some way to hook into the Mozilla build system, and use 
that to create the redistributable package.  The Mozilla build system 
uses the paid VC++, so this is not a problem.

3) Compile statically.  This would require several changes to configure 
and the Makefiles, in order to build dynamically in most cases e.g. for 
use in Thunderbird and other products, but to build statically when 
building the SDK.

4) Use MSYS.  I assume this would run on a native Windows machine (i.e. 
one without cygwin or msys already installed), or we would have to 
distribute the dll.  I think you used to have to do this with cygwin 
apps - provide cygwin1.dll with your binaries.

I think 2) is the best option.  But I just don't have the time to do 

Dennis Sinelnikov | 9 May 18:27 2007

Active Directory & Java SDK

Hello fellow-LDAPers,

I hope there are some Active Directory gurus out there that can help me 
answer 2 questions.  I'm developing a java ldap client that pulls data 
from Active Directory (Windows Small Business Server 2003) using Java 
SDK 4.17.

1. How do I increase the 1000 entry limit per search?  After 1000 I get 
   (4) SIZE_LIMIT_EXCEEDED exception.  I tried upping the max results on 
LDAPSearchConstraints without any luck.

2. How do I get a count of all entries under a particular branch? For 
example, I need to know total number of users before pulling all of them 
that reside under cn=Users.  In non-AD world, I was able to determine 
that by appending "-s base "objectclass=*" numsubordinates" to my search 
query.

Thanks!

-Dennis

Mark Smith | 10 May 02:43 2007

Re: More info about Windows SDK

Rich Megginson wrote:
> I've gone around and around with this.  It just seems very difficult to 
> use VC++ Express Edition to create a redistributable package.  Doing 
> this creates a dependency on msvcr80.dll that apparently cannot be 
> resolved.  There is a vcredist.exe that end users can install on their 
> machine, that installs msvcr80.dll and sets up the machine to use it. 
> But according to some folks on the mozilla builds newsgroup, there is a 
> bug in this that was resolved with VC++ sp 1.  However, there is no 
> vcredist.exe sp 1 for VC++ Express Edition.

Is this the package that people need?

http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647&displaylang=en

> Another thought I had was 
> to just copy msvcr80.dll from the machine and put that in the SDK 
> package.  But according to the same folks on the mozilla builds list, 
> this may violate the EULA for VC++ Express Edition.  So the options are:
> 
> 1) Use VC++ paid ($$$) Edition.  Require anyone who wants to build a 
> redistributable Mozilla LDAP SDK to purchase VC++.
> 
> 2) Figure out some way to hook into the Mozilla build system, and use 
> that to create the redistributable package.  The Mozilla build system 
> uses the paid VC++, so this is not a problem.

What is the difference between options 1 and 2?  Is the idea that for 
option 2 you would use the VC++ paid edition to create a package that 
contains the necessary DLLs?  This all sounds like silliness due to the 
way the VC runtime DLLs are licensed....

Nelson Bolyard | 10 May 03:31 2007

Re: ldap and StartTLS ?

Rich Megginson wrote:
> Nelson B wrote:
>> Rich Megginson wrote:
>>> Nelson B wrote:
>>>> Does LDAP have a "StartTLS" feature (ala IMAP, SMTP) that allows the
>>>> connection to start without TLS, then negotiate TLS and switch to it?
>>>> Where can I find out more about it, if so?
>>> This is RFC 4513 - http://www.isi.edu/in-notes/rfc4513.txt
>>
>> Thanks.  That RFC is hot off the press, I see.
>> Am I right in imagining that it's not widely implemented yet?
>>
> That RFC is the replacement for the earlier startTLS RFCs which are
> referenced in that document and have been implemented for several years
> now.  I haven't read the new RFC yet but I'm assuming it hasn't changed
> the startTLS spec, just cleaned it up and unified the various strands of
> other RFCs.
> 
> So, yes, it is widely implemented.  Netscape/Sun/iPlanet/Red Hat/Fedora
> Directory Server has supported it since 2001, and likely OpenLDAP and
> others have supported it since around that time.

The LDAP SDK documentation on www.mozilla.org
<http://www.mozilla.org/directory/csdk-docs/ssl.htm#how_ssl_works_with_ldap>
says "The Mozilla LDAP C SDK only supports SSL 3.0 and does not support the
Start Transport Layer Security (TLS) Operation. "

There are (at least) two possible interpretations of that:
a) The Mozilla LDAP C SDK ... does not support ... TLS
b) The Mozilla LDAP C SDK ... does not support ... StartTLS.

Rich Megginson | 10 May 03:35 2007

Re: More info about Windows SDK

Mark Smith wrote:
> Rich Megginson wrote:
>> I've gone around and around with this.  It just seems very difficult 
>> to use VC++ Express Edition to create a redistributable package.  
>> Doing this creates a dependency on msvcr80.dll that apparently cannot 
>> be resolved.  There is a vcredist.exe that end users can install on 
>> their machine, that installs msvcr80.dll and sets up the machine to 
>> use it. But according to some folks on the mozilla builds newsgroup, 
>> there is a bug in this that was resolved with VC++ sp 1.  However, 
>> there is no vcredist.exe sp 1 for VC++ Express Edition.
> 
> Is this the package that people need?
> 
> http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647&displaylang=en

Yes.  That appears to be new since the last time I checked.  I'll try that.

The other problem with this method, that I neglected to mention, is that 
it seems to require a manifest file.  I'll probably need to make some 
makefile changes to detect the vc++ version and create the manifest file.

>> Another thought I had was to just copy msvcr80.dll from the machine 
>> and put that in the SDK package.  But according to the same folks on 
>> the mozilla builds list, this may violate the EULA for VC++ Express 
>> Edition.  So the options are:
>>
>> 1) Use VC++ paid ($$$) Edition.  Require anyone who wants to build a 
>> redistributable Mozilla LDAP SDK to purchase VC++.
>>

Rich Megginson | 10 May 03:40 2007

Re: ldap and StartTLS ?

Nelson Bolyard wrote:
> Rich Megginson wrote:
>> Nelson B wrote:
>>> Rich Megginson wrote:
>>>> Nelson B wrote:
>>>>> Does LDAP have a "StartTLS" feature (ala IMAP, SMTP) that allows the
>>>>> connection to start without TLS, then negotiate TLS and switch to it?
>>>>> Where can I find out more about it, if so?
>>>> This is RFC 4513 - http://www.isi.edu/in-notes/rfc4513.txt
>>> Thanks.  That RFC is hot off the press, I see.
>>> Am I right in imagining that it's not widely implemented yet?
>>>
>> That RFC is the replacement for the earlier startTLS RFCs which are
>> referenced in that document and have been implemented for several years
>> now.  I haven't read the new RFC yet but I'm assuming it hasn't changed
>> the startTLS spec, just cleaned it up and unified the various strands of
>> other RFCs.
>>
>> So, yes, it is widely implemented.  Netscape/Sun/iPlanet/Red Hat/Fedora
>> Directory Server has supported it since 2001, and likely OpenLDAP and
>> others have supported it since around that time.
> 
> The LDAP SDK documentation on www.mozilla.org
> <http://www.mozilla.org/directory/csdk-docs/ssl.htm#how_ssl_works_with_ldap>
> says "The Mozilla LDAP C SDK only supports SSL 3.0 and does not support the
> Start Transport Layer Security (TLS) Operation. "

That is incorrect.  Mozldap 6 uses any recent version of NSS (e.g. 3.11) 
which supports TLSv1 and SSLv3 (SSLv2 is off by default).  In addition 
it has supported the StartTLS extended operation for quite some time now.

Nelson Bolyard | 10 May 04:34 2007

Re: More info about Windows SDK

Mark Smith wrote:
> Rich Megginson wrote:
>> I've gone around and around with this.  It just seems very difficult
>> to use VC++ Express Edition to create a redistributable package. 
>> Doing this creates a dependency on msvcr80.dll that apparently cannot
>> be resolved.  There is a vcredist.exe that end users can install on
>> their machine, that installs msvcr80.dll and sets up the machine to
>> use it. But according to some folks on the mozilla builds newsgroup,
>> there is a bug in this that was resolved with VC++ sp 1.  However,
>> there is no vcredist.exe sp 1 for VC++ Express Edition.
> 
> Is this the package that people need?
> 
> http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647&displaylang=en

Oh, thank you, Thank You, THANK YOU!!

/Nelson

Nelson Bolyard | 10 May 04:31 2007

Re: ldap and StartTLS ?

Rich Megginson wrote:
> Nelson Bolyard wrote:

>> The LDAP SDK documentation on www.mozilla.org
>> <http://www.mozilla.org/directory/csdk-docs/ssl.htm#how_ssl_works_with_ldap>
>>
>> says "The Mozilla LDAP C SDK only supports SSL 3.0 and does not
>> support the Start Transport Layer Security (TLS) Operation. "
> 
> That is incorrect.  Mozldap 6 uses any recent version of NSS (e.g. 3.11)
> which supports TLSv1 and SSLv3 (SSLv2 is off by default).  In addition
> it has supported the StartTLS extended operation for quite some time now.
> 
> The problem is that those docs are hopelessly out of date.  Our
> salvation will come in the form of Sun's contribution of their
> up-to-date docs to Mozilla, except that Mark Craig and Gerv are going
> around and around with the Sun lawyers over the doc licensing.  Mark
> already has everything converted to docbook xml and it's ready to go.

OK.  Thanks for that info.  I understand you to be saying that the doc
was for some older version of the SDK than the present one (or even
recent ones).  This leads to a few more questions.

Regarding the current SDK, is there a Sun URL for an equivalent page
with more up to date info?  E.g.  docs.sun.com/<something> ?

Regarding the older version of the SDK to which the cited page applied,
a) to what version(s) of the SDK did it apply?  and
b) What is the answer to the questions below for that older version?
> 

Rich Megginson | 10 May 15:49 2007

Re: ldap and StartTLS ?

Nelson Bolyard wrote:
>> The problem is that those docs are hopelessly out of date.  Our
>> salvation will come in the form of Sun's contribution of their
>> up-to-date docs to Mozilla, except that Mark Craig and Gerv are going
>> around and around with the Sun lawyers over the doc licensing.  Mark
>> already has everything converted to docbook xml and it's ready to go.
> 
> OK.  Thanks for that info.  I understand you to be saying that the doc
> was for some older version of the SDK than the present one (or even
> recent ones).  This leads to a few more questions.
> 
> Regarding the current SDK, is there a Sun URL for an equivalent page
> with more up to date info?  E.g.  docs.sun.com/<something> ?

I think so.  Anton would probably know.

> 
> Regarding the older version of the SDK to which the cited page applied,
> a) to what version(s) of the SDK did it apply?  and
> b) What is the answer to the questions below for that older version?
>> There are (at least) two possible interpretations of that:
>> a) The Mozilla LDAP C SDK ... does not support ... TLS
>> b) The Mozilla LDAP C SDK ... does not support ... StartTLS.
>>
>> Which of those interpretations is correct?
>> Or, if neither, what is the correct interpretation?
>> Or is that document just wrong and needs to be fixed?

It must be very old.  I believe mozldap has supported StartTLS since 2001.
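
The StartTLS extended operation discussed in this thread, shown at the wire level as an added example (not code from the thread or from the Mozilla LDAP C SDK): it encodes the request with the StartTLS OID from RFC 4511 and lets the TLS handshake begin only when the server's ExtendedResponse carries resultCode success. The function names and the sample response bytes are constructed for illustration, and only short-form BER lengths are handled.

```c
#include <stdio.h>
#include <string.h>
#define STARTTLS_OID "1.3.6.1.4.1.1466.20037"  /* StartTLS request name, RFC 4511 */

/* Encode LDAPMessage { messageID, ExtendedRequest { [0] requestName } }.
 * Short-form BER lengths only, so messageID must be 1..127.
 * Returns the number of bytes written, or 0 on error. */
size_t build_starttls_request(unsigned char *out, size_t cap, int msgid)
{
    size_t oidlen = strlen(STARTTLS_OID);
    size_t total = 2 + 3 + 2 + 2 + oidlen;
    unsigned char *p = out;
    if (msgid < 1 || msgid > 127 || cap < total) return 0;
    *p++ = 0x30; *p++ = (unsigned char)(total - 2);        /* LDAPMessage SEQUENCE */
    *p++ = 0x02; *p++ = 0x01; *p++ = (unsigned char)msgid; /* messageID INTEGER */
    *p++ = 0x77; *p++ = (unsigned char)(2 + oidlen);       /* [APPLICATION 23] */
    *p++ = 0x80; *p++ = (unsigned char)oidlen;             /* [0] requestName */
    memcpy(p, STARTTLS_OID, oidlen);
    return total;
}

/* Return the resultCode of the ExtendedResponse answering msgid,
 * or -1 if the bytes are malformed or are not that response. */
int parse_extended_result(const unsigned char *m, size_t n, int msgid)
{
    if (n < 10 || m[0] != 0x30 || m[1] >= 0x80 || (size_t)m[1] + 2 != n) return -1;
    if (m[2] != 0x02 || m[3] != 0x01 || m[4] != msgid) return -1;
    if (m[5] != 0x78 || m[6] < 3 || m[6] >= 0x80 || (size_t)m[6] + 7 > n) return -1;
    if (m[7] != 0x0a || m[8] != 0x01) return -1;           /* resultCode ENUMERATED */
    return m[9];
}

/* Fail closed: 1 = begin the TLS handshake, 0 = drop the connection. */
int may_start_tls(const unsigned char *resp, size_t n, int msgid)
{
    return parse_extended_result(resp, n, msgid) == 0;
}

int main(void)
{
    /* Constructed sample responses (not captured traffic): success(0), unavailable(52) */
    const unsigned char ok[]  = {0x30,0x0c,0x02,0x01,0x01,0x78,0x07,0x0a,0x01,0x00,0x04,0x00,0x04,0x00};
    const unsigned char bad[] = {0x30,0x0c,0x02,0x01,0x01,0x78,0x07,0x0a,0x01,0x34,0x04,0x00,0x04,0x00};
    unsigned char req[64];
    printf("request bytes: %zu\n", build_starttls_request(req, sizeof req, 1));
    printf("success(0): %s\n", may_start_tls(ok, sizeof ok, 1) ? "start TLS" : "close");
    printf("unavailable(52): %s\n", may_start_tls(bad, sizeof bad, 1) ? "start TLS" : "close");
    return 0;
}
```

A client that treats any non-success answer as a reason to close the connection never continues in cleartext after a refused or tampered StartTLS exchange.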

