SAP ASE
Page tree
Skip to end of metadata
Go to start of metadata

Title - ODBC and LDAPS (used as a Directory Service) on Windows

Purpose

Starting with SDK 15.7 SP100 ODBC can use LDAPS as a Directory Service.

This wiki will help understand this new feature.

Overview

LDAP is used to authenticate users or as a Directory Service to distribute server information.

When using LDAP as a Directory Service a client sends a request to LDAP with a username and password.
If this is accepted, LDAP replies with the requested server information.
This is useful when you want to conceal the host and port or want to keep the information off of all client boxes.
Also this allows admins to add/modify/delete LDAP server entries so all clients are affected at once.

Example:

Open an ODBC DSN from the ODBC Data Source Administrator
start > programs >Sybase > DataAccess (32/64)
Go to the Connection tab

 
Full url: ldap://pvero-rhel5.den2.sap.corp:3322/o=servers,dc=sybase,dc=com
My authentication is set very unsecure and open.
You can also add this to your URL to use an account to authenticate to LDAP.
ldaps:// pvero-rhel5.den2.sap.corp:3322/o=servers,dc=sybase,dc=com????bindname=cn=Manager,dc=Sybase,dc=com?secret

This example shows cn=Manager which is my root admin account.
From: Software Developer's Kit 15.7 > Open Client and Open Server Configuration Guide for UNIX > Using a Directory Service

Service name = server entry entered into LDAP

Wireshark TDS trace between my client and the LDAP server shows this being brought back to ODBC.

 
Notice it replayed with my LDAP server entry SSL.
Host - ldkim-sun
Port - 4545
Protocol - TDS

Now that we understand what LDAP does, let's look further into LDAPS.
The example above sent normal plain text LDAP server.
Wireshark, a protocol TDS capture tool, was used to trace every packet sent between the servers.
However, since we want to be secure and send encrypted packets between servers, LDAPS is the direction to go.

LDAP + SSL

LDAPS is a SSL encrypted LDAP server port.

To enable LDAP to LDAPS you need to create SSL certificates on the LDAP server and distribute the certificates to the clients that want to connect.

SSL certificates are used to establish a SSL Handshake at the beginning of a connection.
Once client and server agree upon an encryption suite and the server has verified the client has a valid certificate, then traffic between the two are encrypted.

If you already have an established LDAP server, items to add:

Note: This is an example of a test environment self signed certificates.
Self Signed certificates are not meant for a production environment.

slapd.conf

TLSCertificateFile      <location to signed crt>/<hostname>.crt
TLSCertificateKeyFile   <location to signed key>/<hostname>.key
TLSCACertificateFile    <location to self signed>/ca.crt

ldap.conf

URI     ldaps://ldap.sybase.com ldaps://ldap-master.sybase.com:636
starting LDAPS-
slapd -h "ldaps://<hostname>:636" -d 255 -f ./slapd.conf

LDAPS + ODBC

When using LDAPS as a Directory Service, isql is able to establish a connection and receive the host and port information through the libtcl.cfg and trusted.txt files.

However, ODBC, on Windows, uses Microsoft's API to setup this interaction between ODBC and LDAPS.
To allow ODBC to use a SSL certificate we must use the Windows tool Microsoft Management Console (MMC).

This tool controls the SSL certificates and allows us to manage them.

To add a certificate:
Type mmc in the search box.
 Open the certificates section:
file > add/remove snap-ins.. > select certificates > "Add >"  Computer account > Finish > Ok
Now you should see the Certificates in the left pane.

 
Here we can right click > All tasks > import... our LDAPS ssl certificates.

Once you have imported your LDAPS SSL certificate you can connect to your LDAPS through ODBC.

The only difference now is we change the URL from LDAP to LDAPS:
ldaps://pvero-rhel5.den2.sap.corp:636/o=servers,dc=sybase,dc=com

(Remember above this can be read by everyone, make sure you have permissions setup.)

Also, based on your SDK version, you may be restricted to the default SSL ports 636 and 3269.
Note: 636 and 3269 ports are the default set by Microsoft to use SSL encryption.
Sybase CR#: 738898 was created to resolve this issue. Should be fixed in SDK 15.7 SP110.

Related Content

Related Documents

Wireshark - TDS Network Protocol Analyzer 

Related sap notes/kbas

  • No labels