
RSA BSAFE Cert-C
API Reference

LDAP_DATA Reference

Use the LDAP_DATA structure to store configuration data for LDAP servers.

This configuration data is necessary because each LDAP server's parameters can vary significantly.

Cert-C LDAP Database service-provider-specific APIs allow you to add, modify, and delete LDAP configuration records. The configuration data is used by the Cert-C LDAP Database service provider when it needs to perform an LDAP operation. When the Cert-C LDAP Database service provider is registered, the corresponding configuration record is retrieved and cached for use in subsequent LDAP connections.

If any of the configuration APIs are invoked to modify the configuration data, that change does not affect any currently registered Cert-C LDAP Database service providers. For a change to take place, the service provider must be unregistered and then re-registered. For example, if you register a Cert-C LDAP Database service provider and call the S_SelectLDAPConfigRecord() function to modify the data, and then call S_InsertLDAPConfigRecord(), the data store contains the new configuration values. However, the currently registered Cert-C LDAP Database service provider still uses the old values. For the new values to take effect, unregister and then re-register the Cert-C LDAP Database service provider.

Data Fields
descriptiveName The descriptive name for this LDAP server. It is a human-readable string that an application can display to the end user. The descriptiveName is used as the unique ID for the LDAP data record and cannot be changed. If a user wants to change the name, then they have to delete the old record and add it again with a new name.
networkAddress The network address for the LDAP host. It is the Internet address of the LDAP host in a string format.
portNo The TCP LDAP port number.
authType The authentication method. The following authentication methods are supported by Cert-C:

Authentication Method   Description
LDAP_AUTH_NONE          No authentication is required. LDAP_INIT_PARAMS's userName and userPassword are ignored.
LDAP_AUTH_SIMPLE        Simple authentication. LDAP_INIT_PARAMS's userName and userPassword are used to authenticate the user when connecting to the LDAP server.

sizeLimit The limit on the number of entries to return from the search. A value of 0 (zero) means no limit.
timeLimit The limit on the number of seconds to spend on the search. A value of 0 (zero) means no limit.
baseDNAttrs A string consisting of a comma-separated list of DN attributes, such as o,c. An optional white space can follow the commas. This is used in an LDAP search to build the base DN.
searchRoot The base DN where the LDAP search should start (for example, c=us) when a search using the given subject name or the given base DN has failed.
searchFilterAttrs The search filter used in an LDAP search when retrieving a certificate by subject name. searchFilterAttrs is a string and follows the same syntax as baseDNAttrs.
certificateAttrs A string that follows the same syntax as baseDNAttrs and contains the directory attribute, or attributes, that can have certificates as their values. It should include both end-entity and CA certificate attributes, such as userCertificate;binary and cACertificate;binary. Cross-certificates, issued by cross-certifying CAs, are in the crossCertificatePair;binary directory entry attribute.
certificateRevocationAttrs A directory attribute, or attributes, that can have CRLs as their values. It should include both end-entity and CA CRL attributes; for example, authorityRevocationList;binary and certificateRevocationList;binary. In many LDAP schemas, both of these directory entry attributes can have a CRL as their value. certificateRevocationAttrs is a string and follows the same syntax as baseDNAttrs.
searchPriority The order in which the service provider searches multiple LDAP sources. Sources with the same search priority are searched in arbitrary order. Zero is the highest priority.
disconnectBeforeConnect Determines if the LDAP source requires disconnecting before performing another operation. You should set this field to TRUE if it is to be disconnected. If more than one operation can be performed with the same LDAP connection, then you should set this to FALSE to enhance performance.
otherData This field is reserved for future use; it should remain empty.

#include <ldapapi.h>

typedef struct LDAP_DATA
{
  char         descriptiveName[MAXLEN_LD_NAME];            /* unique record ID; cannot be changed */
  char         networkAddress[MAXLEN_LD_NETADDR];          /* LDAP host address as a string */
  unsigned int portNo;                                     /* TCP LDAP port */
  unsigned int authType;                                   /* LDAP_AUTH_NONE or LDAP_AUTH_SIMPLE */
  unsigned int sizeLimit;                                  /* max entries returned; 0 = no limit */
  unsigned int timeLimit;                                  /* max seconds per search; 0 = no limit */
  char         baseDNAttrs[MAXLEN_LD_STR];                 /* comma-separated DN attributes, e.g. o,c */
  char         searchRoot[MAXLEN_LD_STR];                  /* fallback base DN, e.g. c=us */
  char         searchFilterAttrs[MAXLEN_LD_STR];           /* filter attributes for subject-name searches */
  char         certificateAttrs[MAXLEN_LD_STR];            /* attributes holding certificates */
  char         certificateRevocationAttrs[MAXLEN_LD_STR];  /* attributes holding CRLs */
  unsigned int searchPriority;                             /* 0 = highest priority */
  unsigned int disconnectBeforeConnect;                    /* TRUE to disconnect before each operation */
  ITEM         otherData;                                  /* reserved for future use; leave empty */
} LDAP_DATA, *PLDAP_DATA;
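One way to populate an LDAP_DATA record with bounds-checked copies into its fixed-size fields and basic validation of portNo and authType, as an added example that is not Cert-C code. The MAXLEN_* sizes, the LDAP_AUTH_* values and the ITEM layout are assumed stand-ins for the real definitions in ldapapi.h.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in values so the block compiles on its own; the real definitions
 * (and the ITEM type) come from <ldapapi.h> and are assumptions here. */
#define MAXLEN_LD_NAME    64
#define MAXLEN_LD_NETADDR 128
#define MAXLEN_LD_STR     256
#define LDAP_AUTH_NONE    0
#define LDAP_AUTH_SIMPLE  1
typedef struct { unsigned char *data; unsigned int len; } ITEM;

typedef struct LDAP_DATA {
    char descriptiveName[MAXLEN_LD_NAME];
    char networkAddress[MAXLEN_LD_NETADDR];
    unsigned int portNo, authType, sizeLimit, timeLimit;
    char baseDNAttrs[MAXLEN_LD_STR], searchRoot[MAXLEN_LD_STR];
    char searchFilterAttrs[MAXLEN_LD_STR], certificateAttrs[MAXLEN_LD_STR];
    char certificateRevocationAttrs[MAXLEN_LD_STR];
    unsigned int searchPriority, disconnectBeforeConnect;
    ITEM otherData;
} LDAP_DATA;

/* Copy src into a fixed-size field. Returns 0 on success, -1 if src plus its
 * NUL terminator does not fit. Overlong values are rejected rather than
 * truncated: a truncated searchRoot or certificateAttrs would silently
 * change which subtree or attributes the provider searches. */
int ldap_set_field(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a minimal record. Everything not set stays zero, which the reference
 * defines as: no size/time limit, highest searchPriority, keep the connection
 * (disconnectBeforeConnect FALSE) and an empty reserved otherData. */
int ldap_data_init(LDAP_DATA *d, const char *name, const char *host,
                   unsigned int port, unsigned int auth, const char *root)
{
    memset(d, 0, sizeof *d);
    if (name[0] == '\0' || port == 0 || port > 65535) return -1;
    if (auth != LDAP_AUTH_NONE && auth != LDAP_AUTH_SIMPLE) return -1;
    if (ldap_set_field(d->descriptiveName, sizeof d->descriptiveName, name) ||
        ldap_set_field(d->networkAddress, sizeof d->networkAddress, host) ||
        ldap_set_field(d->searchRoot, sizeof d->searchRoot, root))
        return -1;
    d->portNo = port;
    d->authType = auth;
    return 0;
}
```

Because descriptiveName is the record's immutable unique ID, a record built this way is the one to pass to the insert API; a change to it later means deleting and re-adding the record, and a re-register of the service provider for the new values to be used.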

The documentation for this struct was generated from the following file:


RSA BSAFE® Cert-C 2.7 API Reference