
Server security

The cfldap tag supports secure socket layer (SSL) v2 security. This security provides certificate-based validation of the LDAP server. It also encrypts data transferred between the ColdFusion server and the LDAP server, including the user password, and ensures the integrity of data passed between the servers. To specify SSL v2 security, set the cfldap tag secure="cfssl_basic" attribute.

About LDAP Server Security

ColdFusion MX uses Java Native Directory Interface (JNDI), the LDAP provider, and an SSL package to create the client side of an SSL communication. The LDAP server provides the server side. The LDAP server that the cfldap tag connects to using SSL holds an SSL server certificate, a certificate that is securely "signed" by a trusted authority and identifies (authenticates) the sender. During the initial SSL connection, the LDAP server presents its server certificate to the client. If the client trusts this certificate, the SSL connection is established and secure LDAP communication can begin.

ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion MX. The ColdFusion MX default cacerts file contains information about many certificate authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following:

keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq

The keytool utility initial keypass password is "change it". For more information on using the keytool utility, see the Sun JDK documentation.

Once ColdFusion establishes secure communication with the server, it must provide the server with login credentials. You specify the login credentials in the cfldap tag username and password attributes. When the server determines that the login credentials are valid, ColdFusion can access the directory.

Using LDAP security

To use security, first ensure that the LDAP server supports SSL v2 security.

Specify the cfldap tag secure attribute as follows:

secure = "cfssl_basic"

For example:

<cfldap action="modify"
   modifyType="add"
   attributes="cn=Lizzie"
   dn="uid=lborden, ou=People, o=Airius.com"
   server="#myServer#"
   username="#myUserName#"
   password="#myPassword#"
   secure="cfssl_basic"
   port="636">

The port attribute specifies the server port used for secure LDAP communications, which is 636 by default. If you do not specify a port, ColdFusion attempts to connect to the default, nonsecure, LDAP port 389.
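The following is an added example, not code from the Adobe documentation: a cfldap query that forces SSL and the secure port, and treats any failure (including a server certificate that is not in the JRE's cacerts keystore) as fatal rather than silently falling back to the clear-text port 389. The variable names ldapHost, bindDN, bindPassword and searchBase, and the directory entries they point at, are assumptions for illustration.

```cfml
<!--- Added example (not from the Adobe documentation). The variable names
      below are assumptions; replace them with your own configuration. --->
<cfset ldapHost = "ldap.example.com">
<cfset bindDN = "uid=appbind, ou=People, o=Airius.com">
<cfset bindPassword = "REPLACE-WITH-BIND-PASSWORD">
<cfset searchBase = "ou=People, o=Airius.com">

<cftry>
    <!--- secure="cfssl_basic" turns on SSL. port="636" is stated explicitly
          because, without it, ColdFusion tries the nonsecure port 389. --->
    <cfldap action="query"
        name="people"
        server="#ldapHost#"
        port="636"
        secure="cfssl_basic"
        username="#bindDN#"
        password="#bindPassword#"
        start="#searchBase#"
        scope="oneLevel"
        filter="(objectclass=person)"
        attributes="uid,cn,mail"
        timeout="10000">

    <cfoutput query="people">
        #uid# (#cn#) &lt;#mail#&gt;<br>
    </cfoutput>

    <cfcatch type="any">
        <!--- A server certificate the JRE's cacerts keystore does not trust,
              a closed port 636, or rejected credentials all land here. Log
              the detail and stop; never retry on port 389 without SSL. --->
        <cflog file="ldap" type="error"
            text="Secure LDAP to #ldapHost#:636 failed: #cfcatch.message# #cfcatch.detail#">
        <cfthrow message="Secure LDAP connection failed; see the ldap log.">
    </cfcatch>
</cftry>
```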


Comments


shillbot said on Sep 15, 2003 at 9:23 AM :
Apparently CFMX's LDAP over SSL does not work with OpenLDAP 2.0.x - Just with 2.1 and up.
elopez_uia said on Jan 7, 2005 at 5:46 PM :
If the keytool utility initial keypass "change it" does not work, try with "changeit" (without space).
sdwebguy99 said on May 12, 2005 at 10:26 AM :
The first paragraph should read:

"To specify SSL v2 security, set the cfldap tag secure="cfssl_basic" attribute."

It is CFLDAP not CFLADAP.


Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/ldap28.htm