The command ldap_getcerts() retrieves public S/MIME keys (certificates) from an LDAP directory service.

 

This command obtains public S/MIME keys (certificates) from an LDAP directory service for each recipient of an email.

The search filter used is (mail=) and cannot be configured.

 

Also see Key server.

 

Structure of the command

ldap_getcerts('ldap',['optional'],['require_validca']);

Return value

Always positive.

 

Parameters

Variables available!

 

ldap

The parameter is structured as follows:

'URI;BindDN;Password;SearchBase'

The meaning of the individual parts is described below:

URI

Specifies the LDAP(S) server to be queried. A hostname or IP address is accepted as input. Several comma-separated values can also be specified; in this case the system automatically falls back to the next server if the previous one cannot be reached.

Note: If more than one LDAP server is entered, a connection is established to each individual server. The connections are cached. The actual query is then executed in the server order entered until the query succeeds. If a query was unsuccessful, the connection is removed from the cache. If no connection remains in the cache, the connections are re-established.

BindDN

The full distinguished name (DN) of the (read-only) account that is authorised to search the "SearchBase" in the LDAP directory.

Password

The password of the user specified under BindDN.

Note: Semicolons ";" and backslashes "\" in the password must each be escaped with a backslash, i.e. written as "\;" and "\\" respectively.

For instance, the password

p4ss\w0rd;

would have to be entered as follows:

p4ss\\w0rd\;

SearchBase

Search path: specifies the branch of the LDAP directory in which the search for the recipient's mail address (filter (mail=), see above) is performed.
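As an added illustration (not part of this documentation or of the product), the following Python helper splits the 'URI;BindDN;Password;SearchBase' string according to the rules above and applies the escaping shown in the password note; the function names and the sample values are my own.

```python
# Added example: parse and build the ldap parameter string of ldap_getcerts().
# Rules taken from the documentation: fields are separated by ";", the URI field
# may hold several comma-separated servers (tried in order), and ";" and "\" inside
# a field (typically the password) are escaped as "\;" and "\\".

def escape_ldap_field(value: str) -> str:
    """Escape one field for the parameter string (backslashes first, then semicolons)."""
    return value.replace("\\", "\\\\").replace(";", "\\;")


def parse_ldap_parameter(param: str) -> dict:
    """Split the parameter string on unescaped semicolons and return its four parts."""
    fields, current, i = [], [], 0
    while i < len(param):
        ch = param[i]
        if ch == "\\" and i + 1 < len(param):
            current.append(param[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ";":
            fields.append("".join(current))  # unescaped ";" ends the field
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if len(fields) != 4:
        raise ValueError(f"expected URI;BindDN;Password;SearchBase, got {len(fields)} fields")
    uri, bind_dn, password, search_base = fields
    return {
        "uris": [u.strip() for u in uri.split(",") if u.strip()],  # fallback order
        "bind_dn": bind_dn,
        "password": password,
        "search_base": search_base,
    }


def build_ldap_parameter(uris, bind_dn, password, search_base) -> str:
    """Inverse of parse_ldap_parameter(): escape each field and join with ';'."""
    parts = (",".join(uris), bind_dn, password, search_base)
    return ";".join(escape_ldap_field(p) for p in parts)


if __name__ == "__main__":
    # Constructed sample: two servers, a read-only bind account and a password
    # containing both characters that need escaping.
    sample = build_ldap_parameter(["ldaps://a.example", "ldaps://b.example"],
                                  "cn=reader,dc=example", "p4ss\\w0rd;", "dc=example")
    print(sample)                        # ldaps://a.example,ldaps://b.example;cn=reader,dc=example;p4ss\\w0rd\;;dc=example
    print(parse_ldap_parameter(sample))
```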

 

optional (optional)

Determines the behaviour if the LDAP directory service cannot be reached.

Possible values:

true, yes or 1: If the LDAP server is unavailable, ruleset processing continues without restriction.

false, no or 0: Immediate termination (temporary rejection with code "420 could not bind to LDAP server $uri") if the LDAP server cannot be reached.

The default setting is 0.

 

require_validca (optional)

Activates an additional check of the validity of the issuing CA before the certificate is obtained (see also X.509 Root Certificates). If the certificate found does not originate from a trusted CA, it is neither transferred to the local certificate store (see X.509 Certificates) nor used for encryption.

Possible values:

true, yes or 1: The validity of the issuing CA is checked.

false, no or 0: The issuing CA is not checked.

The default setting is 0.

Example 1

ldap_getcerts('ldaps://ldap-directory.domain.tld;;;ou=pki-participant,dc=pki,dc=mycompany,dc=tld');

Explanation

The LDAP server accessible under the Fully Qualified Domain Name (FQDN) "ldap-directory.domain.tld" (on the standard LDAPS port 636) is queried. A BindDN and password to authorise the query are not necessary because the example uses a public LDAP directory service, so both fields are left empty. The LDAP path in which the certificates are stored is ou=pki-participant,dc=pki,dc=domain,dc=tld.
