
[API Proposal]: LdapSessionOptions.CaCertificates Property #104260

Open
onmp opened this issue Jul 1, 2024 · 3 comments
Labels: api-suggestion (Early API idea and discussion, it is NOT ready for implementation), area-System.DirectoryServices, needs-further-triage (Issue has been initially triaged, but needs deeper consideration or reconsideration)

onmp commented Jul 1, 2024

### Background and motivation

This is to provide a way for those who may not have the privilege to administer the system CA certificate store, or those who do not want to add entries to the system CA stores permanently, to be able to verify the server certificate.
This also specifically addresses the fact that the LdapSessionOptions.VerifyServerCertificates property is not supported on Linux and macOS for .NET Core.

### API Proposal

Definition

Namespace:
    System.DirectoryServices.Protocols 

Assembly:
    System.DirectoryServices.Protocols.dll

The property CaCertificates contains an X509CertificateCollection object with one or more CA certificates to use to verify server certificates when an SSL connection is established.

```csharp
public System.Security.Cryptography.X509Certificates.X509CertificateCollection CaCertificates { set; }
```

Property value
CaCertificates

CA certificates to verify the server certificate.

### API Usage

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// myCert (client certificate(s)) and CaCerts (trusted CA certificates) are assumed
// to be loaded by the caller; CaCertificates is the property proposed in this issue.
LdapDirectoryIdentifier identifier = new LdapDirectoryIdentifier("192.168.10.100", 3060, false, false);
using (LdapConnection ldapConnection = new LdapConnection(identifier))
{
    ldapConnection.SessionOptions.ProtocolVersion = 3;
    ldapConnection.AuthType = AuthType.Basic;
    ldapConnection.Credential = new NetworkCredential("admin", "SomePassword");
    ldapConnection.ClientCertificates.AddRange(myCert);
    ldapConnection.SessionOptions.CaCertificates.AddRange(CaCerts);
    ldapConnection.Bind();
}
```


### Alternative Designs

Have LdapSessionOptions.VerifyServerCertificates be functional.

### Risks

The risk is minimal because no current application is using this property.
onmp added the api-suggestion (Early API idea and discussion, it is NOT ready for implementation) label Jul 1, 2024
dotnet-policy-service bot added the untriaged (New issue has not been triaged by the area owner) label Jul 1, 2024
Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014
See info in area-owners.md if you want to be subscribed.

filipnavara (Member) commented:

I think this is misguided. There's an existing API for certificate validation (LdapSessionOptions.VerifyServerCertificates) that follows the established pattern used by other classes like SslStream or HttpClientHandler. The reason it's not implemented on non-Windows systems is the lack of a corresponding API in the native system LDAP library (*). The API proposed above would still suffer from the same underlying issue, which is the lack of certificate control at the lower-level system API.

(*) See #60972 for details.
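
To illustrate the callback pattern filipnavara refers to, here is an added example (not code from this issue or from the runtime) that scopes trust to a caller-supplied CA set through the existing LdapSessionOptions.VerifyServerCertificate property, on platforms where that callback is honoured. The class and method names (LdapCaPinning, ChainsToTrustedCa, Attach) are hypothetical, and the trustedCas collection is assumed to be loaded by the caller.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of the runtime or of this proposal): validates the LDAP
// server certificate against a caller-supplied set of CA certificates, independent of
// the system CA store, using the existing VerifyServerCertificate callback.
public static class LdapCaPinning
{
    // Returns true only if serverCert chains to one of the CAs in trustedCas.
    public static bool ChainsToTrustedCa(X509Certificate2 serverCert, X509Certificate2Collection trustedCas)
    {
        using var chain = new X509Chain();
        // CustomRootTrust ignores the system root store and trusts only the supplied roots.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedCas);
        // Revocation checking is disabled here for an offline example; enable Online
        // where the CRL/OCSP endpoints of the private CA are reachable.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(serverCert);
    }

    // Wires the check into an LdapConnection before Bind() is called.
    public static void Attach(LdapConnection connection, X509Certificate2Collection trustedCas)
    {
        connection.SessionOptions.SecureSocketLayer = true;
        connection.SessionOptions.VerifyServerCertificate =
            (LdapConnection conn, X509Certificate cert) =>
                ChainsToTrustedCa(new X509Certificate2(cert), trustedCas);
    }
}
```

Rejecting the connection when the callback returns false is the same failure mode the proposed CaCertificates property would need, so the example also shows why the missing native hook, not the managed surface, is the blocker described above.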

steveharter added this to the Future milestone Jul 3, 2024
steveharter added the needs-further-triage (Issue has been initially triaged, but needs deeper consideration or reconsideration) label and removed the untriaged (New issue has not been triaged by the area owner) label Jul 3, 2024

steveharter (Member) commented:

Per offline discussion with @buyaa-n, moving to future. Please close if there is a valid alternative.
