Configuring LDAP on iPhone 3.0

Another new feature in the iPhone 3.0 software update is a built-in LDAP client. Previously, a third-party app such as Directory or LDAPeople was required.

To configure LDAP:

  1. Go to Settings > Mail, Contacts, Calendars
  2. Tap "Add Account...", then "Other"
  3. Under Contacts, "Add LDAP Account"
  4. Enter account information:
    • Server: ldap.company.com
    • User Name: [e.g. cn=First Last (employee ID), ou=people, dc=company,dc=com]
    • Password: [your password]
    • Description: [e.g. book]
  5. Tap "Next"

Unfortunately, it doesn't work with Sun's book.sun.com: it gives a "Cannot Connect Using SSL" error. A reader reported three months ago that this could be due to a missing CA cert, so this looks like an open iPhone bug.

Come to think of it, this could be an underlying OS X bug. Using the Address Book app in OS X 10.5 configured for book.sun.com, lookups work when "Allow self-signed certificates" is checked and fail when it is unchecked, even though book.sun.com has a legitimate chained certificate with VeriSign as the CA.

In the meantime, if you want to use LDAPS on iPhone 3.0, the workaround is to buy a third-party app.


[UPDATE Jun 23, 2009] Bug ID# 7000490 filed with Apple.

Comments:

yeah I can't use this either and I usually have to tell LDAP software to just accept our cert (because it's a GoDaddy chained cert, which trips up many SSL implementations and cert setups, ime).

Posted by Chris Jones on June 18, 2009 at 08:24 AM PDT #

If you want, try bundling the certs and allowing trust using the iPhone Config Utility.

Posted by Chris on June 18, 2009 at 01:37 PM PDT #

@Chris I've installed the root CA cert, the intermediary CA cert, as well as the server cert on my iPhone, but still getting the error. Can you elaborate? Which certs should I bundle and how do I bundle them?

Posted by Robert Chien on June 19, 2009 at 11:45 AM PDT #

With OS3.0 you've no need to use the iPhone Config Utility to add certs, you simply need to point the iPhone safari browser at the certs uploaded to a web site and click on them, and you will be prompted to trust and add them.

I added the certs for both the production addressbook and the ITCTO instance, but still get the same SSL connection issue.

Posted by Michael on June 23, 2009 at 03:13 AM PDT #

At least in my case the additional failure after installing the cert is that the phone doesn't want to do LDAP+TLS, just SSL+LDAP.

Posted by Chris Jones on June 28, 2009 at 08:46 PM PDT #

Hi Robert
Your blog gives very good content about Configuring LDAP on iPhone 3.0. I like it.
Well, well, another thing going to be ruined...

Posted by Nikhil on July 21, 2009 at 10:12 PM PDT #

Hi Robert, can you provide any update on the Apple bug? I've been dealing w/ Apple trying to work around this on an OpenLDAP server w/ a wildcard cert and haven't gotten much further.

Chris Jones, can you clarify further on the LDAP+TLS vs SSL+LDAP? My understanding is that LDAP on port 636 ( LDAPS:// ) is SSL+LDAP vs LDAP+TLS which is over standard LDAP:// port?

Posted by Dennis Q on August 10, 2009 at 06:05 PM PDT #

Thanks - Your blog helped me get my google calendar on my iphone, but I still can't seem to get my gmail contacts coming through - any ideas? I've tried Add Account, but don't know the LDAP settings for gmail...

Posted by Michelle on August 13, 2009 at 10:15 PM PDT #

@Dennis Q the Apple bug is still open, and engineering is actively working it as far as I can tell.

@Michelle I don't think Gmail Contacts are accessible via LDAP.

Posted by Robert Chien on August 14, 2009 at 03:29 AM PDT #

@Michelle - for Google contacts and calendar, checkout Google Sync (www.google.com/sync) (basically configure iPhone MS Exchange settings which gives you your google calendars and contacts)

Posted by Darren on August 19, 2009 at 02:36 AM PDT #

The iPhone only allows one Exchange connection, which I currently use to connect to my company's Exchange. GMail of course I can access through IMAP, but Contacts would be really key as I previously used Google Sync on my BlackBerry and was using it through Exchange on my iPhone prior to adding my work account.

Is there any other way for me to sync my Google contacts on my iPhone over the air? LDAP looks ideal...

Posted by Sumit on August 25, 2009 at 10:04 AM PDT #

Did anybody get this working yet? Maybe 3.1 fixed the problem. I can't try it because I haven't installed 3.1 yet.

It would be really cool if this feature actually worked...

Posted by Romke on September 23, 2009 at 06:34 AM PDT #

@Romke I confirmed it is not fixed in 3.1.

Apple responded in my bug report that in order for them to verify this bug, they need a test account on our corporate LDAP server. This is unlikely to happen, so if any of you can provide Apple with a test account, please contact me privately. My email addr is myfirstname.mylastname@sun.com.

Posted by Robert Chien on September 23, 2009 at 10:14 AM PDT #

@Dennis Q, you are correct. SSL+LDAP (LDAPS://) is on port 636; LDAP+TLS and regular LDAP both run over port 389 -- the difference is whether one sends a STARTTLS command as well.

@Everyone else, I'm curious if *anyone* has a certificate that works. I ask because it would help narrow down the problem field. I don't know that it's simply the self-signed certificate that would be the problem because every root CA certificate is going to be self-signed. So, I think the issue may be whether the root CA is using a version 1 or a version 3 certificate.

The root CA of GoDaddy (mentioned above) is ValiCert. ValiCert uses a V1 cert for their root. The root CA of book.sun.com is VeriSign Class 3, which also uses a V1 cert. (Many root CAs have V1 certs because they existed before V3 certs were commonplace -- and because root CAs generally don't need extensions either.)

So, can anyone confirm this bug happens with a root CA that uses a Version 3 certificate?

Posted by Willie on December 17, 2009 at 10:20 AM PST #
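To make Dennis Q's question and Willie's answer about "SSL+LDAP" versus "LDAP+TLS" concrete, here is an added diagnostic script (my own example, not code from the post, Sun or Apple). It encodes the LDAP StartTLS extended request, reads the server's result code, and then checks whether the server's certificate chain verifies against a chosen CA bundle, on either port 636 (implicit TLS) or port 389 (StartTLS); the host, port and CA file are assumptions supplied by the caller.

```python
import socket
import ssl

# Added example, not code from the post: probe an LDAP server's TLS setup.
# "SSL+LDAP" = implicit TLS on 636 (LDAPS://); "LDAP+TLS" = plain LDAP on 389
# followed by the StartTLS extended operation (OID from RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV using the short definite length form (< 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER only")
    return bytes([tag, len(payload)]) + payload

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION|constructed|23
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def parse_result_code(msg: bytes) -> tuple:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse (tag 0x78)."""
    if len(msg) < 2 or msg[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    body = msg[2:2 + msg[1]]
    pos = 2 + body[1]                       # skip the messageID INTEGER
    if body[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    res = body[pos + 2:pos + 2 + body[pos + 1]]
    code = res[2]                           # resultCode ENUMERATED (single byte)
    p = 3 + 2 + res[4]                      # skip matchedDN OCTET STRING
    diag = res[p + 2:p + 2 + res[p + 1]].decode("utf-8", "replace")
    return code, diag

def probe_ldap_tls(host: str, port: int, starttls: bool, cafile=None) -> str:
    """Report whether the server's chain verifies against cafile (None = system trust).
    host/port/cafile are assumptions supplied by the caller; needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)       # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        if starttls:                                      # LDAP+TLS: negotiate on 389 first
            sock.sendall(build_starttls_request())
            code, diag = parse_result_code(sock.recv(4096))  # tiny reply, one read suffices
            if code != 0:
                return f"server refused StartTLS: resultCode {code} {diag!r}"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"chain trusted ({tls.version()}): {tls.getpeercert()['subject']}"
        except ssl.SSLCertVerificationError as e:         # the "unknown CA" case
            return f"chain NOT trusted: {e.verify_message}"
```

Running it against the same server with the same root and intermediate certificates the phone was given shows whether the chain itself is the problem or the client is; e.g. `probe_ldap_tls("ldap.example.com", 636, False, cafile="/path/to/ca-bundle.pem")`.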

I just answered my own previous question and verified that it does NOT work with v3 certificates at the root either.

Posted by Willie on December 17, 2009 at 01:34 PM PST #

I have a Linux server with Apache/Dovecot/Postfix/OpenLDAP installed (all of them with SSL/TLS support enabled). All SSL connections are working fine with all of those products under different platforms & software except one: LDAP on iPhone 3GS (3.11).

A further analysis of transactions between my iPhone and my server shows this: "TLS trace: SSL3 alert read:fatal:unknown CA".

It seems iPhone can't use or does not recognize my certificate (self-signed).

Posted by Romain Liévin on December 19, 2009 at 09:56 PM PST #

About

I currently live in San Francisco Bay Area. For the past seven years, I have been designing and building messaging solutions for Sun.
