Rocket Uniface User Forum

 View Only

Lightweight Directory Access Protocol (LDAP) Settings

By Kathy Larson posted 03-29-2023 09:55


Created by Jasper de Keijzer


To improve the security of the LDAP driver on UNIX, we’ve updated the the driver to support network profiles defined in the Uniface ASN file. This means that in the NET_SETTINGS, you can define chapter ciphers and protocols in a profile; then you can refer to the profile in the driver settings. In this blog you’ll learn about what these settings do and how you can use these settings to improve the security of your environments. As a system administrator you can use the min_tls_version and the cipher_suite settings to set the minimum required protocol and cipher for the network connection, preventing the server from downgrading to a non-secure TLS version or cipher during a connection negotiation. 

The additional settings are only available on UNIX or Linux systems with the open LDAP installed.

The network security setup on Windows depends largely on the system setup and cannot be influenced by the net profile setting as described in this blog.

Current driver settings

The LDAP driver is created as a database driver and thus has the driver settings in the ASN file.

Here’s an example:

LDP = U3.0
USYS$LDP_PARAMS nulldefault=N, addbase=off

During a previous security update, we extended the driver settings with a TLS setting.

USYS$LDP_PARAMS nulldefault=N, addbase=off, TLS server validation=ignore_name

The settings:

USYS$LDP_PARAMS { = } tls ca file | tlscafil=PemFile

The pem file is the fully-qualified file name of the CA certificate in PEM format.

And we have the option to define the ca file directory.

USYS$LDP_PARAMS { = } tls ca directory | tlscadir =CaDir

New driver settings

For Linux and other UNIX systems, first, we introduce the settings min_tls_version and cipher_list. Then, in the driver settings string, we add the net_profile setting which points to a profile in the NET_SETTINGS chapter.

In the following example, we define a profile in the NET_SETTINGS and then we refer to it from the driver settings:

ldap_settings= verify_server=yes, verify_server_name=true, ca_certificate=/UNI1040120/ca-bundle.crt, min_tls_version=1.2,cipher_list=HIGH

LDP = U3.0
USYS$LDP_PARAMS nulldefault=N, addbase=off, net_profile=”ldap_settings”

Important notice

When a profile is defined, and one of the mentioned settings is found in the profile, all network related driver-options are ignored. Also, when one of the network options is found in the network profile, the LDAP driver will switch to a TLS connection.

Mappings in the settings explained

The following table gives an overview of the existing driver settings and the network profile settings which replace the associated driver settings when a net_profile is used. As mentioned in the notice, when one of the options in the second column is found in the used network profile, the LDAP driver will switch to TLS and ignore the settings mentioned in the first column of this table. 

LDAP driver setting

Net settings

Description and Open LDAP setting



Directory containing the CA certificates with hashed file names. Sets the path of the directories containing CA certificates. 




Sets/ the full-path of the CA certificate file.



1.1 | 1.2 (default)

Open LDAP does not yet support version 1.3.

tls server validation = validate | ignore_name

Verify_server = no (default) | yes

Disable server certificate validation when set to “no”.

Maps to the “validate” option when set to “yes”

tls server validation = validate|ignore_name

Verify_server_name = no (default) | yes

Maps to the “ignore_name” option when set to “no”


Defines the list of ciphers used in the connection.  Or options like ALL | DEFAULT | LOW | MEDIUM | HIGH


If you have any comments or questions, please start a discussion in the Uniface forums.

Here are some useful links to documentation on the mentioned options:

LDAP Connector options