[Cannot Connect Using SSL]

Another new feature in the iPhone 3.0 software update is a built-in LDAP client. Previously, a third-party app such as Directory or LDAPeople was required.

To configure LDAP:

  1. Go to Settings > Mail, Contacts, Calendars
  2. Tap "Add Account...", then "Other"
  3. Under Contacts, "Add LDAP Account"
  4. Enter account information:
    • Server: ldap.company.com
    • User Name: [e.g. cn=First Last (employee ID), ou=people, dc=company,dc=com]
    • Password: [your password]
    • Description: [e.g. book]
  5. Tap "Next"

Unfortunately, it doesn't work with Sun's book.sun.com: it gives a "Cannot Connect Using SSL" error. A reader reported three months ago that this could be due to a missing CA cert, so this looks like it might be an open iPhone bug.

Come to think of it, this could be an underlying OS X bug. Using the Address Book app in OS X 10.5 configured for book.sun.com, lookup works if "Allow self-signed certificates" is checked and fails if it is unchecked, even though book.sun.com has a legitimate chained cert with VeriSign as CA.

In the meantime, if you want to use LDAPS on iPhone 3.0, the workaround is to buy a third-party app.
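The two symptoms above (a client that only works when self-signed certificates are allowed, and a "chained" certificate that some SSL implementations reject) usually come down to what the server actually sends in its TLS handshake: either the full chain up to a root the client trusts, or just the leaf. The script below is an added example, not part of the original post or of Apple's client. It drives `openssl s_client -showcerts` (assumed to be on the PATH) against an LDAPS endpoint and classifies the result; the host names and the two sample outputs are constructed placeholders.

```python
"""Diagnose an LDAPS "Cannot Connect Using SSL"-style failure from the server side.

Added example, not code from the original post. It runs `openssl s_client`
(assumed on PATH) against an LDAPS endpoint and classifies what the server sent:
a chain that verifies, a leaf without its intermediates (the "chained cert" case
that trips clients lacking the intermediate CA), or a chain whose root is simply
not in the local trust store. Host names here are placeholders.
"""
import re
import subprocess

# OpenSSL X509 verify result codes relevant to this failure (from x509_vfy.h).
VERIFY_CODES = {
    0: "ok",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",  # root not in trust store
    21: "unable to verify the first certificate",  # server sent the leaf only
}

def summarize_s_client(output: str) -> dict:
    """Parse `openssl s_client -showcerts` output into chain depth, verify code and verdict.

    With -showcerts, s_client prints each certificate of the chain exactly once
    (it does not repeat the leaf under "Server certificate"), so counting PEM
    blocks gives the number of certificates the server actually sent.
    """
    depth = output.count("-----BEGIN CERTIFICATE-----")
    found = re.findall(r"Verify return code:\s*(\d+)", output)
    code = int(found[-1]) if found else None
    if code == 0:
        verdict = "chain verifies; the client must be failing for another reason"
    elif code == 21:
        verdict = (f"server sent {depth} certificate(s) but not the issuer of its leaf; "
                   "clients without the intermediate CA cannot build the chain. "
                   "Fix on the server: send the intermediate certificates")
    elif code == 20:
        verdict = "chain is sent but its root is not trusted locally; install the root CA on the client"
    elif code in (18, 19):
        verdict = "self-signed certificate in the path; only clients that explicitly trust it will connect"
    elif code is None:
        verdict = ("no TLS handshake completed: wrong port, or the server expects "
                   "StartTLS on 389 rather than LDAPS on 636")
    else:
        verdict = VERIFY_CODES.get(code, f"verify error {code}")
    return {"chain_depth": depth, "verify_code": code, "verdict": verdict}

def probe_ldaps(host: str, port: int = 636, cafile=None, timeout: int = 15) -> dict:
    """Run openssl s_client against host:port (implicit TLS, as LDAPS uses) and summarize.

    For StartTLS on 389 add "-starttls", "ldap" (OpenSSL 1.1.1 or newer).
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    if cafile:
        cmd += ["-CAfile", cafile]
    # Empty stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    return summarize_s_client(proc.stdout + proc.stderr)

# Constructed s_client outputs (not real captures) for offline use of the parser.
SAMPLE_LEAF_ONLY = """CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
issuer=CN = Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

SAMPLE_FULL_CHAIN = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe_ldaps(sys.argv[1])      # e.g. python ldaps_check.py ldap.example.com
    else:
        result = summarize_s_client(SAMPLE_LEAF_ONLY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A verify code of 21 with a single certificate in the chain points at the server (it is not sending its intermediates), which is the fix the server operator can make; a code of 20 points at the client's trust store, which is what installing the root CA on the device addresses.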


[UPDATE Jun 23, 2009] Bug ID# 7000490 filed with Apple.

Comments:

Yeah, I can't use this either, and I usually have to tell LDAP software to just accept our cert (because it's a GoDaddy chained cert, which trips up many SSL implementations and cert setups, IME).

Posted by Chris Jones on June 18, 2009 at 03:24 PM PDT #

If you want, try bundling the certs and allowing trust using the iPhone Config Utility.

Posted by Chris on June 18, 2009 at 08:37 PM PDT #

@Chris I've installed the root CA cert, the intermediary CA cert, as well as the server cert on my iPhone, but still getting the error. Can you elaborate? Which certs should I bundle and how do I bundle them?

Posted by Robert Chien on June 19, 2009 at 06:45 PM PDT #

With OS 3.0 you've no need to use the iPhone Config Utility to add certs: you simply point the iPhone Safari browser at the certs uploaded to a web site and click on them, and you will be prompted to trust and add them.

I added the certs for both the production addressbook and the ITCTO instance, but still get the same SSL connection issue.

Posted by Michael on June 23, 2009 at 10:13 AM PDT #

At least in my case the additional failure after installing the cert is that the phone doesn't want to do LDAP+TLS, just SSL+LDAP.

Posted by Chris Jones on June 29, 2009 at 03:46 AM PDT #

Hi Robert,
Your blog gives very good content about configuring LDAP on iPhone 3.0. I like it.
Well, well, another thing going to be ruined...

Posted by Nikhil on July 22, 2009 at 05:12 AM PDT #

Hi Robert, can you provide any update on the Apple bug? I've been dealing w/ Apple trying to work around this on an OpenLDAP server w/ a wildcard cert and haven't gotten much further.

Chris Jones, can you clarify further on LDAP+TLS vs SSL+LDAP? My understanding is that LDAP on port 636 (LDAPS://) is SSL+LDAP, vs LDAP+TLS, which is over the standard LDAP:// port?

Posted by Dennis Q on August 11, 2009 at 01:05 AM PDT #
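The distinction Dennis asks about, and the one Chris Jones reports the phone making, is visible in the first bytes on the wire. LDAPS (port 636) starts the TLS handshake immediately, so the first thing a server sees is a TLS record. LDAP+StartTLS (port 389) starts in cleartext: the client sends an LDAP ExtendedRequest with OID 1.3.6.1.4.1.1466.20037, and TLS begins only after the server answers with resultCode success. The following is an added example, not code from the original post or from any LDAP product; it encodes and decodes just enough BER to build both messages and to classify a captured first message. All sample bytes are constructed.

```python
"""LDAPS versus LDAP+StartTLS, as seen on the wire (added example; RFC 4511 framing).

Assumptions: messages are complete (no partial reads) and message IDs fit in one byte,
which keeps the BER helpers short without changing the encoding rules.
"""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 s.4.14

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV) for the TLV starting at pos."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)

def starttls_response(message_id: int = 1, result_code: int = 0) -> bytes:
    """LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage } }."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, body))

def anonymous_bind_request(message_id: int = 1) -> bytes:
    """A plain LDAPv3 BindRequest [APPLICATION 0] with simple (empty) authentication."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b""))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def parse_starttls_response(msg: bytes) -> int:
    """Return the resultCode of an ExtendedResponse; 0 means the server will now speak TLS."""
    tag, seq, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(seq)
    op_tag, op, _ = _read_tlv(seq, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    rc_tag, rc, _ = _read_tlv(op)
    if rc_tag != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED")
    return int.from_bytes(rc, "big")

def classify_first_bytes(first: bytes) -> str:
    """Classify the first complete message a server (or a capture) sees from a client."""
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03:
        return "tls-handshake"           # LDAPS: TLS record before any LDAP at all
    if first[:1] == b"\x30":
        _, seq, _ = _read_tlv(first)
        _, _, pos = _read_tlv(seq)       # skip messageID
        op_tag, op, _ = _read_tlv(seq, pos)
        if op_tag == 0x77 and _read_tlv(op)[1] == STARTTLS_OID:
            return "ldap-starttls-request"
        return "ldap-cleartext"          # LDAP with no TLS requested yet
    return "unknown"

if __name__ == "__main__":
    print("StartTLS request :", starttls_request().hex())
    print("StartTLS success :", parse_starttls_response(starttls_response()))
    print("LDAPS first bytes:", classify_first_bytes(b"\x16\x03\x01\x00\xc8\x01"))
```

Three distinct failure modes follow from this: a client speaking LDAPS to port 389 sends a TLS record to a server expecting BER and gets nothing useful back; a StartTLS client on port 636 sends cleartext BER into a TLS listener; and a server that returns a non-zero resultCode to the StartTLS request (for example 52, unavailable) never upgrades the connection. A client that only supports the LDAPS form, as Chris describes, will fail against a directory that is configured for StartTLS only.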

Thanks - Your blog helped me get my google calendar on my iphone, but I still can't seem to get my gmail contacts coming through - any ideas? I've tried Add Account, but don't know the LDAP settings for gmail...

Posted by Michelle on August 14, 2009 at 05:15 AM PDT #

@Dennis Q the Apple bug is still open, and engineering is actively working it as far as I can tell.

@Michelle I don't think Gmail Contacts are accessible via LDAP.

Posted by Robert Chien on August 14, 2009 at 10:29 AM PDT #

@Michelle - for Google contacts and calendar, check out Google Sync (www.google.com/sync) (basically you configure the iPhone MS Exchange settings, which gives you your Google calendars and contacts)

Posted by Darren on August 19, 2009 at 09:36 AM PDT #

The iPhone only allows one Exchange connection, which I currently use to connect to my company's Exchange. GMail of course I can access through IMAP, but Contacts would be really key as I previously used Google Sync on my BlackBerry and was using it through Exchange on my iPhone prior to adding my work account.

Is there any other way for me to sync my Google contacts on my iPhone over the air? LDAP looks ideal...

Posted by Sumit on August 25, 2009 at 05:04 PM PDT #

Did anybody get this working yet? Maybe 3.1 fixed the problem. I can't try it because I haven't installed 3.1 yet.

It would be really cool if this feature actually worked...

Posted by Romke on September 23, 2009 at 01:34 PM PDT #

@Romke I confirmed it is not fixed in 3.1.

Apple responded in my bug report that in order for them to verify this bug, they need a test account on our corporate LDAP server. This is unlikely to happen, so if any of you can provide Apple with a test account, please contact me privately. My email addr is myfirstname.mylastname@sun.com.

Posted by Robert Chien on September 23, 2009 at 05:14 PM PDT #


This blog copyright 2009 by chienr