[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL connection using libLDAP [Even More Questions]

To: openldap-software@OpenLDAP.org
Subject: Re: SSL connection using libLDAP [Even More Questions]
From: Alexander Hartner <alex@j2anywhere.com>
Date: Tue, 21 Mar 2006 09:04:45 +0000
Cc: Daniel Knauth <dk@krachbumm.de>
In-reply-to: <441E66B4.9070706@j2anywhere.com>
References: <2F3110C2-3E9C-443D-B9A8-D184A6EC43B4@j2anywhere.com> <7.0.1.0.0.20060317204042.03352ad0@OpenLDAP.org> <727D80C3-E86F-427A-81E5-456B5F974061@j2anywhere.com> <7.0.1.0.0.20060318073915.021e1220@OpenLDAP.org> <8DF5F697-B9B0-41AC-9E03-7C89E98B5A38@j2anywhere.com> <441E66B4.9070706@j2anywhere.com>

After some searching, I figured out that I don't actually need to invoke ldap_start_tls_s(ldap, NULL, NULL); after having invoked ldap_initialize(&ldap,"ldaps://..."); From Kurt's first response I gathered that this mean I am using the non-standard approach.

OpenLDAP's -lldap supports initiating TLS (SSL) using either
the standard "Start TLS" mechanism [RFC2830] or the non-standard
"ldaps:" (Secure LDAP) mechanism.

I then tried to ldap_initialize(&ldap,"ldap://...";); (Without the 's') and to use the following:

e = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/openldap/ cacert.pem"); ldap_perror(ldap, "SETTING CACERTIFICATE FILE"); ldap_start_tls_s(ldap, NULL, NULL); ldap_perror(ldap, "LDAP STARTING TLS");

But this did not work and failed with the following errors:

LDAP INITIALISED: Success (0)
LDAP VERSION 3 SET: Success (0)
SETTING CACERTIFICATE FILE: Success (0)
LDAP STARTING TLS: Can't contact LDAP server (-1)
LDAP BOUND: Can't contact LDAP server (-1)

Seeing that the non-standard way it working for me it's not really a big problem. I just would like to understand this better.

Kind regards

Alexander Hartner
alex@j2anywhere.com


On 20 Mar 2006, at 08:24, Alexander F. Hartner wrote:

After getting it working I have one more question. Currently I am setting the path to the CACERT file manually.

Is it possible to read the certificate from a different source, such as a database or external io stream. Having to configure a seperate file for my application is not so nice.
Would it be possible to switch certificate validation off maybe ?
Ideally I would like to be able to connect to any LDAP / LDAPS directory without having to configure files outside my application.
Thanks
Alex
Alexander Hartner wrote:
Thanks Kurt,
I have it working now. Even though the example is in ObjectiveC, it might be helpful to other.

if ([connectionDetail sslEnabled]) { NSString * url = [NSString stringWithFormat:@"ldaps://%@:% @ ",hostname,[port stringValue]]; NSLog(@"Using SSL URL : %@\n",url); ldap_initialize(&ldap,[url cString]); } else { NSString * url = [NSString stringWithFormat:@"ldap://%@:% @ ",hostname,[port stringValue]]; NSLog(@"Using URL : %@\n",url); ldap_initialize(&ldap,[url cString]); } ldap_perror(ldap, "LDAP INITIALISED"); const int ldap_version=LDAP_VERSION3; int e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version); ldap_perror(ldap, "LDAP VERSION 3 SET");

if ([connectionDetail sslEnabled]) { e = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ openldap/ cacert.pem"); ldap_perror(ldap, "SETTING CACERTIFICATE FILE"); ldap_start_tls_s(ldap, NULL, NULL); ldap_perror(ldap, "LDAP STARTING TLS"); } e = ldap_simple_bind_s(ldap, [username cString], [password cString]); ldap_perror(ldap, "LDAP BOUND"); char * errorMessage = ldap_err2string(e);
Tx
Alexander Hartner
alex@j2anywhere.com
Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
  - The Tao of Programming
On 18 Mar 2006, at 15:39, Kurt D. Zeilenga wrote:
At 01:00 AM 3/18/2006, you wrote:
Hi Kurt,
I tried to look for the man pages, but can't find them anywhere. They don't seem to be included on OS X, Gentoo or the website.
[]
I had a look at the examples (clients/tools) and I modified my code. I hope I have the sequence right ? I call the following function as follows:

1.)ldap_init 2.)ldap_set_options (Version 3,... ) I think I need to set the CACERTFILE here. But I don't know what option to set. I am also hoping for an option to accept self signed certificates without having to specify a CA. 3.)ldap_start_tls_s 4.)ldap_simple_bind_s

It doesn't work yet, because I don't know what options to set. If you have the man pages could you please email them to me. Thanks for your help
Alexander Hartner
<mailto:alex@j2anywhere.com>alex@j2anywhere.com
Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
 - The Tao of Programming
On 18 Mar 2006, at 04:46, Kurt D. Zeilenga wrote:
OpenLDAP's -lldap supports initiating TLS (SSL) using either
the standard "Start TLS" mechanism [RFC2830] or the non-standard
"ldaps:" (Secure LDAP) mechanism.  In the former case, the
program should call ldap_initialize(3) with the appropriate
ldap: URL, set version to 3, and then call ldap_start_tls_s(3).
In the latter case, ldap_initialize(3) is called with the
ldaps: URL.  In both cases, appropriate certificate information
should be provided via ldap.conf(5) facilities or via
ldap_set_option(3)).  See the client/tools for example code.
- Kurt
At 03:56 PM 3/17/2006, Alexander Hartner wrote:
I am trying to connect to my LDAP directory using libLDAP. With SSL disable the following code works, but since I switched SSL on it breaks.

ldap = ldap_init([hostname cString], [port intValue]); ldap_perror(ldap, "LDAP INITIALISED"); const int version = 3; int e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version); ldap_perror(ldap, "LDAP VERSION 3 SET");

e = ldap_simple_bind_s(ldap, [username cString], [password cString]);
      char * errorMessage = ldap_err2string(e);
      ldap_perror(ldap, "LDAP BOUND");
The error reported is :
LDAP BOUND: Can't contact LDAP server (-1)
I figure this is a problem with ldap_simpel_bind_s, but i can't find what I need to modify for SSL to work.
Thanks
Alexander Hartner
<mailto:alex@j2anywhere.com>alex@j2anywhere.com
Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
- The Tao of Programming
This is a form letter.  Due to the volume of email I receive, I
cannot personally respond to each message directed to my mailbox.
If your message concerns the use of OpenLDAP Software, I suggest
that you post your message to the most appropriate mailing list
(which is not necessarily an OpenLDAP mailing list).
        http://www.openldap.org/lists/
If your message is a general LDAP question, I suggest you use
the U-Mich LDAP mailing list <ldap@umich.edu>.
I do often answer questions that are asked in public forums.  I
do this for the benefit of the community.  As taking discussions
off list only affords the enquirer the benefit of my response,
I ask that you ask whatever follow-up questions you might have
in the public forum.
Regards, Kurt

References:
- SSL connection using libLDAP
  - From: Alexander Hartner <alex@j2anywhere.com>
- Re: SSL connection using libLDAP
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: SSL connection using libLDAP [RESOLVED]
  - From: Alexander Hartner <alex@j2anywhere.com>
- Re: SSL connection using libLDAP [More Questions]
  - From: "Alexander F. Hartner" <alex@j2anywhere.com>

Prev by Date: Re: problem with smbk5pwd
Next by Date: Re: Password encryption (crypt) incompatibility
Index(es):
- Chronological
- Thread