[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP/TLS/389 works, LDAP/SSL/636 does not...



Hi Dave


My example:

int ldap_conn(LDAP *conn,char *h,int p,char *dn, char *pwd, int ssl, char *cafile)
{
int rc=0;
char* ldapuri=NULL;
int protocol=3;
LDAPURLDesc url;
memset( &url, 0, sizeof(url));
if (use_ssl) {
url.lud_scheme = "ldaps";
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, cafile);
if ( rc != LDAP_OPT_SUCCESS ) {
/* Output error */
conn = NULL;
return 0;
}
} else {
url.lud_scheme = "ldap";
}
url.lud_host = h;
url.lud_port = p;
url.lud_scope = LDAP_SCOPE_DEFAULT;
ldapuri = ldap_url_desc2str( &url );
rc = ldap_initialize( &conn, ldapuri );
if( rc != LDAP_SUCCESS ) {
conn = NULL;
/* Output error */
return 0;
}
rc = ldap_simple_bind_s(conn,bind_dn,password);
if (rc != LDAP_SUCCESS) {
/* Output error */
conn = NULL;
return 0;
}
return 1;
}


As on the command line, you need to go by ldaps://url stuff in order to do SSL. Then, it works without problems.


Dave Ewart wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've written the following example code to demonstrate a difficulty I am
having in coding LDAP connections over SSL:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ldap.h>
#include <lber.h>

int main() {
    LDAP *ld;
    int ret;
    int version = 3;
    char *ldaphost;
    char *binddn;
    char *bindpass;

    ldaphost="ldap0.our.domain";
    binddn="uid=anon,ou=People,dc=our,dc=domain";
    bindpass="mypassword";

    /* --------------------------------------------------------------------- */
    /* Variant #1 - using LDAP unencrypted on port 389 */

if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* Returns 'Success', so far so good */


ldap_unbind(ld);
// tcpdump of above shows DN and password in the clear, as expected
/* -------------------------------------------------------------------- */
/* Variant #2 - using LDAP over TLS on port 389 */


if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_start_tls_s(ld, NULL, NULL);
if (ret != LDAP_SUCCESS) {
printf("ldap_start_tls() %s",ldap_err2string(ret));
}
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* Returns 'Success', so far so good */


    ldap_unbind(ld);

// tcpdump of above shows presumably-encrypted traffic on port 389
/* ------------------------------------------------------------------ */
/* Variant #3 - using LDAP over SSL, port 636 */


if ((ld = ldap_init(ldaphost, LDAPS_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* **** ERROR: Returns "Can't contact LDAP server" **** */


    // tcpdump of above shows absolutely *no* traffic on port 636 *at* *all*

/* --------------------------------------------------------------- */
/* ldapsearch -D "uid=anon,ou=People,dc=our,dc=domain" -H
* ldaps://ldap0.our.domain -W -x *
* from the same system works absolutely fine */
/* --------------------------------------------------------------- */
}


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

What am I missing?  The ldaps connection does not even seem to connect
at all - there's no traffic visible on a tcpdump whatsoever.

All help much appreciated,

Thanks,

Dave.

- -- Dave Ewart
davee@our.domain
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.our.domain/~davee/davee-our.domain.asc
N 51.7518, W 1.2016
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)


iD8DBQFE/9AqbpQs/WlN43ARAvQwAKCx+RP7v8l1B8baLVNzXm7hBPbHsQCgxBYQ
Bf//hDqEz3W90AYxWBnaiKc=
=EMAp
-----END PGP SIGNATURE-----