-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've written the following example code to demonstrate a difficulty I am
having in coding LDAP connections over SSL:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ldap.h>
#include <lber.h>
int main() {
LDAP *ld;
int ret;
int version = 3;
char *ldaphost;
char *binddn;
char *bindpass;
ldaphost="ldap0.our.domain";
binddn="uid=anon,ou=People,dc=our,dc=domain";
bindpass="mypassword";
/* --------------------------------------------------------------------- */
/* Variant #1 - using LDAP unencrypted on port 389 */
if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret));
/* Returns 'Success', so far so good */
ldap_unbind(ld);
// tcpdump of above shows DN and password in the clear, as expected
/* -------------------------------------------------------------------- */
/* Variant #2 - using LDAP over TLS on port 389 */
if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_start_tls_s(ld, NULL, NULL);
if (ret != LDAP_SUCCESS) {
printf("ldap_start_tls() %s",ldap_err2string(ret));
}
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret));
/* Returns 'Success', so far so good */
ldap_unbind(ld);
// tcpdump of above shows presumably-encrypted traffic on port 389
/* ------------------------------------------------------------------ */
/* Variant #3 - using LDAP over SSL, port 636 */
if ((ld = ldap_init(ldaphost, LDAPS_PORT)) == NULL) {
perror("ldap_init"); /* no error here */
return(1);
}
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret));
/* **** ERROR: Returns "Can't contact LDAP server" **** */
// tcpdump of above shows absolutely *no* traffic on port 636 *at* *all*
/* --------------------------------------------------------------- */
/* ldapsearch -D "uid=anon,ou=People,dc=our,dc=domain" -H
* ldaps://ldap0.our.domain -W -x
*
* from the same system works absolutely fine */
/* --------------------------------------------------------------- */
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
What am I missing? The ldaps connection does not even seem to connect
at all - there's no traffic visible on a tcpdump whatsoever.
All help much appreciated,
Thanks,
Dave.
- --
Dave Ewart
davee@our.domain
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.our.domain/~davee/davee-our.domain.asc
N 51.7518, W 1.2016
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFE/9AqbpQs/WlN43ARAvQwAKCx+RP7v8l1B8baLVNzXm7hBPbHsQCgxBYQ
Bf//hDqEz3W90AYxWBnaiKc=
=EMAp
-----END PGP SIGNATURE-----