
Re: OpenLDAP issues when connecting over SSL



On Monday 22 January 2007 11:17, S Kalyanasundaram wrote:
> Hi,
>   I am trying to do authentication with openldap using TLS. The following
> program works fine if the ldap_port is 389. But if I mention 636 it gives
> me the error "can't contact the ldap server". I use slapd 2.3.19 and SLES.
> Does the openldap by default listen on 636?
No. You need to tell it what interfaces/ports it should listen on. (Hint: 
the -h option of the slapd binary, see the slapd(8) man-page for details.)
Note: On SUSE you can also set OPENLDAP_START_LDAPS="yes" in the 
file /etc/sysconfig/openldap, then the init-script will start the server so 
that it listens for ldaps connections on port 636.
For ldaps to work you need, of course, a server certificate in place and 
configured. For details on how to do that you might want to look here:
http://www.openldap.org/doc/admin23/tls.html
and here:
http://www.openldap.org/faq/data/cache/185.html

> or must I pass the certificate? (If that is the case, can you please
> point out some link.) What am I missing here? Anybody please help me on
> this.
>
> thanks for your all help.
>
>
> #include <ldap.h>
> #include <stdio.h>
>
> int main() {
>   static LDAP * ld = NULL;
>   static char ldap_server[30] = "My.Ip.Add.ress",
>     ldap_username[30] = "cn=admin,o=domain",
>     ldap_password[30] = "pwd",
>     ldap_base_dn[30] = "o=domain";
>   static int ldap_port = 636;
>   int version,ret;
>
>   LDAPMessage * ldres, * hostres, * ent, * hostent;
>   char hfilter[100] = "(&(objectClass=User)(cn=kalyan))";
>   char * hostdn;
>
>
>   if ((ld = ldap_init (ldap_server, ldap_port)) == NULL)
>     {
>       fprintf (stderr,"Error:Cannot init ldap session to %s\n",
> ldap_server); return -1;
>     }
>   version = LDAP_VERSION3;
>   if ((ret = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)) !=
> LDAP_OPT_SUCCESS) {
>       fprintf(stderr,"Cannot set LDAP version to %d: %s", version,
>                  ldap_err2string (ret));
>     }
>
>   /* assignment, not comparison: the original "ret ==" never stored the result */
>   if((ret = ldap_start_tls_s(ld,NULL,NULL)) != LDAP_SUCCESS) {

Note, you are trying to connect to port 636, which is normally used for ldaps 
connections. If your server is configured to listen for ldaps on port 636, 
then you should not call ldap_start_tls_s() for that connection, as an SSL/TLS 
session is already established before the START_TLS operation is processed.

>     fprintf(stderr, "Cannot start TLS, err value is %s\n", ldap_err2string(ret));
>     return 1;
>   }
>
>   if(( ret = ldap_simple_bind_s(ld, ldap_username, ldap_password)) != LDAP_SUCCESS) {
>     fprintf(stderr, "ERROR can't login to ldap server %s", ldap_err2string(ret));
>     return -1;
>   }
>
>   if((ret = ldap_search_s(ld, ldap_base_dn,
> LDAP_SCOPE_SUBTREE,hfilter,NULL,0,&hostres)) != LDAP_SUCCESS) {
>       fprintf(stderr,"Cannot find entry");
>       return -1;
>     }
>
>   if((hostent = ldap_first_entry(ld, hostres))== NULL) {
>     fprintf(stderr, "No matchinh entry found");
>     return -1;
>   }
>
>   hostdn = ldap_get_dn(ld,hostent);
>   printf("\n Result is out successfully:%s\n",hostdn);
>   ldap_memfree(hostdn);      /* ldap_get_dn() returns allocated memory */
>   ldap_msgfree(hostres);
>   ldap_unbind_s(ld);
>   return 1;
> }
>
>
> -Kalyan

-- 
regards,
	Ralf Haferkamp

SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg