[Date Prev][Date Next] [Chronological] [Thread] [Top]

How to force SSL (not STARTTLS) using environment variables in OpenLDAP 2.3.x



Hi!

I'm wondering how one can force the usage of SSL (not STARTTLS) through environment variables for OpenLDAP 2.3.x?

This is for a client application (FTP daemon run on a per-connection basis) which does not accept LDAP URIs in its configuration, and an LDAP server which does not support STARTTLS.


In 2.1.x, one could set LDAPTLS and LDAPTLS_CACERT to get this working. An example using ldapsearch:


---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools# LDAPTLS=hard LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ldapsearch -h ldapauth1.uu.se -p 636 -s sub -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d 10 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
request 1 done
filter: uid=bwiberg_hotel
requesting: sn
version: 1


dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
request 2 done
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
--->8---

...and if one did not set either one of those, one got:

---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ldapsearch -h ldapauth1.uu.se -p 636 -s sub -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d 10 -L -L uid=bwiberg_hotel sn ldap_init( ldapauth1.uu.se, 636 )
ldap_bind: Local error (82)


root@spinus:/usr/local/src/openldap-2.1.29/clients/tools# LDAPTLS=hard ldapsearch -h ldapauth1.uu.se -p 636 -s sub -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d 10 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect.
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--->8---



However, OpenLDAP 2.3.32 does not recognize LDAPTLS=hard any longer:

---8<---
root@spinus:/usr/local/src/openldap-2.3.32/clients/tools# LDAPTLS=hard LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -h ldapauth1.uu.se -p 636 -s sub -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d 10 -L -L uid=bwiberg_hotel sn
ldap_initialize( ldap://ldapauth1.uu.se:636 )
(hexdump cut out)
ldap_read: want=8, got=5
0000: 80 03 00 00 01 .....
ldap_result: Local error (-2)
--->8---


Setting LDAPTLS_REQCERT=hard + LDAPTLS_CACERT, or even LDAPTLS=hard + LDAPTLS_REQCERT=hard + LDAPTLS_CACERT, gives the same error. That is, LDAPTLS_REQCERT=hard does not force SSL as LDAPTLS=hard once did.

Setting LDAPURI="ldaps://ldapauth1.uu.se:636/", not specifying a host name and port number (-h, -p), and optionally skipping LDAPTLS or LDAPTLS_REQCERT, works:

---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub
-b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x
-v -d 20 -L -L uid=bwiberg_hotel sn
ldap_initialize( <DEFAULT> )
request 1 done
filter: uid=bwiberg_hotel
requesting: sn
version: 1

dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
request 2 done

root@spinus:/usr/local/src/openldap-2.3.32/clients/tools# LDAPURI="ldaps://ldapauth1.uu.se:636/" LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -L -L uid=bwiberg_hotel sn
ldap_initialize( <DEFAULT> )
filter: uid=bwiberg_hotel
requesting: sn
version: 1


dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
--->8---

...but as soon as one adds -h and -p, ldapsearch and/or libldap ignores LDAPURI and tries ldap:// instead of ldaps://. This is true both for 2.1.29 and 2.3.32:

---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -h
ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v
-d 20 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
ldap_bind: Local error (82)

root@spinus:/usr/local/src/openldap-2.3.32/clients/tools# LDAPURI="ldaps://ldapauth1.uu.se:636/" LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub -h ldapauth1.uu.se -p 636 -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -L -L uid=bwiberg_hotel sn
ldap_initialize( ldap://ldapauth1.uu.se:636 )
ldap_result: Local error (-2)
--->8---


...so "overriding" the specified hostname and port with a URI through environment variables seems impossible.


Could anyone give some piece of advice on how to force SSL as in the older versions, i.e. without LDAPURI or its -H ldapsearch counterpart?


As, sadly, my client application will always suggest a hostname and port number to connect to, in its calls to libldap, and does not have the ability to accept LDAP URIs in its configuration. The earlier environment variable solution was an easy work-around, and I would have hoped that this possibility would stay in future (> 2.1) versions...

Many thanks in advance!

Best regards,
Björn Wiberg
Uppsala University
IT Support Department