Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW in a client program with ldap_start_tls_s?
Is it a bug if it doesn't work?
Thank you
Markus
----- Original Message -----
Sent: Friday, June 08, 2007 11:00 PM
Subject: [-SPAM-] Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
I am new to OpenLDAP and TLS/SSL. I have two small test programs (see details below). The first uses ldap_init, the second ldap_initialize. My observation is:
1) Using ldap_init, ldap_start_tls_s and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf): it does not connect on port 389 nor 636.
2) Using ldap_init, ldap_start_tls_s and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALL in ldaprc): it does not connect on port 636 but it does on port 389.
3) Using ldap_initialize and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf): it does not connect on port 389 nor 636.
4) Using ldap_initialize and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALL in ldaprc): it does not connect on port 389 but it does on port 636.
My first question is why does
    val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
not work?
Secondly, why does ldap_init behave differently from ldap_initialize?
Thirdly, what do I need to do to be able to use TLS/SSL on either port 389 or 636?
Thank you
Markus
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    /* enable full libldap debug output (LDAP_DEBUG_ANY) */
    ldap_debug = -1;
    (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);

    /* split scheme://host[:port] by hand; ldap_init() has no URI parsing */
    if (strstr(argv[1], "://")) {
        hostname = strstr(argv[1], "://") + 3;
        ssl = strstr(argv[1], "ldaps://");
        host = strdup(hostname);
        port = 389;
        if ((p = strchr(host, ':'))) {
            *p = '\0';
            p++;
            port = atoi(p);
        }
    }
    ld = (LDAP *) ldap_init(host, port);
    val = LDAP_VERSION3;
    (void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
    (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
    /* StartTLS is issued first; LDAP_OPT_X_TLS is only set afterwards */
    ldap_start_tls_s(ld, NULL, NULL);
    val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
    . . .
./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:02:11 2007

** ld 8065c90 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
ber_get_next failed.
ldap_err2string
ldap_test Error while setting start_tls for ldap server: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:00:34 2007

** ld 8065c90 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg:  mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
With ~/.ldaprc:
TLS_REQCERT ALLOW

./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:04:26 2007

** ld 8065c90 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg:  mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 8065c90 msgid 2
ldap_chkResponseList ld 8065c90 msgid 2 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 2 (infinite timeout)
wait4msg continue ld 8065c90 msgid 2 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:04:26 2007

** ld 8065c90 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    /* enable full libldap debug output (LDAP_DEBUG_ANY) */
    ldap_debug = -1;
    (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);

    /* ldap_initialize() parses the URI itself and expects LDAP ** (the address of the handle) */
    ldap_initialize(ld, argv[1]);
    val = LDAP_VERSION3;
    (void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
    (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
    /* no ldap_start_tls_s() here: the ldaps:// scheme in the URI drives TLS */
    val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
    . . .
./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Can't contact LDAP server

./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:389)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_err2string
Can't contact LDAP server

With ~/.ldaprc:
TLS_REQCERT ALLOW

./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c58 msgid 1
ldap_chkResponseList ld 8065c58 msgid 1 all 1
ldap_chkResponseList returns ld 8065c58 NULL
wait4msg ld 8065c58 msgid 1 (infinite timeout)
wait4msg continue ld 8065c58 msgid 1 all 1
** ld 8065c58 Connections:
* host: w2k3.windows2003.home  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 22:55:02 2007

** ld 8065c58 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c58 Response Queue:
   Empty
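To triage traces like the ones above, here is an added example (not from the original post and not OpenLDAP code) that reads a libldap debug trace, extracts the OpenSSL verify error codes from the "TLS certificate verification" lines, and reports whether the client refused the untrusted certificate, tolerated it and carried on (what TLS_REQCERT ALLOW does, which is why the fix is to install the issuing CA rather than lower the setting), or never saw a certificate because the peer on that port was not speaking TLS. The embedded traces are constructed excerpts condensed from the three outcomes shown above.

```python
import re

# OpenSSL X.509 verify error codes as printed by libldap's
# "TLS certificate verification: depth: N, err: M" trace line.
# Only the three codes that occur in the traces above are mapped.
VERIFY_ERRORS = {
    20: "unable to get local issuer certificate",  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "unable to verify the first certificate",  # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    27: "certificate not trusted",                 # X509_V_ERR_CERT_UNTRUSTED
}
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err:\s*(\d+)")


def classify_trace(trace):
    """Summarise one 'ldap_debug = -1' trace: the non-zero verify errors seen and
    whether the client refused, tolerated, or never reached certificate checking."""
    # A verified chain is logged with err: 0 per certificate, so drop those entries.
    errors = [(int(d), int(e), VERIFY_ERRORS.get(int(e), "other"))
              for d, e in VERIFY_RE.findall(trace) if int(e) != 0]
    handshake_done = "SSL_connect:SSLv3 read finished A" in trace
    if errors and "alert write:fatal:unknown CA" in trace and not handshake_done:
        verdict = "refused"    # untrusted chain, handshake aborted (TLS_REQCERT demand)
    elif errors and handshake_done:
        verdict = "tolerated"  # untrusted chain but the session went on (TLS_REQCERT allow)
    elif not errors and "TLS: can't connect" in trace:
        verdict = "no-tls"     # failed before any certificate arrived: peer not speaking TLS
    elif not errors and handshake_done:
        verdict = "verified"
    else:
        verdict = "unknown"
    return verdict, errors


# Constructed excerpts condensed from the three outcomes in the traces above.
TRACE_DEMAND = ("TLS trace: SSL_connect:SSLv3 read server hello A "
                "TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home "
                "TLS trace: SSL3 alert write:fatal:unknown CA TLS: can't connect.")
TRACE_ALLOW = ("TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home "
               "TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home "
               "TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home "
               "TLS trace: SSL_connect:SSLv3 read finished A "
               "TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate.")
TRACE_PLAIN = "TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS: can't connect."

if __name__ == "__main__":
    for name, t in (("demand", TRACE_DEMAND), ("allow", TRACE_ALLOW), ("ldaps-on-389", TRACE_PLAIN)):
        print(name, classify_trace(t))
```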