Howard,
I use OpenSuse 10.2 with libldap-2.3.so.0.2.15 and if I have an empty ~/.ldaprc file ldap_start_tls_s comes back with error -11 Connect error:

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg: mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error while setting start_tls for ldap server: Connect error(-11)
ldap_free_connection 1 1
ldap_send_unbind

When I add tls_reqcert allow to ~/.ldaprc I get:

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg: mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389

So, this setting definitely does something!!

Regards
Markus

----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
Newsgroups: gmane.network.openldap.general
To: "Markus Moeller" <huaraz@moeller.plus.com>
Cc: <openldap-software@openldap.org>
Sent: Tuesday, June 19, 2007 12:33 AM
Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL


> Markus Moeller wrote:
>> But it is allowed to be set in ldap.conf,
>
> That doesn't necessarily mean anything. Lots of things can be set in
> ldap.conf that don't mean anything at all, since the parser ignores any
> keywords it doesn't recognize.
>
> What evidence do you have that this particular setting actually does
> anything? A quick scan of the source code proves that it actually does
> nothing.
>
>> so why can't or shouldn't I be able to set it in my client without the
>> pain of checking all the different config files ldap.conf, .ldaprc,
>> ldaprc ... I'd like to be able to control my client options without the
>> use of config files.
>
> Go ahead and do that then. But don't waste time with options that don't
> actually have any meaning.
>>
>> Regards
>> Markus
>>
>> ----- Original Message -----
>> From: "Howard Chu" <hyc@symas.com>
>> To: "Markus Moeller" <huaraz@moeller.plus.com>
>> Cc: <openldap-software@openldap.org>
>> Sent: Tuesday, June 19, 2007 12:01 AM
>> Subject: Re: Question about ldap_init, ldap_initialize, start_tls,
>> LDAP_OPT_X_TLS_ALLOW and TLS/SSL
>>
>>
>>> Markus Moeller wrote:
>>>> Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW
>>>> in a client program with ldap_start_tls_s ?
>>>> Is it a bug if it doesn't work ?
>>> The LDAP_OPT_X_TLS option is incompatible with ldap_start_tls. You
>>> cannot use both together. In general, the LDAP_OPT_X_TLS option is
>>> deprecated and should not be used at all.
>
> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP     http://www.openldap.org/project/