
Re: Client App and STARTLS auth



Hello Rich,

Responses inline.

On 06/13/2011 10:30 AM, Rich Megginson wrote:
[...]
LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -H ldap://yourhost:yourport -s base -b "" > output.log 2>&1

I executed the command, and it worked. I attach the output. Any help on
how I can duplicate this behavior in my application?

More specifically, when shall I set the option:

  int opt_val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val)

Possibilities:
- At startup with ld == NULL ?
- Right after ldap_initialize(&ld, url) - i.e. before ldap_start_tls() ?
- Elsewhere ?

Last but not least: shall I use ALLOW, TRY, or NEVER as the option for REQUIRE_CERT?

Cheers,
Max


--

http://member.acm.org/~openca/

Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly

ldap_url_parse_ext(ldap://ldap.xxxxxxxxxxx:389)
ldap_create
ldap_url_parse_ext(ldap://ldap.xxxxxxxxxxx:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.xxxxxxxxxx:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:4830:1600:2f4::2 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 24.0.161.170:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x19ab320 msgid 1
wait4msg ld 0x19ab320 msgid 1 (infinite timeout)
wait4msg continue ld 0x19ab320 msgid 1 all 1
** ld 0x19ab320 Connections:
* host: ldap.xxxxxxxxxx  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 13 10:43:00 2011


** ld 0x19ab320 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x19ab320 request count 1 (abandoned 0)
** ld 0x19ab320 Response Queue:
   Empty
  ld 0x19ab320 response count 0
ldap_chkResponseList ld 0x19ab320 msgid 1 all 1
ldap_chkResponseList returns ld 0x19ab320 NULL
ldap_int_select
read1msg: ld 0x19ab320 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x19ab320 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x19ab320 0 new referrals
read1msg:  mark request completed, ld 0x19ab320 msgid 1
request done: ld 0x19ab320 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS certificate verification: Error, -8172: Unknown code ___f 20
TLS certificate verification: subject: E=dnsrecords@xxxxxxxxxx,CN=ldap.xxxxxxxxxx,OU=StartSSL Web-of-Trust Community Validated,O=xxxxxxxxxxxx,L=xxxxxxxxx,C=US,OID.2.5.4.13=345282-g7tntpk45jT3a1Kc, issuer: CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL, cipher: RC4, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x19ab320 msgid 2
wait4msg ld 0x19ab320 msgid 2 (infinite timeout)
wait4msg continue ld 0x19ab320 msgid 2 all 1
** ld 0x19ab320 Connections:
* host: ldap.xxxxxxxxxx  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 13 10:43:00 2011


** ld 0x19ab320 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x19ab320 request count 1 (abandoned 0)
** ld 0x19ab320 Response Queue:
   Empty
  ld 0x19ab320 response count 0
ldap_chkResponseList ld 0x19ab320 msgid 2 all 1
ldap_chkResponseList returns ld 0x19ab320 NULL
ldap_int_select
read1msg: ld 0x19ab320 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x19ab320 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x19ab320 0 new referrals
read1msg:  mark request completed, ld 0x19ab320 msgid 2
request done: ld 0x19ab320 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x19ab320 msgid -1
wait4msg ld 0x19ab320 msgid -1 (infinite timeout)
wait4msg continue ld 0x19ab320 msgid -1 all 0
** ld 0x19ab320 Connections:
* host: ldap.xxxxxxxxxx  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 13 10:43:00 2011


** ld 0x19ab320 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x19ab320 request count 1 (abandoned 0)
** ld 0x19ab320 Response Queue:
   Empty
  ld 0x19ab320 response count 0
ldap_chkResponseList ld 0x19ab320 msgid -1 all 0
ldap_chkResponseList returns ld 0x19ab320 NULL
ldap_int_select
read1msg: ld 0x19ab320 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x19ab320 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x19ab320 msgid -1
wait4msg ld 0x19ab320 msgid -1 (infinite timeout)
wait4msg continue ld 0x19ab320 msgid -1 all 0
** ld 0x19ab320 Connections:
* host: ldap.xxxxxxxxxx  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 13 10:43:00 2011


** ld 0x19ab320 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x19ab320 request count 1 (abandoned 0)
** ld 0x19ab320 Response Queue:
   Empty
  ld 0x19ab320 response count 0
ldap_chkResponseList ld 0x19ab320 msgid -1 all 0
ldap_chkResponseList returns ld 0x19ab320 NULL
ldap_int_select
read1msg: ld 0x19ab320 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x19ab320 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x19ab320 0 new referrals
read1msg:  mark request completed, ld 0x19ab320 msgid 3
request done: ld 0x19ab320 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
