[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP client test program connecting to LDAP server over SSL failed



On 09/01/2011 04:25 PM, daisy.wu@emc.com wrote:

Thank you so much, Rich, for your help.

 

Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb?

certutil -d /path/to/ldap_certdb -L # list the certs
certutil -d /path/to/ldap_certdb -L -n "name of CA" -a > cacert.pem # extract named CA cert to pem file

Via OpenLDAP client, I’ve been able to connect to Microsoft Active Directory Server over SSL by setting this the CACERTFILE option, like this:

 

ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, cert_file); ß this works

 

However, I am still NOT able to accomplish the same by setting the CACERTDIR option

 

ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, cert_dir); ß this does NOT work

 

When option LDAP_OPT_X_TLS_CACERTDIR is used, I am getting this error:

 

slapd-search PID=7083: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

I am just wondering if OpenSSL looks for specific file names (or specific patterns of file names) under the cert_dir?

Yes.  See man openssl - also see if you have the c_hash or c_rehash command.

 

Here’s my test using openssl from command line to test SSL connectivity to Microsoft Active Directory Server over SSL.

 

Please note the highlighted texts.  This test was run on a Linux machine.

 

Note that if I specify -CAfile option, the connection was successful.

 

But if I use -CApath option, the connection would fail with error “Verify return code: 21 (unable to verify the first certificate)”.

 

Any input/feedback would be much appreciated.

 

Thanks.

 

Daisy

 

 

% pwd

/home/dmadmin/ldap_certdb

%

% ls -altr

total 12

drwx------  28 dmadmin dmadmin 4096 Sep  1 13:41 ../

-rw-r--r--   1 dmadmin dmadmin 1692 Sep  1 14:56 adrootca.pem

drwxr-xr-x   2 dmadmin dmadmin 4096 Sep  1 14:56 ./

%

 

################################################################

# asn1parse is to verify that openssl can parse the PEM file

################################################################

 

% openssl asn1parse -inform PEM -in ./adrootca.pem

    0:d=0  hl=4 l=1204 cons: SEQUENCE         

    4:d=1  hl=4 l= 924 cons: SEQUENCE          

    8:d=2  hl=2 l=   3 cons: cont [ 0 ]       

   10:d=3  hl=2 l=   1 prim: INTEGER           :02

   13:d=2  hl=2 l=  16 prim: INTEGER           :61DA1E03CCBF4A954385F1079D134B5E

   31:d=2  hl=2 l=  13 cons: SEQUENCE         

   33:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption

   44:d=3  hl=2 l=   0 prim: NULL             

   46:d=2  hl=2 l=  93 cons: SEQUENCE         

   48:d=3  hl=2 l=  19 cons: SET              

   50:d=4  hl=2 l=  17 cons: SEQUENCE          

   52:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

   64:d=5  hl=2 l=   3 prim: IA5STRING         :com

   69:d=3  hl=2 l=  24 cons: SET              

   71:d=4  hl=2 l=  22 cons: SEQUENCE         

   73:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

   85:d=5  hl=2 l=   8 prim: IA5STRING         :dctmlabs

   95:d=3  hl=2 l=  25 cons: SET              

   97:d=4  hl=2 l=  23 cons: SEQUENCE         

   99:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

  111:d=5  hl=2 l=   9 prim: IA5STRING         :adldap112

  122:d=3  hl=2 l=  17 cons: SET              

  124:d=4  hl=2 l=  15 cons: SEQUENCE         

  126:d=5  hl=2 l=   3 prim: OBJECT            :commonName

  131:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :adrootca

  141:d=2  hl=2 l=  30 cons: SEQUENCE         

  143:d=3  hl=2 l=  13 prim: UTCTIME           :100914235940Z

  158:d=3  hl=2 l=  13 prim: UTCTIME           :150915000848Z

  173:d=2  hl=2 l=  93 cons: SEQUENCE         

  175:d=3  hl=2 l=  19 cons: SET               

  177:d=4  hl=2 l=  17 cons: SEQUENCE         

  179:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

  191:d=5  hl=2 l=   3 prim: IA5STRING         :com

  196:d=3  hl=2 l=  24 cons: SET              

  198:d=4  hl=2 l=  22 cons: SEQUENCE         

  200:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

  212:d=5  hl=2 l=   8 prim: IA5STRING         :dctmlabs

  222:d=3  hl=2 l=  25 cons: SET              

  224:d=4  hl=2 l=  23 cons: SEQUENCE          

  226:d=5  hl=2 l=  10 prim: OBJECT            :domainComponent

  238:d=5  hl=2 l=   9 prim: IA5STRING         :adldap112

  249:d=3  hl=2 l=  17 cons: SET              

  251:d=4  hl=2 l=  15 cons: SEQUENCE         

  253:d=5  hl=2 l=   3 prim: OBJECT            :commonName

  258:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :adrootca

  268:d=2  hl=4 l= 290 cons: SEQUENCE         

  272:d=3  hl=2 l=  13 cons: SEQUENCE         

  274:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption

  285:d=4  hl=2 l=   0 prim: NULL             

  287:d=3  hl=4 l= 271 prim: BIT STRING       

  562:d=2  hl=4 l= 366 cons: cont [ 3 ]       

  566:d=3  hl=4 l= 362 cons: SEQUENCE         

  570:d=4  hl=2 l=  11 cons: SEQUENCE         

  572:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage

  577:d=5  hl=2 l=   4 prim: OCTET STRING     

  583:d=4  hl=2 l=  15 cons: SEQUENCE         

  585:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints

  590:d=5  hl=2 l=   1 prim: BOOLEAN           :255

  593:d=5  hl=2 l=   5 prim: OCTET STRING     

  600:d=4  hl=2 l=  29 cons: SEQUENCE         

  602:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier

  607:d=5  hl=2 l=  22 prim: OCTET STRING     

  631:d=4  hl=4 l= 279 cons: SEQUENCE         

  635:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points

  640:d=5  hl=4 l= 270 prim: OCTET STRING     

  914:d=4  hl=2 l=  16 cons: SEQUENCE         

  916:d=5  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.311.21.1

  927:d=5  hl=2 l=   3 prim: OCTET STRING     

  932:d=1  hl=2 l=  13 cons: SEQUENCE         

  934:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption

  945:d=2  hl=2 l=   0 prim: NULL             

  947:d=1  hl=4 l= 257 prim: BIT STRING       

%

% pwd

/home/dmadmin/ldap_certdb

%

% ls -altr

total 12

drwx------  28 dmadmin dmadmin 4096 Sep  1 13:41 ../

-rw-r--r--   1 dmadmin dmadmin 1692 Sep  1 14:56 adrootca.pem

drwxr-xr-x   2 dmadmin dmadmin 4096 Sep  1 14:56 ./

%

 

################################################################

# this is to show that we can connect to MS AD over SSL using

# -CAfile option

################################################################

 

% openssl s_client -CAfile /home/dmadmin/ldap_certdb/adrootca.pem -connect ldap112.adldap112.dctmlabs.com:636

CONNECTED(00000003)

depth=1 /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

verify return:1

depth=0 /CN=Ldap112.adldap112.dctmlabs.com

verify return:1

---

Certificate chain

0 s:/CN=Ldap112.adldap112.dctmlabs.com

   i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIGDjCCBPagAwIBAgIKYQK0zwAAAAAAAjANBgkqhkiG9w0BAQUFADBdMRMwEQYK

CZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIZGN0bWxhYnMxGTAXBgoJ

kiaJk/IsZAEZFglhZGxkYXAxMTIxETAPBgNVBAMTCGFkcm9vdGNhMB4XDTEwMDkx

NTAwMDYxM1oXDTExMDkxNTAwMDYxM1owKTEnMCUGA1UEAxMeTGRhcDExMi5hZGxk

YXAxMTIuZGN0bWxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP

Cegjeu/QvyTVawtFHKG28fLIKCBIK3dDWvhu+FqWRfR3L501iveTvfwT4AlR81QN

PImgg3btl5Z0LmN5Z/sccsQAPNEcgDNNP3Zv5G6AXx4Gpo7xhtr8YnYDoPGAzBGm

vXlb1TEA8fdrNwqY6Mf5PxwKKDc80Y3EFQaefUhnpwIDAQABo4IDhjCCA4IwCwYD

VR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqG

SIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUR2vcMrg6

VIc9GWdVhcJQ6RMK6z8wLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8A

bgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFAjwh8G60+A+gE5OmKRW48UVixJT

MIIBFwYDVR0fBIIBDjCCAQowggEGoIIBAqCB/4aBvWxkYXA6Ly8vQ049YWRyb290

Y2EsQ049TGRhcDExMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs

Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0

bWxhYnMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl

Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY9aHR0cDovL2xkYXAxMTIuYWRs

ZGFwMTEyLmRjdG1sYWJzLmNvbS9DZXJ0RW5yb2xsL2Fkcm9vdGNhLmNybDCCATQG

CCsGAQUFBwEBBIIBJjCCASIwgbUGCCsGAQUFBzAChoGobGRhcDovLy9DTj1hZHJv

b3RjYSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj

ZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0bWxhYnMsREM9

Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9u

QXV0aG9yaXR5MGgGCCsGAQUFBzAChlxodHRwOi8vbGRhcDExMi5hZGxkYXAxMTIu

ZGN0bWxhYnMuY29tL0NlcnRFbnJvbGwvTGRhcDExMi5hZGxkYXAxMTIuZGN0bWxh

YnMuY29tX2Fkcm9vdGNhLmNydDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH

AwEwSgYDVR0RBEMwQaAfBgkrBgEEAYI3GQGgEgQQIKbIE/h5Z0O8me1tD3x+PYIe

TGRhcDExMi5hZGxkYXAxMTIuZGN0bWxhYnMuY29tMA0GCSqGSIb3DQEBBQUAA4IB

AQA5oCkrV1fXoH+4yuWnifXnsOKVx8hKKBmzG6CJN4xld06HoyYgYvN9xLtJ1k44

3QSddouNNmvh3ciC2nwjpBQMG3L1kWhyFvgNqmF3nYxZT7HVM8/6ZramuPEd+rP/

YiQdK9udHbshQ1H6Q0I4LvXOJ4RutWALmDP0SZVJNhZrMRx01beTC1lvL7ZeTxlj

VqEl1eGKUbdvYSO2AdRFrDa8wbPxvyLQimoEzpkOQ8K4oQmw4RPOESExZFlZMcrA

eTahGzk0nV4q6faqqHF+0zkNUGR3F2QUmP6sngRT24cA4JMGNd9ElpvP6R/dPP/X

X30TPzHjRFWW7H6QlMzHCaGw

-----END CERTIFICATE-----

subject=/CN=Ldap112.adldap112.dctmlabs.com

issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

---

Acceptable client certificate CA names

/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com

/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com

/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado /C=US/O=GTE Corporation/CN=GTE CyberTrust Root /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority

---

SSL handshake has read 4876 bytes and written 336 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: 241B0000644FB22AA0610F736E0E6F004526943A9F0935F16BDBC9FBB1F07113

    Session-ID-ctx:

    Master-Key: 8179FE65F974D286ED8550213CD8F2ED382CC62BBC03C1C50173E78CC6A6C322273882477FAE62546BC3145978C1F4DD

    Key-Arg   : None

    Krb5 Principal: None

    Start Time: 1314914412

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

 

read:errno=0

%

% pwd

/home/dmadmin/ldap_certdb

%

% ls -altr

total 12

drwx------  28 dmadmin dmadmin 4096 Sep  1 13:41 ../

-rw-r--r--   1 dmadmin dmadmin 1692 Sep  1 14:56 adrootca.pem

drwxr-xr-x   2 dmadmin dmadmin 4096 Sep  1 14:56 ./

%

 

################################################################

# however, using –CApath option to connect to MS AD over SSL would

# result in failure

################################################################

 

% openssl s_client -CApath /home/dmadmin/ldap_certdb -connect ldap112.adldap112.dctmlabs.com:636

CONNECTED(00000003)

depth=0 /CN=Ldap112.adldap112.dctmlabs.com

verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=Ldap112.adldap112.dctmlabs.com

verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=Ldap112.adldap112.dctmlabs.com

verify error:num=21:unable to verify the first certificate verify return:1

---

Certificate chain

0 s:/CN=Ldap112.adldap112.dctmlabs.com

   i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIGDjCCBPagAwIBAgIKYQK0zwAAAAAAAjANBgkqhkiG9w0BAQUFADBdMRMwEQYK

CZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIZGN0bWxhYnMxGTAXBgoJ

kiaJk/IsZAEZFglhZGxkYXAxMTIxETAPBgNVBAMTCGFkcm9vdGNhMB4XDTEwMDkx

NTAwMDYxM1oXDTExMDkxNTAwMDYxM1owKTEnMCUGA1UEAxMeTGRhcDExMi5hZGxk

YXAxMTIuZGN0bWxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP

Cegjeu/QvyTVawtFHKG28fLIKCBIK3dDWvhu+FqWRfR3L501iveTvfwT4AlR81QN

PImgg3btl5Z0LmN5Z/sccsQAPNEcgDNNP3Zv5G6AXx4Gpo7xhtr8YnYDoPGAzBGm

vXlb1TEA8fdrNwqY6Mf5PxwKKDc80Y3EFQaefUhnpwIDAQABo4IDhjCCA4IwCwYD

VR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqG

SIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUR2vcMrg6

VIc9GWdVhcJQ6RMK6z8wLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8A

bgB0AHIAbwBsAGwAZQByMB8GA1UdIwQYMBaAFAjwh8G60+A+gE5OmKRW48UVixJT

MIIBFwYDVR0fBIIBDjCCAQowggEGoIIBAqCB/4aBvWxkYXA6Ly8vQ049YWRyb290

Y2EsQ049TGRhcDExMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs

Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0

bWxhYnMsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl

Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIY9aHR0cDovL2xkYXAxMTIuYWRs

ZGFwMTEyLmRjdG1sYWJzLmNvbS9DZXJ0RW5yb2xsL2Fkcm9vdGNhLmNybDCCATQG

CCsGAQUFBwEBBIIBJjCCASIwgbUGCCsGAQUFBzAChoGobGRhcDovLy9DTj1hZHJv

b3RjYSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj

ZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZGxkYXAxMTIsREM9ZGN0bWxhYnMsREM9

Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9u

QXV0aG9yaXR5MGgGCCsGAQUFBzAChlxodHRwOi8vbGRhcDExMi5hZGxkYXAxMTIu

ZGN0bWxhYnMuY29tL0NlcnRFbnJvbGwvTGRhcDExMi5hZGxkYXAxMTIuZGN0bWxh

YnMuY29tX2Fkcm9vdGNhLmNydDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH

AwEwSgYDVR0RBEMwQaAfBgkrBgEEAYI3GQGgEgQQIKbIE/h5Z0O8me1tD3x+PYIe

TGRhcDExMi5hZGxkYXAxMTIuZGN0bWxhYnMuY29tMA0GCSqGSIb3DQEBBQUAA4IB

AQA5oCkrV1fXoH+4yuWnifXnsOKVx8hKKBmzG6CJN4xld06HoyYgYvN9xLtJ1k44

3QSddouNNmvh3ciC2nwjpBQMG3L1kWhyFvgNqmF3nYxZT7HVM8/6ZramuPEd+rP/

YiQdK9udHbshQ1H6Q0I4LvXOJ4RutWALmDP0SZVJNhZrMRx01beTC1lvL7ZeTxlj

VqEl1eGKUbdvYSO2AdRFrDa8wbPxvyLQimoEzpkOQ8K4oQmw4RPOESExZFlZMcrA

eTahGzk0nV4q6faqqHF+0zkNUGR3F2QUmP6sngRT24cA4JMGNd9ElpvP6R/dPP/X

X30TPzHjRFWW7H6QlMzHCaGw

-----END CERTIFICATE-----

subject=/CN=Ldap112.adldap112.dctmlabs.com

issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

---

Acceptable client certificate CA names

/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com

/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com

/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado /C=US/O=GTE Corporation/CN=GTE CyberTrust Root /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca

/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority

---

SSL handshake has read 4876 bytes and written 336 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: BF23000064323B11B2099A50A14680DE060F074784C443841FB5403C7C3D98EA

    Session-ID-ctx:

    Master-Key: D81EF5A0B204DB8E5DDAED7EF38170920787D13B45245EF7C4CD199A61F44745F72EF7EAFCD8DDFF241843253A64708B

    Key-Arg   : None

    Krb5 Principal: None

    Start Time: 1314914477

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

 

read:errno=0

%

%

 

 

 

 

 

From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Wednesday, August 31, 2011 7:31 AM
To: Wu, Daisy
Cc: richm@stanfordalumni.org; openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed

 

On 08/31/2011 08:23 AM, daisy.wu@emc.com wrote:

Thank you Rich.

 

extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db.


Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb?

certutil -d /path/to/ldap_certdb -L # list the certs
certutil -d /path/to/ldap_certdb -L -n "name of CA" -a > cacert.pem # extract named CA cert to pem file

 

Thanks in advance.

 

Daisy

 

 

From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Wednesday, August 31, 2011 6:14 AM
To: Wu, Daisy
Cc: richm@stanfordalumni.org; openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed

 

On 08/30/2011 11:26 PM, daisy.wu@emc.com wrote:

Thank you so much, Rich, for your reply.

 

In this call

 

        char *cert_path="/path/to/ldap_certdb";

        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",

                cert_path, rc, ldap_err2string(rc));

 

 

/path/to/ldap_certdb is actually a directory, the files under it are like this:

 

% ls –altr /path/to/ldap_certdb

total 56

-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 secmod.db

-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 key3.db

-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 cert7.db

drwx------  27 dmadmin dmadmin  4096 Aug 30 22:14 ../

drwxr-xr-x   2 dmadmin dmadmin  4096 Aug 30 22:14 ./

%

 

 

My simple test program (for testing LDAP SSL connection to AD server) using Mozilla LDAP C-SDK looks something like this (this test program works, connecting to AD over SSL works fine):

Right.  The reason it works fine is because mozldap uses moznss for crypto - you are using a build of openldap that uses openssl for crypto.  You will need to either rebuild openldap to use moznss for crypto, or extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db.


 

   if (ldapssl_client_init("/path/to/ldap_certdb", NULL ) < 0)

   {

     perror("ldapssl_client_init");

     return 1;

   }

 

    ld = ldapssl_init( host, port, 1);

    if ( ld == NULL )

    {

      perror("ldapssl_init");

      return 1;

    }

 

    if ((rc = ldap_simple_bind_s( ld, bind_dn, bind_password)) != LDAP_SUCCESS)

    {

      ldap_perror(ld, "ldap_simple_bind_s");

      return 1;

    }

 

However, the following equivalent code using OpenLDAP (built with RSA Share Adpator and RSA MES) does not work.  It failed with error “ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”

 

        ldap_initialize( &ld, uri );

        if ( ld == NULL ) {

                tester_perror( "ldap_initialize", NULL );

                exit( EXIT_FAILURE );

        }

 

        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );

        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n",

                version, rc, ldap_err2string(rc));

 

        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,

                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );

        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",

                chaserefs, rc, ldap_err2string(rc));

 

        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;

        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);

        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n",

                debug_flag1, rc, ldap_err2string(rc));

 

        char *cert_path="/path/to/ldap_certdb"; // this is directory

        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",

                cert_path, rc, ldap_err2string(rc));

 

        int reqcert = LDAP_OPT_X_TLS_ALLOW;

        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n",

                 reqcert, rc, ldap_err2string(rc));

 

         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );

         if ( rc != LDAP_SUCCESS ) {

           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );

           switch ( rc ) {

             case LDAP_BUSY:

             case LDAP_UNAVAILABLE:

               /* fallthru */

             default:

               break;

           }

           exit( EXIT_FAILURE );

         }

 

 

 

From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Tuesday, August 30, 2011 6:27 PM
To: Wu, Daisy
Cc: openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed

 

On 08/30/2011 07:09 PM, daisy.wu@emc.com wrote:

I am trying to write a simple client test program using OpenLDAP client API to connect to Microsoft Active Directory Server over SSL.

 

Below is code snippet.  The program failed to connect.

 

It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

I know there’s no problem with LDAP certificate store /path/to/ldap_certdb because a simple LDAP client test program written in Mozilla LDAP C-SDK worked fine connecting to this same AD server, over SSL.

 

I need to know if I am using the correct OpenLDAP client API calls.

Yes, but it looks like you are using OpenLDAP built with openssl, not Mozilla NSS.  If your OpenLDAP is provided by some vendor, and you cannot change/rebuild with moznss support, you'll have to export the CA certificate(s) from the /path/to/ldap_certdb and pass them to OpenLDAP with either a single file and LDAP_OPT_X_TLS_CACERTFILE or an openssl style ca cert dir with LDAP_OPT_X_TLS_CACERTDIR.

 

Any input would be much appreciated. 

 

Thanks.

 

Source Code:

 

        ldap_initialize( &ld, uri );

        if ( ld == NULL ) {

                tester_perror( "ldap_initialize", NULL );

                exit( EXIT_FAILURE );

        }

 

        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );

        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n",

                version, rc, ldap_err2string(rc));

 

        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,

                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );

        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",

                chaserefs, rc, ldap_err2string(rc));

 

        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;

        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);

        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n",

                debug_flag1, rc, ldap_err2string(rc));

 

        char *cert_path="/path/to/ldap_certdb";

        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",

                cert_path, rc, ldap_err2string(rc));

 

        int reqcert = LDAP_OPT_X_TLS_ALLOW;

        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n",

                 reqcert, rc, ldap_err2string(rc));

 

         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );

         if ( rc != LDAP_SUCCESS ) {

           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );

           switch ( rc ) {

             case LDAP_BUSY:

             case LDAP_UNAVAILABLE:

               /* fallthru */

             default:

               break;

           }

           exit( EXIT_FAILURE );

         }

 

 

Here’s program output:

 

rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success

PID=4781 - Search(2): base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", filter="cn=aduser2*" attr="cn".

slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

 

From: Wu, Daisy
Sent: Friday, August 26, 2011 4:53 PM
To: openldap-technical@openldap.org; 'openldap-devel-request@openldap.org'
Subject: Need sample OpenLDAP client test program connecting to LDAP server over SSL

 

Hi, OpenLDAP developers,

 

Do you have any sample test programs (or code snippets) that uses OpenLDAP client API to connect to LDAP server over SSL?

 

Thanks in advance.

 

Daisy