Re: client error connecting using tls
Herb Lewis wrote:
> I have a program that connects to a secure ldap server by calling the
> following sequence of functions. (the ldap.conf has TLS_CACERT pointing
> to the certificate file and TLS_REQCERT demand set)

You're misusing certificates, first of all.

> ldap_initialize
> ldap_set_option (to set various options such as LDAP_OPT_PROTOCOL_VERSION,
>   LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_RESTART, LDAP_OPT_NETWORK_TIMEOUT)
> ldap_start_tls_s
> ldap_sasl_bind_s
>
> This works correctly and I can do searches to this server.
> Later I want to connect to a different secure server. I copy the new
> certificate file over the old file so ldap.conf remains the same except
> the URI entry is updated to the new server. I call ldap_unbind_ext_s on
> the current connection then try to repeat the above initialization
> sequence but it always fails.

This is expected.

> If I restart the process I can connect to the second server first then
> when I try to connect to the first server that fails. I turned up
> debugging on the server and I see the error
>
> Peer does not recognize and trust the CA that issued your certificate..
>
> It seems like the client is remembering something and not allowing me to
> change to a different secure ldap server without killing the process and
> starting over.
> Is there something I am missing in cleaning up the first connection?

libldap only gets initialized once per process. Generally, libldap only
initializes the TLS settings once per process as well.

The TLS_CACERT setting is, as the name implies and as the documentation
states, for CA certificates. Not for server certificates. To authenticate
multiple servers you are expected to use a file containing the CA certificates
of all of the CAs that you trust, and the servers you connect to should have
server certificates signed by one of those CAs.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
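The point of the reply above is that TLS_CACERT must name the trusted CAs, not one server's own certificate. The script below is an added example, not code from the thread or from OpenLDAP: it creates two constructed CAs that each sign one LDAP server certificate, concatenates the CA certificates into the single bundle an ldap.conf TLS_CACERT line should point to, and uses openssl verify to show which server certificates each trust file covers. It assumes openssl is installed; ca1, ca2, ldap1 and ldap2 are placeholder names.

```shell
# Added example (not code from the thread or from OpenLDAP): build the single
# CA bundle that TLS_CACERT should point to when one client talks to several
# LDAP servers, and check which server certificates a given trust file covers.
# Assumptions: openssl is on PATH; CA labels, hostnames and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so each CA certificate carries basicConstraints CA:TRUE
# whatever the system openssl.cnf says (the empty DN section is fine with -subj).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca_and_server CA_LABEL SERVER_HOST: one self-signed CA plus one server
# certificate it signs ("server certificates signed by one of those CAs").
make_ca_and_server() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_server TRUST_FILE SERVER_CERT: succeeds only if the server certificate
# chains to a CA in TRUST_FILE, which is what TLS_REQCERT demand insists on.
verify_server() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca_and_server ca1 ldap1
make_ca_and_server ca2 ldap2
# The file TLS_CACERT should name: every CA you trust, concatenated into one PEM.
cat "$WORK/ca1.crt" "$WORK/ca2.crt" > "$WORK/ca-bundle.pem"

for srv in ldap1 ldap2; do
    verify_server "$WORK/ca-bundle.pem" "$WORK/$srv.crt" && echo "ca-bundle.pem covers $srv"
    verify_server "$WORK/ca1.crt" "$WORK/$srv.crt" || echo "ca1.crt alone does not cover $srv"
done
# The ldap.conf lines that then stay the same no matter which URI is used.
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$WORK/ca-bundle.pem"
```

With the bundle in place, switching the URI between servers needs no change to TLS_CACERT, so nothing has to be re-initialized in the process.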