Hi!
I'm wondering how one can force the usage of SSL (not STARTTLS) through
environment variables for OpenLDAP 2.3.x?
This is for a client application (FTP daemon run on a per-connection
basis) which does not accept LDAP URIs in its configuration, and an LDAP
server which does not support STARTTLS.
In 2.1.x, one could set LDAPTLS and LDAPTLS_CACERT to get this working. An
example using ldapsearch:
---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools# LDAPTLS=hard
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ldapsearch -h
ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d
10 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
request 1 done
filter: uid=bwiberg_hotel
requesting: sn
version: 1
dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
request 2 done
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
--->8---
...and if one did not set either one of those, one got:
---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ldapsearch -h
ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d
10 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
ldap_bind: Local error (82)
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools# LDAPTLS=hard
ldapsearch -h ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v -d
10 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS: can't connect.
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--->8---
However, OpenLDAP 2.3.32 does not recognize LDAPTLS=hard any longer:
---8<---
root@spinus:/usr/local/src/openldap-2.3.32/clients/tools# LDAPTLS=hard
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -h
ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v
-d 10 -L -L uid=bwiberg_hotel sn
ldap_initialize( ldap://ldapauth1.uu.se:636 )
(hexdump cut out)
ldap_read: want=8, got=5
0000: 80 03 00 00 01 .....
ldap_result: Local error (-2)
--->8---
Setting LDAPTLS_REQCERT=hard + LDAPTLS_CACERT, or even LDAPTLS=hard +
LDAPTLS_REQCERT=hard + LDAPTLS_CACERT, gives the same error. That is,
LDAPTLS_REQCERT=hard does not force SSL as LDAPTLS=hard once did.
Setting LDAPURI="ldaps://ldapauth1.uu.se:636/", not specifying a host name
and port number (-h, -p), and optionally skipping LDAPTLS or
LDAPTLS_REQCERT, works:
---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub
-b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x
-v -d 20 -L -L uid=bwiberg_hotel sn
ldap_initialize( <DEFAULT> )
request 1 done
filter: uid=bwiberg_hotel
requesting: sn
version: 1
dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
request 2 done
root@spinus:/usr/local/src/openldap-2.3.32/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub
-b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x
-v -L -L uid=bwiberg_hotel sn
ldap_initialize( <DEFAULT> )
filter: uid=bwiberg_hotel
requesting: sn
version: 1
dn: uid=bwiberg_hotel,ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
sn: Wiberg
--->8---
...but as soon as one adds -h and -p, ldapsearch and/or libldap ignores
LDAPURI and tries ldap:// instead of ldaps://. This is true both for
2.1.29 and 2.3.32:
---8<---
root@spinus:/usr/local/src/openldap-2.1.29/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -h
ldapauth1.uu.se -p 636 -s sub -b
ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se -D cn=root -w SECRET -x -v
-d 20 -L -L uid=bwiberg_hotel sn
ldap_init( ldapauth1.uu.se, 636 )
ldap_bind: Local error (82)
root@spinus:/usr/local/src/openldap-2.3.32/clients/tools#
LDAPURI="ldaps://ldapauth1.uu.se:636/"
LDAPTLS_CACERT=/hotel/apache/etc/ssl/certs/pcacert.pem ./ldapsearch -s sub
-h ldapauth1.uu.se -p 636 -b ou=webUpdate-W2,ou=userRoleData,dc=uu,dc=se
-D cn=root -w SECRET -x -v -L -L uid=bwiberg_hotel sn
ldap_initialize( ldap://ldapauth1.uu.se:636 )
ldap_result: Local error (-2)
--->8---
...so "overriding" the specified hostname and port with a URI through
environment variables seems impossible.
Could anyone give some advice on how to force SSL as in the older
versions, i.e. without LDAPURI or its -H ldapsearch counterpart?
Sadly, my client application will always supply a hostname and port
number to connect to in its calls to libldap, and does not have the
ability to accept LDAP URIs in its configuration. The earlier environment
variable solution was an easy work-around, and I would have hoped that
this possibility would stay in future (> 2.1) versions...
Many thanks in advance!
Best regards,
Björn Wiberg
Uppsala University
IT Support Department
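Added example, not part of Björn's post and not OpenLDAP code: a small Python classifier for the first bytes a client reads back from a socket it believes is a plaintext LDAP port. The failure shown above (ldap_initialize( ldap://...:636 ) followed by "ldap_result: Local error (-2)") is what libldap reports when the reply is not a BER-encoded LDAPMessage; looking at those first bytes tells you whether the peer is actually speaking LDAP, TLS, or an SSLv2-style record, and therefore whether you need ldaps:// rather than ldap://. The sample inputs are constructed here: the 80 03 00 00 01 bytes are taken from the hexdump in the post, and reading them as an SSLv2 ERROR record with code 0x0001 (NO-CIPHER-ERROR) is my interpretation, not something the post states. The other two samples (a TLS 1.0 alert and an LDAP BindResponse) are built by hand for illustration.

```python
"""Classify the first bytes received from a presumed LDAP server socket.

Added example (not from the original post or from OpenLDAP). Distinguishes
plaintext LDAP (BER SEQUENCE), TLS records, and SSLv2-style records, so a
libldap "Local error (-2)" after connecting in the clear can be explained.
"""
from dataclasses import dataclass, field

# Subset of LDAPv3 protocolOp tags (RFC 4511, APPLICATION tags).
LDAP_OPS = {0x61: "bindResponse", 0x64: "searchResEntry",
            0x65: "searchResDone", 0x78: "extendedResp"}
# TLS record content types (RFC 5246).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# SSLv2 ERROR message codes (SSL 2.0 protocol specification).
SSLV2_ERRORS = {0x0001: "NO-CIPHER-ERROR", 0x0002: "NO-CERTIFICATE-ERROR",
                0x0004: "BAD-CERTIFICATE-ERROR",
                0x0006: "UNSUPPORTED-CERTIFICATE-TYPE-ERROR"}


@dataclass
class Peek:
    kind: str                              # "ldap", "tls", "sslv2" or "unknown"
    detail: dict = field(default_factory=dict)


def _ber_length(buf: bytes, i: int):
    """Decode a BER length at buf[i]; return (length, index_after) or None."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify(buf: bytes) -> Peek:
    """Decide what protocol the peer's first bytes belong to."""
    if len(buf) < 2:
        return Peek("unknown", {"reason": "too short"})
    b0, b1 = buf[0], buf[1]

    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
    if b0 == 0x30:
        got = _ber_length(buf, 1)
        if got is not None:
            total, i = got
            if i + 2 < len(buf) and buf[i] == 0x02:
                id_len = buf[i + 1]
                msg_id = int.from_bytes(buf[i + 2:i + 2 + id_len], "big")
                op_idx = i + 2 + id_len
                detail = {"length": total, "message_id": msg_id}
                if op_idx < len(buf):
                    op = buf[op_idx]
                    detail["op"] = LDAP_OPS.get(op, "tag_0x%02x" % op)
                    # LDAPResult starts with resultCode ENUMERATED (0x0a 0x01 code)
                    body = buf[op_idx + 2:op_idx + 5]
                    if len(body) == 3 and body[0] == 0x0A and body[1] == 0x01:
                        detail["result_code"] = body[2]
                return Peek("ldap", detail)

    # TLS record: content type, version 0x03 0xNN, 16-bit length.
    if b0 in TLS_CONTENT_TYPES and b1 == 0x03 and len(buf) >= 5:
        detail = {"content_type": TLS_CONTENT_TYPES[b0],
                  "version": "3.%d" % buf[2],
                  "length": int.from_bytes(buf[3:5], "big")}
        if b0 == 0x15 and len(buf) >= 7:   # alert: level, description
            detail["alert_level"] = buf[5]
            detail["alert_description"] = buf[6]
        return Peek("tls", detail)

    # SSLv2 record: high bit set => 2-byte header, 15-bit length.
    if b0 & 0x80:
        rec_len = ((b0 & 0x7F) << 8) | b1
        body = buf[2:2 + rec_len]
        detail = {"record_len": rec_len}
        if len(body) >= 3 and body[0] == 0x00:   # SSL_MT_ERROR
            code = int.from_bytes(body[1:3], "big")
            detail.update(message="ERROR", error_code=code,
                          error_name=SSLV2_ERRORS.get(code, "unknown"))
        return Peek("sslv2", detail)

    return Peek("unknown", {"first_bytes": buf[:4].hex()})


def advice(peek: Peek) -> str:
    """Map a classification to the client-side fix a practitioner wants."""
    if peek.kind == "ldap":
        return "peer speaks plaintext LDAP; ldap:// (or STARTTLS) is appropriate"
    if peek.kind in ("tls", "sslv2"):
        return "peer expects TLS from the first byte; connect with ldaps:// (port 636)"
    return "not LDAP and not TLS; check host/port"


if __name__ == "__main__":
    # Constructed samples; the first is the hexdump from the post above.
    samples = {
        "post hexdump": bytes.fromhex("8003000001"),
        "TLS 1.0 fatal handshake_failure alert": bytes.fromhex("15030100020228"),
        "LDAP BindResponse success, msgid 1": bytes.fromhex("300c02010161070a010004000400"),
    }
    for name, data in samples.items():
        p = classify(data)
        print("%-40s %-6s %s -> %s" % (name, p.kind, p.detail, advice(p)))
```

In practice you would capture the bytes with the same -d debug output libldap already prints (the "ldap_read ... 0000:" hexdump) or with a packet capture on port 636, and feed them to classify(). Nothing here changes libldap's behaviour; it only tells you which side of the ldap:// versus ldaps:// mismatch you are on.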