Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW in a client program with ldap_start_tls_s?
Is it a bug if it doesn't work?
Thank you
Markus

----- Original Message -----
From: Markus Moeller
To: openldap-software@openldap.org
Sent: Friday, June 08, 2007 11:00 PM
Subject: [-SPAM-] Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
I am new to OpenLDAP and TLS/SSL. I have two small test programs (see details below). The first uses ldap_init, the second ldap_initialize. My observation is:
1) Using ldap_init, ldap_start_tls_s and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf): it does not connect on port 389 nor 636.
2) Using ldap_init, ldap_start_tls_s and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALLOW in ldaprc): it does not connect on port 636 but it does on port 389.
3) Using ldap_initialize and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf): it does not connect on port 389 nor 636.
4) Using ldap_initialize and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALLOW in ldaprc): it does not connect on port 389 but it does on port 636.
My first question is why does
    val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
not work?
Secondly, why does ldap_init behave differently from ldap_initialize?
Thirdly, what do I need to do to be able to use TLS/SSL on either port 389 or 636?
Thank you
Markus
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ldap_debug = -1 /* LDAP_DEBUG_ANY */;
(void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);

/* Split "scheme://host[:port]" by hand: ldap_init() takes a host and a port, not a URL. */
if (strstr(argv[1], "://")) {
    hostname = strstr(argv[1], "://") + 3;
    ssl = strstr(argv[1], "ldaps://");
    host = strdup(hostname);
    port = 389;
    if ((p = strchr(host, ':'))) {
        *p = '\0';
        p++;
        port = atoi(p);
    }
}
ld = (LDAP *) ldap_init(host, port);
val = LDAP_VERSION3;
(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
/* StartTLS is issued here, before the TLS option below is set on the handle. */
ldap_start_tls_s(ld, NULL, NULL);
val = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
. . .
./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Jun 5 23:02:11 2007

** ld 8065c90 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
ber_get_next failed.
ldap_err2string
ldap_test Error while setting start_tls for ldap server: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Jun 5 23:00:34 2007

** ld 8065c90 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg: mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
With ~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Jun 5 23:04:26 2007

** ld 8065c90 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg: mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 8065c90 msgid 2
ldap_chkResponseList ld 8065c90 msgid 2 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 2 (infinite timeout)
wait4msg continue ld 8065c90 msgid 2 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Jun 5 23:04:26 2007
** ld 8065c90 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ldap_debug = -1 /* LDAP_DEBUG_ANY */;
(void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);

/* ldap_initialize() parses the URL itself (so an ldaps:// scheme means TLS on connect)
   and returns the handle through a pointer, hence &ld. */
ldap_initialize(&ld, argv[1]);
val = LDAP_VERSION3;
(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
val = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
. . .
./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Can't contact LDAP server

./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:389)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_err2string
Can't contact LDAP server
With ~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME" "CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c58 msgid 1
ldap_chkResponseList ld 8065c58 msgid 1 all 1
ldap_chkResponseList returns ld 8065c58 NULL
wait4msg ld 8065c58 msgid 1 (infinite timeout)
wait4msg continue ld 8065c58 msgid 1 all 1
** ld 8065c58 Connections:
* host: w2k3.windows2003.home port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Jun 5 22:55:02 2007
** ld 8065c58 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 8065c58 Response Queue:
Empty
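Editor's note with an added example. The code below is not from Markus's test programs or from OpenLDAP's libldap; it is a stand-alone illustration of what the traces above show on the wire. It builds the StartTLS ExtendedRequest that ldap_start_tls_s() sends (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), parses the ExtendedResponse, and classifies the first bytes a port sends back. That classification is the difference between the two failure modes in the traces: with ldap_init on port 636 the server is waiting for a TLS ClientHello, so the BER request gets no LDAPMessage back and libldap reports "ber_get_next failed"; with ldap_initialize(ldaps://...:389) the ClientHello goes to a plain-LDAP listener and the handshake dies right after "write client hello A" with "TLS: can't connect". The three server replies are constructed for the example, not captured from the poster's server, and the names (encode_starttls_request, classify_first_bytes, parse_starttls_response, REPLY_*) are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* StartTLS extended operation OID, RFC 4511 section 4.14. */
#define STARTTLS_OID "1.3.6.1.4.1.1466.20037"

/* Constructed sample replies (not captured from the poster's server).
 * A plain-LDAP port accepting StartTLS: resultCode 0, responseName echoed. */
static const char REPLY_STARTTLS_OK[] =
    "\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16" STARTTLS_OID;
/* A plain-LDAP port refusing it: resultCode 53, unwillingToPerform. */
static const char REPLY_UNWILLING[] =
    "\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x35\x04\x00\x04\x00";
/* What an LDAPS port may answer when it gets BER instead of a ClientHello:
 * a TLS alert record (fatal, unexpected_message). It may also just close. */
static const char REPLY_TLS_ALERT[] = "\x15\x03\x01\x00\x02\x02\x0a";

enum wire_kind { WIRE_LDAP_MESSAGE, WIRE_TLS_RECORD, WIRE_UNKNOWN };

/* Build the LDAPMessage that ldap_start_tls_s() writes to the socket:
 *   SEQUENCE { messageID INTEGER, [APPLICATION 23] { [0] requestName } }
 * Short-form BER lengths suffice (31 bytes). Returns bytes written, 0 if
 * msgid does not fit one byte or the buffer is too small. */
size_t encode_starttls_request(int msgid, unsigned char *out, size_t cap)
{
    size_t oidlen = strlen(STARTTLS_OID);
    size_t extlen = 2 + oidlen;          /* 0x80 len oid */
    size_t inner = 3 + 2 + extlen;       /* INTEGER(3) + ext header(2) + body */
    size_t n = 0;

    if (msgid < 0 || msgid > 127 || cap < inner + 2)
        return 0;
    out[n++] = 0x30; out[n++] = (unsigned char)inner;   /* SEQUENCE */
    out[n++] = 0x02; out[n++] = 0x01; out[n++] = (unsigned char)msgid;
    out[n++] = 0x77; out[n++] = (unsigned char)extlen;  /* [APPLICATION 23] */
    out[n++] = 0x80; out[n++] = (unsigned char)oidlen;  /* [0] requestName */
    memcpy(out + n, STARTTLS_OID, oidlen);
    return n + oidlen;
}

/* Classify the first bytes a peer sends back. 0x30 opens a BER SEQUENCE,
 * i.e. an LDAPMessage; 0x14..0x17 followed by 0x03 is a TLS record header.
 * Plain LDAP sent to an LDAPS port gets a TLS record or a closed socket
 * (libldap: "ber_get_next failed"); a ClientHello sent to a plain port gets
 * no TLS record back (libldap: "TLS: can't connect" right after the hello). */
enum wire_kind classify_first_bytes(const unsigned char *buf, size_t len)
{
    if (len >= 1 && buf[0] == 0x30)
        return WIRE_LDAP_MESSAGE;
    if (len >= 2 && buf[0] >= 0x14 && buf[0] <= 0x17 && buf[1] == 0x03)
        return WIRE_TLS_RECORD;
    return WIRE_UNKNOWN;
}

/* Parse the ExtendedResponse to our StartTLS request and return its
 * resultCode; 0 means the server now expects a TLS ClientHello on the same
 * socket. Returns -1 if this is not an ExtendedResponse for msgid. */
int parse_starttls_response(const unsigned char *buf, size_t len, int msgid)
{
    size_t n = 0;

    if (len < 10 || buf[0] != 0x30 || (buf[1] & 0x80))
        return -1;                       /* not a short-form SEQUENCE */
    n += 2;
    if (buf[n] != 0x02 || buf[n + 1] != 0x01 || buf[n + 2] != msgid)
        return -1;                       /* messageID mismatch */
    n += 3;
    if (buf[n] != 0x78)
        return -1;                       /* not [APPLICATION 24] */
    n += 2;
    if (buf[n] != 0x0a || buf[n + 1] != 0x01)
        return -1;                       /* resultCode must be ENUMERATED */
    return buf[n + 2];
}

int main(void)
{
    unsigned char req[64];
    size_t i, n = encode_starttls_request(1, req, sizeof req);

    printf("StartTLS request, %zu bytes:", n);
    for (i = 0; i < n; i++)
        printf(" %02x", req[i]);
    printf("\nplain port accepts : resultCode %d\n",
           parse_starttls_response((const unsigned char *)REPLY_STARTTLS_OK,
                                   sizeof REPLY_STARTTLS_OK - 1, 1));
    printf("plain port refuses : resultCode %d\n",
           parse_starttls_response((const unsigned char *)REPLY_UNWILLING,
                                   sizeof REPLY_UNWILLING - 1, 1));
    printf("ldaps port answers : wire kind %d (1 = TLS record)\n",
           classify_first_bytes((const unsigned char *)REPLY_TLS_ALERT,
                                sizeof REPLY_TLS_ALERT - 1));
    return 0;
}
```

Two points for anyone reusing the option calls from the posted programs. LDAP_OPT_X_TLS_ALLOW is one of the TLS_REQCERT values (never, allow, try, demand/hard); the libldap option that takes those values is LDAP_OPT_X_TLS_REQUIRE_CERT, and like every TLS option it has to be set before the handshake happens, that is before ldap_start_tls_s() or before the first operation on an ldaps:// handle. LDAP_OPT_X_TLS is a different option: it selects the connection's TLS mode, where LDAP_OPT_X_TLS_HARD means TLS on connect, the same thing an ldaps:// URL means to ldap_initialize(). The ALLOW traces above also show what that setting buys: the certificate chain fails verification three times ("unable to get local issuer certificate", "certificate not trusted", "unable to verify the first certificate") and the bind proceeds anyway, so the session is encrypted but not authenticated. For anything beyond a lab, keep the default demand and point TLS_CACERT (or LDAP_OPT_X_TLS_CACERTFILE) at the issuing CA, here Windows2003CA.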