----- Original Message -----
Sent: Friday, June 08, 2007 11:00
PM
Subject: [-SPAM-] Question about
ldap_init, ldap_initialize, start_tls,LDAP_OPT_X_TLS_ALLOW and TLS/SSL
I am new to OpenLDAP and TLS/SSL. I have two small test programs (see details below). The first uses ldap_init, the second ldap_initialize. My observations are:
1) Using ldap_init, ldap_start_tls_s and set LDAP_OPT_X_TLS_ALLOW
(empty
ldap.conf)
It does not connect on port 389 nor
636
2) Using ldap_init, ldap_start_tls_s and setting LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALL in ldaprc):
It does not connect on port 636, but it does on port 389
3) Using
ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty
ldap.conf)
It does not connect on port 389 nor
636
4) Using ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty
ldap.conf and
only TLS_REQCERT ALL in
ldaprc)
It does not connect on
port 389 but it does on port 636
My first question is: why does
val = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option (ld,
LDAP_OPT_X_TLS, &val);
not work?
Secondly, why does ldap_init behave differently from ldap_initialize?
Thirdly, what do I need to do to be able to use TLS/SSL on either port 389 or 636?
Thank
you
Markus
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/* Excerpt of the ldap_init-based test program. ldap_debug, val, host,
 * hostname, port, p, ssl and ld are declared outside this snippet. */
/* Turn on the full libldap trace (the output quoted below). ld == NULL
 * sets the library-wide option rather than a per-handle one. */
ldap_debug
= -1 /*LDAP_DEBUG_ANY */ ;
(void) ldap_set_option(NULL,
LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
/* Hand-rolled URL parsing. It only runs when argv[1] contains "://"; when it
 * does not, host and port keep whatever value they had before (not shown).
 * NOTE(review): the invocations below also pass what appears to be the bind
 * password as a command-line argument; argv is visible to other local users
 * through process listings, so a prompt or a protected file is preferable. */
if (strstr(argv[1],"://") )
{
hostname=strstr(argv[1],"://")+3;
/* ssl becomes non-NULL for an "ldaps://" prefix, but nothing in this excerpt
 * reads it, so the URL scheme never changes how ld is opened below. */
ssl=strstr(argv[1],"ldaps://");
/* Private copy so the ':' can be overwritten; not freed in this excerpt. */
host=strdup(hostname);
port=389;
if ((p=strchr(host,':')))
{
*p='\0';
p++;
/* atoi() reports no errors: a non-numeric port silently becomes 0.
 * strtol() with an endptr/ERANGE check would reject bad input. */
port=atoi(p);
}
}
/* ldap_init() only records host/port; the trace below shows the TCP
 * connection being opened by the first operation (ldap_new_connection inside
 * ldap_extended_operation_s). The cast is unnecessary in C, and ldap_init is
 * deprecated in OpenLDAP in favour of ldap_initialize(). */
ld = (LDAP *)ldap_init(host,port);
val =
LDAP_VERSION3;
(void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&val);
(void)ldap_set_option(ld, LDAP_OPT_REFERRALS ,
LDAP_OPT_ON);
/* StartTLS extended operation: opens the plain TCP connection, then upgrades
 * it to TLS. The int result is discarded here, so a failed handshake is not
 * detected at this point (the "Error while setting start_tls" message in the
 * trace suggests the status is read some other way -- confirm).
 * For port 636 the trace shows this request sent and the reply read failing
 * ("ber_get_next failed"), consistent with a cleartext StartTLS request
 * reaching a listener that expects TLS from the first byte: StartTLS belongs
 * on the plain port (389), ldaps:// on 636. */
ldap_start_tls_s(ld, NULL, NULL);
/* Set AFTER the handshake above, so it cannot influence it. As I read the
 * API, LDAP_OPT_X_TLS selects whether the connection uses TLS at all; the
 * certificate-checking policy that the TLS_REQCERT ldaprc directive controls
 * is LDAP_OPT_X_TLS_REQUIRE_CERT, which is where LDAP_OPT_X_TLS_ALLOW belongs.
 * ALLOW accepts a server certificate that cannot be verified -- the trace
 * below shows verification errors 20, 27 and 21 being tolerated -- which
 * removes the protection TLS gives against an impersonating server. The
 * trace names the issuer (/DC=home/DC=windows2003/CN=Windows2003CA); making
 * that CA available via TLS_CACERT / LDAP_OPT_X_TLS_CACERTFILE and keeping
 * REQCERT at demand is the fix. This return value is not checked either. */
val =
LDAP_OPT_X_TLS_ALLOW;
ldap_set_option (ld, LDAP_OPT_X_TLS,
&val);
.
.
.
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP
w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd:
4 tm: -1 async: 0
ldap_open_defconn:
successful
ldap_send_server_request
ldap_result ld 8065c90 msgid
1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite
timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90
Connections:
* host: w2k3.windows2003.home port: 636
(default)
refcnt: 2 status: Connected
last used: Tue
Jun 5 23:02:11 2007
** ld 8065c90 Outstanding
Requests:
* msgid 1, origid 1, status
InProgress
outstanding referrals 0, parent count 0
** ld
8065c90 Response Queue:
Empty
ldap_chkResponseList ld
8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90
NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
ber_get_next
failed.
ldap_err2string
ldap_test Error while setting start_tls for ldap
server: Can't contact
LDAPserver
ldap_free_request (origid 1, msgid
1)ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection:
actually freed
./ldap_test ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_createldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_requestldap_new_connection
1 1 0
ldap_int_open_connectionldap_connect_to_host:
TCP
w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd:
4 tm: -1 async: 0
ldap_open_defconn:
successful
ldap_send_server_request
ldap_result ld 8065c90 msgid
1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite
timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90
Connections:
* host: w2k3.windows2003.home port: 389
(default)
refcnt: 2 status: Connected
last used: Tue
Jun 5 23:00:34 2007
** ld 8065c90 Outstanding Requests:
*
msgid 1, origid 1, status InProgress
outstanding
referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all
1
read1msg: ld 8065c90 msgid 1 message type extended-result
new
result: res_errno: 0, res_error: <>, res_matched:
<>
read1msg: ld 8065c90 0 new referrals
read1msg: mark
request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid
1
res_errno: 0, res_error: <>, res_matched:
<>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0
1
ldap_free_connection: refcnt
1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS
trace: SSL_connect:before/connect initialization
TLS trace:
SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read
server hello A
TLS certificate verification: depth: 0, err:
20,
subject:/CN=w2k3.windows2003.home,
issuer:/DC=home/DC=windows2003/CN=Windows2003CA
TLS
certificate verification: Error, unable to get local
issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS
trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace:
SSL_connect:error in SSLv3 read server certificate B
TLS: can't
connect.
ldap_err2string
ldap_free_connection 1
1
ldap_send_unbind
ldap_free_connection: actually freed
With
~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_createldap_extended_operation_sldap_extended_operationldap_send_initial_requestldap_new_connection
1
1 0ldap_int_o
pen_connection
ldap_connect_to_host: TCP
w2k3.windows2003.home:389
ldap_new_socket: 4ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd:
4 tm: -1 async: 0ldap_open_defconn:
successful
ldap_send_server_request
ldap_result ld 8065c90 msgid
1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite
timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90
Connections:
* host: w2k3.windows2003.home port: 389
(default)
refcnt: 2 status: Connected
last used: Tue
Jun 5 23:04:26 2007
** ld 8065c90 Outstanding Requests:
*
msgid 1, origid 1, status InProgress
outstanding
referrals 0, parent count 0
** ld 8065c90 Response Queue:
Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all
1
read1msg: ld 8065c90 msgid 1 message type extended-result
new
result: res_errno: 0, res_error: <>, res_matched:
<>
read1msg: ld 8065c90 0 new referrals
read1msg: mark
request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid
1res_errno: 0, res_error: <>,
res_matched:
<>
ldap_free_request (origid 1, msgid
1)
ldap_free_connection 0 1
ldap_free_connection: refcnt
1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS
trace: SSL_connect:before/connect initialization
TLS trace:
SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read
server hello A
TLS certificate verification: depth: 0, err:
20,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, unable to get local issuer
certificateTLS certificate
verification: depth: 0, err: 27,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, certificate not trusted
TLS certificate verification:
depth: 0, err: 21,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, unable to verify the first
certificate
TLS trace:
SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3
read server certificate request A
TLS trace: SSL_connect:SSLv3 read server
done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS
trace: SSL_connect:SSLv3 write client key exchange A
TLS trace:
SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3
write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace:
SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad
certificate
TLS: unable to get peer
ertificate.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result
ld 8065c90 msgid 2
ldap_chkResponseList ld 8065c90 msgid 2 all
1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid
2 (infinite timeout)
wait4msg continue ld 8065c90 msgid 2 all 1
** ld
8065c90 Connections:
* host: w2k3.windows2003.home port: 389
(default)
refcnt: 2 status: Connected
last used: Tue
Jun 5 23:04:26 2007
** ld 8065c90 Outstanding Requests:
* msgid
2, origid 2, status InProgress
outstanding referrals 0,
parent count 0
** ld 8065c90 Response Queue:
Empty
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/* Excerpt of the ldap_initialize-based test program. ldap_debug, val and ld
 * are declared outside this snippet. */
/* Library-wide debug trace (ld == NULL), as in the first program. */
ldap_debug = -1 /*LDAP_DEBUG_ANY */ ;
(void) ldap_set_option(NULL,
LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
/* ldap_initialize() takes LDAP ** as its first argument. If ld is an LDAP *
 * here, as it is in the ldap_init program, this should be &ld, and the int
 * result should be checked. With an ldaps:// URI the library negotiates TLS
 * itself on connect -- the trace below shows the handshake right after
 * ldap_connect_to_host with no StartTLS extended operation -- so this
 * variant expects a TLS listener (636); against port 389 the trace shows only
 * the client hello before "can't connect", which is what a plaintext
 * listener on that port would produce. */
ldap_initialize(ld,argv[1]);
val = LDAP_VERSION3;
(void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
(void)ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON);
/* The TLS_REQCERT ALLOW ldaprc directive that made the 636 case proceed is
 * the configuration-file form of LDAP_OPT_X_TLS_REQUIRE_CERT, not of
 * LDAP_OPT_X_TLS, which is why this call has no visible effect. ALLOW turns
 * certificate verification into a warning: the trace shows errors 20, 27 and
 * 21, then "SSL3 alert write:warning:bad certificate", and the connection is
 * used anyway. That leaves the session open to an impersonating server;
 * point TLS_CACERT / LDAP_OPT_X_TLS_CACERTFILE at the issuing CA named in
 * the trace and leave the check at demand. The return value is unchecked. */
val =
LDAP_OPT_X_TLS_ALLOW;
ldap_set_option (ld,LDAP_OPT_X_TLS,
&val);
.
.
.
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP
w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd:
4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect
initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS
trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification:
depth: 0, err:
20,
subject:/CN=w2k3.windows2003.home,
issuer:/DC=home/DC=windows2003/CN=Windows2003CA
TLS
certificate verification: Error, unable to get local
issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS
trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace:
SSL_connect:error in SSLv3 read server certificate B
TLS: can't
connect.
ldap_err2string Can'tcontact LDAP server
./ldap_test
ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:389)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP
w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd:
4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect
initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS:
can't connect.
ldap_err2string Can'tcontact LDAP server
With
~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME"
Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP
w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket:
4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd:
4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect
initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS
trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification:
depth: 0, err: 20,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, unable to get local issuer
certificateTLS certificate
verification: depth: 0, err: 27,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, certificate not trusted
TLS certificate verification:
depth: 0, err: 21,
subject:/CN=w2k3.windows2003.home,
issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate
verification: Error, unable to verify the first
certificateTLS trace:
SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3
read server certificate request A
TLS trace: SSL_connect:SSLv3 read server
done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS
trace: SSL_connect:SSLv3 write client key exchange A
TLS trace:
SSL_connect:SSLv3 write change cipher spec ATLS trace:
SSL_connect:SSLv3
write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace:
SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad
certificate
TLS: unable to get peer certificate.
ldap_open_defconn:
successful
ldap_send_server_request
ldap_result ld 8065c58 msgid
1
ldap_chkResponseList ld 8065c58 msgid 1 all 1
ldap_chkResponseList
returns ld 8065c58 NULL
wait4msg ld 8065c58 msgid 1 (infinite
timeout)
wait4msg continue ld 8065c58 msgid 1 all 1
** ld 8065c58
Connections:
* host: w2k3.windows2003.home port: 636
(default)
refcnt: 2 status: Connected
last used: Tue
Jun 5 22:55:02 2007
** ld 8065c58 Outstanding Requests:
*
msgid 1, origid 1, status InProgress
outstanding
referrals 0, parent count 0
** ld 8065c58 Response Queue:
Empty