Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL - openldap-software

9 Jun 2007


      I am new to Openldap and TLS/SSL.  I have two small
test programs (see details below). The first uses ldap_init the second
ldap_initalize. My observation is:
1) Using ldap_init, ldap_start_tls_s and set LDAP_OPT_X_TLS_ALLOW (empty
ldap.conf)
    It does not connect on port 389 nor 636
2) Using ldap_init,ldap_start_tls_s and set LDAP_OPT_X_TLS_ALLOW (emprty
ldap.conf and only TLS_REQCERT ALL in ldaprc)
    It does not connect on port 636 but it does on port 389
3) Using ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty ldap.conf)
    It does not connect on port 389 nor 636
4) Using ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and
only TLS_REQCERT ALL in ldaprc)
        It does not connect on port 389 but it does on port 636
My first question is why does
val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option (ld, LDAP_OPT_X_TLS, &val);
not work ?
Secondly why behaves ldap_init different to ldap_initialize ?
Thirdly what do I need to do to be able to use TLS/SSL on either port 389
or
636 ?
Thank you
Markus
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ldap_debug = -1 /*LDAP_DEBUG_ANY */ ;
(void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
if (strstr(argv[1],"://") ) {
  hostname=strstr(argv[1],"://")+3;
  ssl=strstr(argv[1],"ldaps://");
  host=strdup(hostname);
  port=389;
  if ((p=strchr(host,':'))) {
      *p='\0';
     p++;
     port=atoi(p);
    }
  }
  ld = (LDAP *)ldap_init(host,port);
  val = LDAP_VERSION3;
  (void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
  (void)ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON);
  ldap_start_tls_s(ld, NULL, NULL);
  val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option (ld, LDAP_OPT_X_TLS, &val);
  .
  .
  .
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:02:11 2007
** ld 8065c90 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
ber_get_next failed.
ldap_err2string
ldap_test Error while setting start_tls for ldap server: Can't contact
LDAPserver
ldap_free_request (origid 1, msgid 1)ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
./ldap_test ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_createldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_requestldap_new_connection 1 1 0
ldap_int_open_connectionldap_connect_to_host: TCP
w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:00:34 2007
** ld 8065c90 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg:  mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20,
subject:/CN=w2k3.windows2003.home,
issuer:/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
With ~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_createldap_extended_operation_sldap_extended_operationldap_send_initial_requestldap_new_connection
1 1 0ldap_int_o
pen_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c90 msgid 1
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 1 (infinite timeout)
wait4msg continue ld 8065c90 msgid 1 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:04:26 2007
** ld 8065c90 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:
   Empty
ldap_chkResponseList ld 8065c90 msgid 1 all 1
ldap_chkResponseList returns ld 8065c90 NULL
ldap_int_select
read1msg: ld 8065c90 msgid 1 all 1
read1msg: ld 8065c90 msgid 1 message type extended-result
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 8065c90 0 new referrals
read1msg:  mark request completed, ld 8065c90 msgid 1
request done: ld 8065c90 msgid 1res_errno: 0, res_error: <>, res_matched:
<>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer
certificateTLS certificate verification: depth: 0, err: 27,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first
certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer ertificate.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 8065c90 msgid 2
ldap_chkResponseList ld 8065c90 msgid 2 all 1
ldap_chkResponseList returns ld 8065c90 NULL
wait4msg ld 8065c90 msgid 2 (infinite timeout)
wait4msg continue ld 8065c90 msgid 2 all 1
** ld 8065c90 Connections:
* host: w2k3.windows2003.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 23:04:26 2007
** ld 8065c90 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c90 Response Queue:   Empty
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ldap_debug = -1 /*LDAP_DEBUG_ANY */ ;
  (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
  ldap_initialize(ld,argv[1]);
  val = LDAP_VERSION3;
  (void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val);
  (void)ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON);
  val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option (ld,LDAP_OPT_X_TLS, &val);
  .
  .
  .
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20,
subject:/CN=w2k3.windows2003.home,
issuer:/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string Can'tcontact LDAP server
./ldap_test ldaps://w2k3.windows2003.home:389
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:389)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_err2string Can'tcontact LDAP server
With ~/.ldaprc
TLS_REQCERT ALLOW
./ldap_test ldaps://w2k3.windows2003.home:636
"DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd
ldap_create
ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636)
ldap_err2string
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP w2k3.windows2003.home:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 192.168.1.5:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer
certificateTLS certificate verification: depth: 0, err: 27,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21,
subject:/CN=w2k3.windows2003.home, issuer:
/DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first
certificateTLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec ATLS trace:
SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 8065c58 msgid 1
ldap_chkResponseList ld 8065c58 msgid 1 all 1
ldap_chkResponseList returns ld 8065c58 NULL
wait4msg ld 8065c58 msgid 1 (infinite timeout)
wait4msg continue ld 8065c58 msgid 1 all 1
** ld 8065c58 Connections:
* host: w2k3.windows2003.home  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun  5 22:55:02 2007
** ld 8065c58 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 8065c58 Response Queue:
   Empty