Hello,
I'm trying to write a simple LDAP program that uses TLS for communication and am running into problems with the server certificate verification.
Using strace I noticed that the ldapsearch command is able to find the appropriate CA certificate for the server I'm connecting to in my /etc/ssl/certs directory even if the TLS_CACERT setting in ldap.conf points to a different certificate. In my program, however, I receive error 91, which is a Connect error.
Setting TLS_CACERT to the server's CA certificate allows the connection to go through, but that is not feasible as I need to connect to servers with different CAs.
I tried looking through ldapsearch.c to find the secret sauce to get this to work, but was not successful. Can someone point me in the right direction?
Thanks a lot! -berto.
Roberto Aguilar writes:
> Using strace I noticed that the ldapsearch command is able to find the appropriate CA certificate for the server I'm connecting to in my /etc/ssl/certs directory even if the TLS_CACERT setting in ldap.conf points to a different certificate.
And you are inspecting the right ldap.conf? On Linux /etc/ldap.conf is for PAM/NSS and /etc/(open)ldap/ldap.conf is for OpenLDAP programs.
> In my program, however, I receive error 91, which is a Connect error.
That's a pretty old OpenLDAP. Client-side errors like Connect error became negative in OpenLDAP 2.2.
Anyway...
Do you spell the server hostname the same way in your program and in ldapsearch? If your server certificate is for host foo.example.com, connecting to "foo" or "localhost" instead of "foo.example.com" gives a connect error since the hostnames differ.
If you've installed your own OpenLDAP, are you sure ldapsearch and your program are from the same installation (and use the same libldap)? Maybe one is from the system installation and the other from yours. For dynamically loaded libraries, 'ldd <executable>' will tell.
> Setting TLS_CACERT to the server's CA certificate allows the connection to go through, but that is not feasible as I need to connect to servers with different CAs.
> I tried looking through ldapsearch.c to find the secret sauce to get this to work, but was not successful. Can someone point me in the right direction?
libldap handles it for ldapsearch. If you mean you want to set the CA cert by hand in the program, use rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "<CA cert filename>");
Hallvard B Furuseth wrote:
> Roberto Aguilar writes:
>> Setting TLS_CACERT to the server's CA certificate allows the connection to go through, but that is not feasible as I need to connect to servers with different CAs.
>> I tried looking through ldapsearch.c to find the secret sauce to get this to work, but was not successful. Can someone point me in the right direction?
> libldap handles it for ldapsearch. If you mean you want to set the CA cert by hand in the program, use rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "<CA cert filename>");
Also, as noted in the Admin Guide, you can place multiple CA certs in a single file, and you typically need to do this on clients anyway.
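The two client-side checks discussed in this thread, the CA chain (TLS_CACERT / LDAP_OPT_X_TLS_CACERTFILE) and the host name match Hallvard describes, are easiest to see side by side when the trust store and server certificate are under your control. The following is an added example, not code from the thread, from OpenLDAP or from libldap: it uses Go's standard crypto/x509 instead of libldap, constructs two throwaway CAs ("Example CA A" and "Example CA B" are made-up names) and a server certificate for foo.example.com in memory, then runs the same verification a TLS client performs against a single-CA file, a file holding both CAs, and a mismatched host name. No network connection is involved; the outcomes correspond to the conditions under which libldap reports a connect error, not to libldap's own return codes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type VerifyResult string

const (
	VerifyOK           VerifyResult = "ok"
	VerifyUnknownCA    VerifyResult = "unknown-ca"        // no chain to a trusted CA
	VerifyHostMismatch VerifyResult = "hostname-mismatch" // chain is fine, name is not
	VerifyOther        VerifyResult = "other"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert builds and signs a certificate for cn; isCA marks a CA, a nil parent means
// self-signed. Keys and certificates are constructed in memory for this example only.
func mkCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the only host name this server cert is valid for
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// pemBundle concatenates CA certs into one PEM body: a TLS_CACERT file holding several CAs.
func pemBundle(cas ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyAgainstBundle trusts only the CAs in bundle and requires leaf to be valid
// for connectHost, the name the client used to reach the server.
func verifyAgainstBundle(bundle []byte, leaf *x509.Certificate, connectHost string) VerifyResult {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) { // an unparseable bundle must not pass silently
		return VerifyOther
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: connectHost, Roots: roots})
	switch {
	case err == nil:
		return VerifyOK
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return VerifyUnknownCA
	case errors.As(err, new(x509.HostnameError)):
		return VerifyHostMismatch
	}
	return VerifyOther
}

func RunScenarios() map[string]VerifyResult {
	caA, keyA := mkCert("Example CA A", true, nil, nil) // the CA that signed the server cert
	caB, _ := mkCert("Example CA B", true, nil, nil)    // another CA the client must also trust
	leaf, _ := mkCert("foo.example.com", false, caA, keyA)
	return map[string]VerifyResult{
		"wrong-ca":   verifyAgainstBundle(pemBundle(caB), leaf, "foo.example.com"),      // TLS_CACERT names the wrong CA
		"right-ca":   verifyAgainstBundle(pemBundle(caA), leaf, "foo.example.com"),      // correct CA, full host name
		"short-host": verifyAgainstBundle(pemBundle(caA), leaf, "foo"),                  // correct CA, connected as "foo"
		"bundle":     verifyAgainstBundle(pemBundle(caB, caA), leaf, "foo.example.com"), // both CAs in one file
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

Run it with `go run` on any Go toolchain that has crypto/ed25519 and errors.As (1.13 or later). The "short-host" case is the one to note: the chain to the right CA is fine, yet verification still fails because the certificate carries only foo.example.com and the client asked for foo, which is exactly the host name mismatch described above. The "bundle" case shows that a single CA file with several certificates concatenated works without the client knowing in advance which CA signed the server's certificate.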
On 6/22/07, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> wrote:
> That's a pretty old OpenLDAP. Client-side errors like Connect error became negative in OpenLDAP 2.2.
Hallvard, thanks for your reply! After you said this I looked about my system and noticed I had two versions of libldap installed: a 2.0 version and a 2.2 version. My program linked against the old one since its file is /usr/lib/libldap.so. On the other hand, if I compile my application with:
gcc -o test test.o /usr/lib/libldap-2.2.so.7
that linked against the new version of the library, which in turn found the certificate automatically as I had hoped.
Thanks so much! -Roberto.
openldap-software@openldap.org