Thank you so much, Rich, for your help.
Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb?
certutil -d /path/to/ldap_certdb -L # list the certs
certutil -d /path/to/ldap_certdb -L -n "name of CA" -a > cacert.pem # extract named CA cert to pem file
Via the OpenLDAP client, I've been able to connect to Microsoft Active Directory Server over SSL by setting the CACERTFILE option, like this:
ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, cert_file); <-- this works
However, I am still NOT able to accomplish the same by setting the CACERTDIR option:
ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, cert_dir); <-- this does NOT work
When option LDAP_OPT_X_TLS_CACERTDIR is used, I am getting this error:
slapd-search PID=7083: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am just wondering if OpenSSL looks for specific file names (or specific patterns of file names) under the cert_dir?
Here’s my test using openssl from command line to test SSL connectivity to Microsoft Active Directory Server over SSL.
Please note the highlighted text below. This test was run on a Linux machine.
Note that if I specify the -CAfile option, the connection is successful.
But if I use the -CApath option, the connection fails with the error "Verify return code: 21 (unable to verify the first certificate)".
Any input/feedback would be much appreciated.
Thanks.
Daisy
% pwd
/home/dmadmin/ldap_certdb
%
% ls -altr
total 12
drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../
-rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem
drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./
%
################################################################
# asn1parse is to verify that openssl can parse the PEM file
################################################################
% openssl asn1parse -inform PEM -in ./adrootca.pem
0:d=0 hl=4 l=1204 cons: SEQUENCE
4:d=1 hl=4 l= 924 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :61DA1E03CCBF4A954385F1079D134B5E
31:d=2 hl=2 l= 13 cons: SEQUENCE
33:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
44:d=3 hl=2 l= 0 prim: NULL
46:d=2 hl=2 l= 93 cons: SEQUENCE
48:d=3 hl=2 l= 19 cons: SET
50:d=4 hl=2 l= 17 cons: SEQUENCE
52:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
64:d=5 hl=2 l= 3 prim: IA5STRING :com
69:d=3 hl=2 l= 24 cons: SET
71:d=4 hl=2 l= 22 cons: SEQUENCE
73:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
85:d=5 hl=2 l= 8 prim: IA5STRING :dctmlabs
95:d=3 hl=2 l= 25 cons: SET
97:d=4 hl=2 l= 23 cons: SEQUENCE
99:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
111:d=5 hl=2 l= 9 prim: IA5STRING :adldap112
122:d=3 hl=2 l= 17 cons: SET
124:d=4 hl=2 l= 15 cons: SEQUENCE
126:d=5 hl=2 l= 3 prim: OBJECT :commonName
131:d=5 hl=2 l= 8 prim: PRINTABLESTRING :adrootca
141:d=2 hl=2 l= 30 cons: SEQUENCE
143:d=3 hl=2 l= 13 prim: UTCTIME :100914235940Z
158:d=3 hl=2 l= 13 prim: UTCTIME :150915000848Z
173:d=2 hl=2 l= 93 cons: SEQUENCE
175:d=3 hl=2 l= 19 cons: SET
177:d=4 hl=2 l= 17 cons: SEQUENCE
179:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
191:d=5 hl=2 l= 3 prim: IA5STRING :com
196:d=3 hl=2 l= 24 cons: SET
198:d=4 hl=2 l= 22 cons: SEQUENCE
200:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
212:d=5 hl=2 l= 8 prim: IA5STRING :dctmlabs
222:d=3 hl=2 l= 25 cons: SET
224:d=4 hl=2 l= 23 cons: SEQUENCE
226:d=5 hl=2 l= 10 prim: OBJECT :domainComponent
238:d=5 hl=2 l= 9 prim: IA5STRING :adldap112
249:d=3 hl=2 l= 17 cons: SET
251:d=4 hl=2 l= 15 cons: SEQUENCE
253:d=5 hl=2 l= 3 prim: OBJECT :commonName
258:d=5 hl=2 l= 8 prim: PRINTABLESTRING :adrootca
268:d=2 hl=4 l= 290 cons: SEQUENCE
272:d=3 hl=2 l= 13 cons: SEQUENCE
274:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
285:d=4 hl=2 l= 0 prim: NULL
287:d=3 hl=4 l= 271 prim: BIT STRING
562:d=2 hl=4 l= 366 cons: cont [ 3 ]
566:d=3 hl=4 l= 362 cons: SEQUENCE
570:d=4 hl=2 l= 11 cons: SEQUENCE
572:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
577:d=5 hl=2 l= 4 prim: OCTET STRING
583:d=4 hl=2 l= 15 cons: SEQUENCE
585:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
590:d=5 hl=2 l= 1 prim: BOOLEAN :255
593:d=5 hl=2 l= 5 prim: OCTET STRING
600:d=4 hl=2 l= 29 cons: SEQUENCE
602:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
607:d=5 hl=2 l= 22 prim: OCTET STRING
631:d=4 hl=4 l= 279 cons: SEQUENCE
635:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
640:d=5 hl=4 l= 270 prim: OCTET STRING
914:d=4 hl=2 l= 16 cons: SEQUENCE
916:d=5 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.1
927:d=5 hl=2 l= 3 prim: OCTET STRING
932:d=1 hl=2 l= 13 cons: SEQUENCE
934:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
945:d=2 hl=2 l= 0 prim: NULL
947:d=1 hl=4 l= 257 prim: BIT STRING
%
% pwd
/home/dmadmin/ldap_certdb
%
% ls -altr
total 12
drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../
-rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem
drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./
%
################################################################
# this is to show that we can connect to MS AD over SSL using
# -CAfile option
################################################################
% openssl s_client -CAfile /home/dmadmin/ldap_certdb/adrootca.pem -connect ldap112.adldap112.dctmlabs.com:636
CONNECTED(00000003)
depth=1 /DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
verify return:1
depth=0 /CN=Ldap112.adldap112.dctmlabs.com
verify return:1
---
Certificate chain
0 s:/CN=Ldap112.adldap112.dctmlabs.com
i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=Ldap112.adldap112.dctmlabs.com
issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 4876 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 241B0000644FB22AA0610F736E0E6F004526943A9F0935F16BDBC9FBB1F07113
Session-ID-ctx:
Master-Key: 8179FE65F974D286ED8550213CD8F2ED382CC62BBC03C1C50173E78CC6A6C322273882477FAE62546BC3145978C1F4DD
Key-Arg : None
Krb5 Principal: None
Start Time: 1314914412
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
%
% pwd
/home/dmadmin/ldap_certdb
%
% ls -altr
total 12
drwx------ 28 dmadmin dmadmin 4096 Sep 1 13:41 ../
-rw-r--r-- 1 dmadmin dmadmin 1692 Sep 1 14:56 adrootca.pem
drwxr-xr-x 2 dmadmin dmadmin 4096 Sep 1 14:56 ./
%
################################################################
# however, using the -CApath option to connect to MS AD over SSL
# results in failure
################################################################
% openssl s_client -CApath /home/dmadmin/ldap_certdb -connect ldap112.adldap112.dctmlabs.com:636
CONNECTED(00000003)
depth=0 /CN=Ldap112.adldap112.dctmlabs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=Ldap112.adldap112.dctmlabs.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=Ldap112.adldap112.dctmlabs.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=Ldap112.adldap112.dctmlabs.com
i:/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=Ldap112.adldap112.dctmlabs.com
issuer=/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=dctmlabs/DC=adldap112/CN=adrootca
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 4876 bytes and written 336 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: BF23000064323B11B2099A50A14680DE060F074784C443841FB5403C7C3D98EA
Session-ID-ctx:
Master-Key: D81EF5A0B204DB8E5DDAED7EF38170920787D13B45245EF7C4CD199A61F44745F72EF7EAFCD8DDFF241843253A64708B
Key-Arg : None
Krb5 Principal: None
Start Time: 1314914477
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
%
%
From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Wednesday, August 31, 2011 7:31 AM
To: Wu, Daisy
Cc: richm@stanfordalumni.org; openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed
On 08/31/2011 08:23 AM, daisy.wu@emc.com wrote:
Thank you Rich.
extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db.
Do you know if there are existing tools (perhaps already bundled with OpenSSL) that I can run to extract the CA certs to .pem files from /path/to/ldap_certdb?
certutil -d /path/to/ldap_certdb -L # list the certs
certutil -d /path/to/ldap_certdb -L -n "name of CA" -a > cacert.pem # extract named CA cert to pem file
Thanks in advance.
Daisy
From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Wednesday, August 31, 2011 6:14 AM
To: Wu, Daisy
Cc: richm@stanfordalumni.org; openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed
On 08/30/2011 11:26 PM, daisy.wu@emc.com wrote:
Thank you so much, Rich, for your reply.
In this call
char *cert_path="/path/to/ldap_certdb";
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",
cert_path, rc, ldap_err2string(rc));
/path/to/ldap_certdb is actually a directory; the files under it look like this:
% ls -altr /path/to/ldap_certdb
total 56
-rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 secmod.db
-rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 key3.db
-rw-r--r-- 1 dmadmin dmadmin 16384 Sep 14 2010 cert7.db
drwx------ 27 dmadmin dmadmin 4096 Aug 30 22:14 ../
drwxr-xr-x 2 dmadmin dmadmin 4096 Aug 30 22:14 ./
%
My simple test program (for testing LDAP SSL connection to AD server) using Mozilla LDAP C-SDK looks something like this (this test program works, connecting to AD over SSL works fine):
Right. The reason it works fine is because mozldap uses moznss for crypto - you are using a build of openldap that uses openssl for crypto. You will need to either rebuild openldap to use moznss for crypto, or extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using the cert/key db.
if (ldapssl_client_init("/path/to/ldap_certdb", NULL ) < 0)
{
perror("ldapssl_client_init");
return 1;
}
ld = ldapssl_init( host, port, 1);
if ( ld == NULL )
{
perror("ldapssl_init");
return 1;
}
if ((rc = ldap_simple_bind_s( ld, bind_dn, bind_password)) != LDAP_SUCCESS)
{
ldap_perror(ld, "ldap_simple_bind_s");
return 1;
}
However, the following equivalent code using OpenLDAP (built with RSA Share Adaptor and RSA MES) does not work. It fails with the error "ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed":
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n",
version, rc, ldap_err2string(rc));
rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",
chaserefs, rc, ldap_err2string(rc));
int debug_flag1 = -1; // LDAP_DEBUG_ANY ;
rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);
printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n",
debug_flag1, rc, ldap_err2string(rc));
char *cert_path="/path/to/ldap_certdb"; // this is directory
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",
cert_path, rc, ldap_err2string(rc));
int reqcert = LDAP_OPT_X_TLS_ALLOW;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n",
reqcert, rc, ldap_err2string(rc));
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
From: Rich Megginson [mailto:rich.megginson@gmail.com]
Sent: Tuesday, August 30, 2011 6:27 PM
To: Wu, Daisy
Cc: openldap-technical@openldap.org; openldap-devel-request@openldap.org
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL failed
On 08/30/2011 07:09 PM, daisy.wu@emc.com wrote:
I am trying to write a simple client test program using OpenLDAP client API to connect to Microsoft Active Directory Server over SSL.
Below is a code snippet. The program fails to connect.
It fails with this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I know there's no problem with the LDAP certificate store /path/to/ldap_certdb, because a simple LDAP client test program written with the Mozilla LDAP C-SDK connects fine to this same AD server over SSL.
I need to know if I am using the correct OpenLDAP client API calls.
Yes, but it looks like you are using OpenLDAP built with openssl, not Mozilla NSS. If your OpenLDAP is provided by some vendor, and you cannot change/rebuild with moznss support, you'll have to export the CA certificate(s) from the /path/to/ldap_certdb and pass them to OpenLDAP with either a single file and LDAP_OPT_X_TLS_CACERTFILE or an openssl style ca cert dir with LDAP_OPT_X_TLS_CACERTDIR.
Any input would be much appreciated.
Thanks.
Source Code:
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n",
version, rc, ldap_err2string(rc));
rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",
chaserefs, rc, ldap_err2string(rc));
int debug_flag1 = -1; // LDAP_DEBUG_ANY ;
rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);
printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n",
debug_flag1, rc, ldap_err2string(rc));
char *cert_path="/path/to/ldap_certdb";
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",
cert_path, rc, ldap_err2string(rc));
int reqcert = LDAP_OPT_X_TLS_ALLOW;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n",
reqcert, rc, ldap_err2string(rc));
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
Here's the program output:
rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success
PID=4781 - Search(2): base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", filter="cn=aduser2*" attr="cn".
slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
From: Wu, Daisy
Sent: Friday, August 26, 2011 4:53 PM
To: openldap-technical@openldap.org; 'openldap-devel-request@openldap.org'
Subject: Need sample OpenLDAP client test program connecting to LDAP server over SSL
Hi, OpenLDAP developers,
Do you have any sample test programs (or code snippets) that use the OpenLDAP client API to connect to an LDAP server over SSL?
Thanks in advance.
Daisy