Hello All,
Today I came across a strange problem.
I wrote a program to test an LDAP SSL/TLS connection with the OpenLDAP library. The code looks something like the following snippet:
    int ret = LDAP_OPT_SUCCESS;
    int cert_flag = LDAP_OPT_X_TLS_NEVER;   /* first bind: do not verify the server certificate */
    ...
    /* ld == NULL sets the library-wide (global) option */
    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
    if (ret != LDAP_OPT_SUCCESS)
    {
        fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
                ldap_err2string(ret));
    }
    ... /* bind to the server */

    cert_flag = LDAP_OPT_X_TLS_DEMAND;      /* second bind: require a valid server certificate */
    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
    if (ret != LDAP_OPT_SUCCESS)
    {
        fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
                ldap_err2string(ret));
    }
    ... /* bind to the server */
The first bind succeeds, as expected. However, the second bind also succeeds, which is contrary to my expectation, because I haven't created any cert file yet.

Another observation is that if the first bind with LDAP_OPT_X_TLS_NEVER is removed, and the second bind with LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it fails, as expected.

So it seems the first value set for the option LDAP_OPT_X_TLS_REQUIRE_CERT overrides the later values, doesn't it? Is it possible to change this option's value on the fly (meaning different binds use different values for this cert option)?
Thanks,
Qiang