Hi, I am trying to write my own client which connects to an Active Directory and searches for a user. So far it works: I call "ldap_initialize", set version 3, "ldap_simple_bind_s" and then search the directory. Now I want the connection to be secure by executing a "Simple TLS handshake". I changed my hostname variable to "ldaps://ip:636" and tried "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "can't contact LDAP server" error.
When using ldaps:// libldap will perform the TLS handshake automatically before sending the first LDAP request to the server. So calling ldap_start_tls_s() on an ldaps:// connection is wrong and results in the above error. ldap_start_tls_s is for initiating the TLS handshake on a "normal" ldap:// connection.

See http://www.openldap.org/faq/data/cache/605.html for details.
I think my Active Directory is configured the right way because with JXplorer it works over SSL and port 636.

Does anyone know which functions I have to call so a successful TLS connection will be set up?
If you really want to use ldaps:// then specifying the ldaps:// URI in ldap_initialize should be enough. Otherwise use an "ldap://" URI + ldap_start_tls_s.

Ralf
Hi, thank you, that's some good advice. So I will try now with "ldap://..." and ldap_start_tls_s. Unfortunately now I get the error "Connect error" from ldap_start_tls_s. I set the option "LDAP_OPT_X_TLS_ALLOW" but that changes nothing. Since I am using my own client I don't have any ldaprc or ldap.conf files... maybe I have to set some options in my client to tell it to use the simple TLS handshake?

Wireshark shows me that the client sends an "extendedReq(1) LDAP_START_TLS_OID" packet to which the server answers. Then the "Client Hello" and "Server Hello" with the server's certificate appear. After that the client sends an "Alert (Level: Fatal, Description: Unknown CA)" packet. Shortly after that the server resets the connection. I enabled debugging with the option "LDAP_OPT_DEBUG_LEVEL" and now I see a message that the client is expecting a local issuer certificate which it can't find. Is there a way to tell the client that it won't get its own certificate?

Regards Martin