Hi Howard,
You proposed to set option for certificate file and key file before connection is established. I already did this. Issue that I found is "some" mismatch between global structure (initiated in ldap_initialize function, or, precisely it is getopts found in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is member of LDAP (precisely, ld_options is member of ldap_common, which is the member of ldap structure). So, ld_options will contain all data that are set by set_options function. Unfortunately, deep in the call stack:
tlso_init() Line 148 C tls_init(tls_impl * impl=0x08bfe650) Line 168 C ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829 C ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448 C ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487 C ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line
when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT() which does not contain values set by set_option. Any clue here?
Please consider the environment before printing this email -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Monday, January 25, 2016 3:45 PM To: Aleksandar Karalejić aleksandar.karalejic@pstech.rs; openldap-technical@openldap.org Subject: Re: simple question
Aleksandar Karalejić wrote:
Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send client certificate to the server openldap server (by using openldap api and openSSL).
For completing this job, first I initalized ldap with url containing ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).
You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance.
I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND
This is already the default.
LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server
This is unnecessary, the server name will be parsed from the URL.
LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback
and then I called ldap_sasl_bind:
ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that certficate from the server was received, but how to send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE (sending the abs path to the .pem file) but nothing. Also, I saw that this parameter was not taken into account - it looks like ssl_ctx object used for ssl_connect does not include path to the file (like two global structures used for setting up ctx know nothing about each other.)
Can you, help me with this?
Regards,
Aleksandar