Hi Howard,
You proposed to set option for certificate file and key file before connection is
established. I already did this. Issue that I found is "some" mismatch between
global structure (initiated in ldap_initialize function, or, precisely it is getopts found
in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is
member of LDAP (precisely, ld_options is member of ldap_common, which is the member of
ldap structure).
So, ld_options will contain all data that are set by set_options function. Unfortunately,
deep in the call stack:
tlso_init() Line 148 C
tls_init(tls_impl * impl=0x08bfe650) Line 168 C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc *
srv=0x0b935c08) Line 829 C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc
* srv=0x0b935c08, int async=0) Line 448 C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int
use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line
487 C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char *
dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char *
mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000,
ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line
when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT()
which does not contain values set by set_option.
Any clue here?
Please consider the environment before printing this email
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic(a)pstech.rs>;
openldap-technical(a)openldap.org
Subject: Re: simple question
Aleksandar Karalejić wrote:
Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send client
certificate to the server openldap server (by using openldap api and openSSL).
For completing this job, first I initalized ldap with url containing
ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).
You must set all of the TLS options before contacting the remote server. In particular,
you must set your certificate file and key file in advance.
I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
LDAP_OPT_X_TLS_PROTOCOL_MIN ->
LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
LDAP_OPT_X_TLS_REQUIRE_CERT ->
LDAP_OPT_X_TLS_DEMAND
This is already the default.
LDAP_OPT_X_TLS_CONNECT_ARG ->
fqdn_of_ldap_server
This is unnecessary, the server name will be parsed from the URL.
LDAP_OPT_X_TLS_CONNECT_CB ->
my_tsl_verify_callback
and then I called ldap_sasl_bind:
ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that certficate from the server was received, but how to
send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE
(sending the abs path to the .pem file) but nothing. Also, I saw that
this parameter was not taken into account - it looks like ssl_ctx
object used for ssl_connect does not include path to the file (like
two global structures used for setting up ctx know nothing about each
other.)
Can you, help me with this?
Regards,
Aleksandar
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/