Hello,
I have configured LDAP server on linux
with TLS support and was able to fetch data from it using the ldapsearch
utility.
However, when i tried to do this searching
via code i got following errors:
Error at Server Side:
slap_listener_activate(10):
>>> slap_listener(ldaps://)
connection_get(15): got connid=47
connection_read(15): checking for input
on id=47
TLS trace: SSL_accept:before/accept
initialization
TLS trace: SSL_accept:SSLv3 read client
hello A
TLS trace: SSL_accept:SSLv3 write server
hello A
TLS trace: SSL_accept:SSLv3 write certificate
A
TLS trace: SSL_accept:SSLv3 write certificate
request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3
read client certificate A
TLS trace: SSL_accept:error in SSLv3
read client certificate A
connection_get(15): got connid=47
connection_read(15): checking for input
on id=47
TLS trace: SSL3 alert read:fatal:unknown
CA
TLS trace: SSL_accept:failed in SSLv3
read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca s3_pkt.c:1053
connection_read(15): TLS accept failure
error=-1 id=47, closing
connection_closing: readying conn=47
sd=15 for close
connection_close: conn=47 sd=15
Error at Client side:
[root@localhost LDAP1]# ./ldapSearch
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost.localdomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1
async: 0
TLS trace: SSL_connect:before/connect
initialization
TLS trace: SSL_connect:SSLv2/v3 write
client hello A
TLS trace: SSL_connect:SSLv3 read server
hello A
TLS certificate verification: depth:
1, err: 19, subject: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad@tcs.com,
issuer: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad@tcs.com
TLS certificate verification: Error,
self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown
CA
TLS trace: SSL_connect:error in SSLv3
read server certificate B
TLS trace: SSL_connect:error in SSLv3
read server certificate B
TLS: can't connect.
ldap_err2string
Error in ldap_start_tls_s -1:Can't
contact LDAP serverTest..1
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
Test..2: -1
ldap_err2string
Failure of LDAP bind -1-Can't contact
LDAP server
[root@localhost LDAP1]#
Snippet of client code for TLS support
used by Me:
ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
&version );
ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
"/root/cacert.pem");
ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
"/usr/local/etc/openldap/ldap.client.pem");
ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
"/usr/local/etc/openldap/ldap.client.key.pem");
ldap_set_option(ld, LDAP_OPT_REFERRALS
, LDAP_OPT_ON);
val = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option (ld, LDAP_OPT_X_TLS,
&val);
status = ldap_start_tls_s(ld,
NULL, NULL);
Please let me know as to what is missing
in my code that is triggering the above errors.
Also if there are any sample TLS client
code, please let me know where can i get it.
Thanks,
Dhiraj Kumar Prasad
Tata Consultancy Services
Mailto: dhiraj.prasad@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Outsourcing
____________________________________________=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you