Thanks for your reply, Hallvard.
On Tue, Feb 28, 2012 at 6:23 PM, Hallvard B Furuseth < h.b.furuseth@usit.uio.no> wrote:
Possibly the answer lies in the code you did not show: Create an LDAP* (with which url/host?), connect, bind, unbind.
The complete code is quite long. But the essential parts are here. After these options are set, it goes with "ldap_start_tls_s(ldapHandle, NULL, NULL)" and "ldap_sasl_bind(ldapHandle, username, LDAP_SASL_SIMPLE, &password_ber, NULL, NULL, &msgid)". And if all is well with bind and search, then an unbind follows.
Do you use the same LDAP* connection for both "bindings"?
Its options are set when it is initialized. Try to unbind and then create a new LDAP*.
It is guaranteed that every bind is paired with an unbind operation. No doubt about that. Furthermore, these cert options are said to be global, having nothing to do with any specific ldap handle.
Just did some additional tests:
require_cert = LDAP_OPT_X_TLS_NEVER; printf("%s(), %d: require_cert is %d\n", __func__, __LINE__, require_cert); rc2 = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert); ERR_IF ( rc2 != LDAP_OPT_SUCCESS );
require_cert = LDAP_OPT_X_TLS_DEMAND; printf("%s(), %d: require_cert is %d\n", __func__, __LINE__, require_cert); rc2 = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert); ERR_IF ( rc2 != LDAP_OPT_SUCCESS );
...... // binding follows here
This time, the binding fails as expected (because I haven't created any cert file yet). So it looks the initial setting of this cert option doesn't let the later setting of the same option skipped. But why the second binding can succeed using LDAP_OPT_X_TLS_DEMAND after a successful binding using LDAP_OPT_X_TLS_NEVER?
Very confused here...
Looking forward to more suggestions, Qiang