It certainly seems like it's treating the certs like slapd.conf: read once and remember.

Well done on testing this - someone else asked this a while back (although less technical).

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661

From: <>
To: ctosgh <>
Cc: <>
Sent: Mon Sep 20 18:17:48 2010
Subject: Re:A LDAPS related issue

Seems nobody has run into this issue??


At 2010-09-20 10:02:10, ctosgh <> wrote:
Hi, folks,
I am using the APIs from openldap and recently ran into a problem which upset me.  Following is the framework of the function.
   #include <ldap.h>
   /* the server host in the URI is elided in the original post */
   LDAP *ld = NULL;
   char *uri = "ldaps://";
   int version = LDAP_VERSION3;
   int require_cert = LDAP_OPT_X_TLS_DEMAND;
   /* ld is still NULL here, so these calls set the library-wide TLS defaults */
   ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version);        // using LDAP v3
   ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert); // set LDAP_OPT_X_TLS_REQUIRE_CERT to demand
   ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "/tmp/ldapsCA/");   // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
   ldap_initialize(&ld, uri);
   return 0;
The above function is called in a while loop to authenticate users to an LDAPS server when an authentication request comes up.  This function works fine. BUT after one successful authentication, if I delete the CA certificates of the server's certificate under /tmp/ldapsCA/, subsequent authentications will STILL succeed. If I restart this daemon, no authentication will succeed, because the CA certificates under /tmp/ldapsCA/ have been deleted.
Why do I delete the CA certificates under /tmp/ldapsCA/? I just want to simulate a "certificate change".
Is the openssl library caching something??
Does anyone have any ideas about this? I would really appreciate it.



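The behaviour described in the thread comes down to where the CA material lives: the LDAP_OPT_X_TLS_* options set through a NULL handle are library-wide defaults, and libldap builds its TLS context (and the trust store inside it) once, on first use, then reuses that context for every later connection in the process. Deleting files from the CACERTDIR afterwards changes nothing until a new context is created, which is what a restart does (current libldap also exposes LDAP_OPT_X_TLS_NEWCTX, documented in ldap_get_option(3), to force a new context without restarting). The following is an added example, written for this page and not code from the thread or from OpenLDAP, that models that lifecycle in Go: it mints a throwaway CA and server certificate, loads the CA directory into an in-memory store once, deletes the CA file, and shows that the cached store still trusts the server while a rebuilt store does not. Chain verification with crypto/x509 stands in for the TLS handshake, and the host name ldap.example.test and the temporary directory are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Hypothetical LDAPS host name (an assumption; the original post elides the host).
const serverName = "ldap.example.test"

// must aborts the demo on an unexpected setup error.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn: a self-signed CA when parent == nil,
// otherwise a server certificate signed by parent/parentKey.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf for the LDAPS server
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// LoadCACertDir models the TLS context's one-time read of LDAP_OPT_X_TLS_CACERTDIR:
// every PEM file in dir is parsed into an in-memory trust store, and the
// directory is not consulted again for the lifetime of that store.
func LoadCACertDir(dir string) *x509.CertPool {
	pool := x509.NewCertPool()
	entries, err := os.ReadDir(dir)
	must(err)
	for _, e := range entries {
		b, err := os.ReadFile(filepath.Join(dir, e.Name()))
		must(err)
		pool.AppendCertsFromPEM(b)
	}
	return pool
}

// Authenticate stands in for one LDAPS connection: the server certificate is
// verified against the trust store held by the long-lived context.
func Authenticate(ctx *x509.CertPool, server *x509.Certificate) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: ctx, DNSName: serverName})
	return err
}

// Scenario replays the post: authenticate, delete the CA file, authenticate again
// through the same context, then through a rebuilt one. It reports whether the
// second (cached context) and third (rebuilt context) attempts succeed.
func Scenario() (cachedOK, rebuiltOK bool) {
	dir, err := os.MkdirTemp("", "ldapsCA")
	must(err)
	defer os.RemoveAll(dir)
	ca, caKey := issue("Example Test CA", 1, nil, nil)
	server, _ := issue(serverName, 2, ca, caKey)
	caPath := filepath.Join(dir, "ca.pem")
	must(os.WriteFile(caPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), 0o600))

	ctx := LoadCACertDir(dir)       // daemon start: the context is built once
	must(Authenticate(ctx, server)) // first authentication, CA file present
	must(os.Remove(caPath))         // the simulated "certificate change"
	cachedOK = Authenticate(ctx, server) == nil // same context: the CA is still in memory
	fresh := LoadCACertDir(dir)                 // restart, or LDAP_OPT_X_TLS_NEWCTX
	rebuiltOK = Authenticate(fresh, server) == nil
	return cachedOK, rebuiltOK
}

func main() {
	cachedOK, rebuiltOK := Scenario()
	fmt.Printf("after deleting the CA file: cached context trusts server=%v, rebuilt context=%v\n", cachedOK, rebuiltOK)
}
```

The practical consequence for a daemon that loops over ldap_initialize with global TLS options, as in the post, is that rotating or revoking a CA on disk is invisible to it: only a restart, or explicitly requesting a new context after changing the CA options, makes the library read the directory again.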