LDAP authentication was working fine when I had a single CA certificate on my client machine. I was using
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_cacert_file)
to set the path of the CA certificate. Now there are multiple CA certificates in my certificate hosting path. I tried reading all the files and then assigning the first one using the set option above; if it fails, I perform ldap_unbind and then create a fresh
request and set all the options before calling "ldap_start_tls_s". So the steps are:
1. ld = ldap_init()
2. ldap_set_option for a number of options including LDAP_OPT_X_TLS_CACERTFILE, which points to the first file in the directory containing multiple CA certificates
3. ldap_start_tls_s(ld, NULL, NULL)
4. If step 3 is successful, continue with normal operation
5. If step 3 fails, ldap_unbind(ld) and start from step 1 again, except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input.
Is there anything wrong in this? Is there any better approach for this?
Thanks, Sachin
On Wed, 10 Aug 2011, sachin mishra wrote:
> - If step 3 fails, ldap_unbind(ld), start from step 1 again except that LDAP_OPT_X_TLS_CACERTFILE will now have the next entry in the directory as input.
> Is there anything wrong in this? Is there any better approach for this?
In most widely used applications, you'd probably be better off NOT handling TLS configuration, and just referring the user to appropriate ldap.conf(5)-syntax files and/or environment variables. Users tend to have personalized (and varying) security postures, and I'm a believer in the classic "give them rope" philosophy.
Now, maybe you expose some sort of nice interface to the ldap.conf(5) options, or perhaps you have an internal application and you really do want to (partially?) hard code the TLS configuration. In that case, I'd recommend you try using LDAP_OPT_X_TLS_CACERTDIR instead, and let the crypto library handle building the whole CA structure and the verification. This option is documented under ldap_set_option(3).
Obviously the method you write will (eventually) work, but it comes with needless cost and complexity.
(Please also note that this could be combined: you could remove your CA handling code, and still set a TLS_CACERTDIR in ldap.conf(5).)
openldap-technical@openldap.org