7:02 p.m.
Hi, folks
I am using the APIs from openldap and recently run into a problem which upset me.
Following is the framework of the function.
ldaps_func()
{
LDAP* ld = NULL;
char * uri ="ldaps://xxx.xxx.xxx:636";
.....
ldap_set_option(...); //using LDAP v3
ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to deman
ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
ldap_initialize(&ld, uri);
.....
ldap_simple_bind(.....);
ldap_search_ext(...);
......
ldap_unbind(ld);
.....
return 0;
}
Above function is called in a while loop to authenticate users to a LDAPS server when
authentication request comes up. This function works fine. BUT after one successful
authentication, if I delete CA certificates of server's certificate under
/tmp/ldapsCA/, subsequent authentications will STILL succeed. If restart this daemon, no
authentication will succeed, because CA certificates under /tmp/ldapsCA/ has been
deleted.
Why I delete CA certificates under /tmp/ldapsCA/? I just want to simulate
"certificate change".
Is the openssl library cache someting??
Any one has any ideas about this? I will really appreciate it.
Thanks,
Jacky
6:17 p.m.
Seems nobody run into this issue??
At 2010-09-20 10:02:10,ctosgh <ctosgh(a)126.com> wrote:
Hi, folks
I am using the APIs from openldap and recently run into a problem which upset me.
Following is the framework of the function.
ldaps_func()
{
LDAP* ld = NULL;
char * uri ="ldaps://xxx.xxx.xxx:636";
.....
ldap_set_option(...); //using LDAP v3
ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to deman
ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
ldap_initialize(&ld, uri);
.....
ldap_simple_bind(.....);
ldap_search_ext(...);
......
ldap_unbind(ld);
.....
return 0;
}
Above function is called in a while loop to authenticate users to a LDAPS server when
authentication request comes up. This function works fine. BUT after one successful
authentication, if I delete CA certificates of server's certificate under
/tmp/ldapsCA/, subsequent authentications will STILL succeed. If restart this daemon, no
authentication will succeed, because CA certificates under /tmp/ldapsCA/ has been
deleted.
Why I delete CA certificates under /tmp/ldapsCA/? I just want to simulate
"certificate change".
Is the openssl library cache someting??
Any one has any ideas about this? I will really appreciate it.
Thanks,
Jacky
全国最低价,天天在家冲照片,24小时发货上门!
6:36 p.m.
It certainly like it's treating the certs like slapd.conf: read once and remember.
Well done on testing this - someone else asked this a while back (although less
technical).
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs(a)apollogrp.edu
________________________________
From: openldap-technical-bounces(a)OpenLDAP.org
<openldap-technical-bounces(a)OpenLDAP.org>
To: ctosgh <ctosgh(a)126.com>
Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Mon Sep 20 18:17:48 2010
Subject: Re:A LDAPS related issue
Seems nobody run into this issue??
At 2010-09-20 10:02:10,ctosgh <ctosgh(a)126.com> wrote:
Hi, folks
I am using the APIs from openldap and recently run into a problem which upset me.
Following is the framework of the function.
ldaps_func()
{
LDAP* ld = NULL;
char * uri =" ldaps://xxx.xxx.xxx:636<ldaps://xxx.xxx.xxx:636/>";
.....
ldap_set_option(...); //using LDAP v3
ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to deman
ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
ldap_initialize(&ld, uri);
.....
ldap_simple_bind(.....);
ldap_search_ext(...);
......
ldap_unbind(ld);
.....
return 0;
}
Above function is called in a while loop to authenticate users to a LDAPS server when
authentication request comes up. This function works fine. BUT after one successful
authentication, if I delete CA certificates of server's certificate under
/tmp/ldapsCA/, subsequent authentications will STILL succeed. If restart this daemon, no
authentication will succeed, because CA certificates under /tmp/ldapsCA/ has been
deleted.
Why I delete CA certificates under /tmp/ldapsCA/? I just want to simulate
"certificate change".
Is the openssl library cache someting??
Any one has any ideas about this? I will really appreciate it.
Thanks,
Jacky
________________________________
全国最低价,天天在家冲照片,24小时发货上门!<http://yxp.163.com/photo/ep.html?sss=fromyx091...
________________________________
全国最低价,天天在家冲照片,24小时发货上门!<http://yxp.163.com/photo/ep.html?sss=fromyx091...
________________________________
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
12:33 a.m.
On Tuesday 21 September 2010 03:17:48 ctosgh wrote:
Seems nobody run into this issue??
At 2010-09-20 10:02:10,ctosgh <ctosgh(a)126.com> wrote:
Hi, folks
I am using the APIs from openldap and recently run into a problem
which upset me. Following is the framework of the function.
ldaps_func()
{
LDAP* ld = NULL;
char * uri ="ldaps://xxx.xxx.xxx:636";
.....
ldap_set_option(...); //using LDAP v3
ldap_set_option(...); // set LDAP_OPT_X_TLS_REQUIRE_CERT to deman
ldap_set_option(...); // set LDAP_OPT_X_TLS_CACERTDIR to/tmp/ldapsCA/
If you
really want the TLS context recreated with each iteration I
think you can just call:
ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
after the above calls.
ldap_initialize(&ld, uri);
.....
ldap_simple_bind(.....);
ldap_search_ext(...);
......
ldap_unbind(ld);
.....
return 0;
}
Above function is called in a while loop to authenticate users to a
LDAPS server when authentication request comes up. This function
works fine. BUT after one successful authentication, if I delete CA
certificates of server's certificate under /tmp/ldapsCA/, subsequent
authentications will STILL succeed. If restart this daemon, no
authentication will succeed, because CA certificates under
/tmp/ldapsCA/ has been deleted. Why I delete CA certificates under
/tmp/ldapsCA/? I just want to simulate "certificate change". Is the
openssl library cache someting??
Any one has any ideas about this? I will really appreciate it.
Ralf
10:05 a.m.
Ralf Haferkamp wrote:
If you really want the TLS context recreated with each iteration I
think you can just call:
ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
after the above calls.
Ralf, does that really work? I did not manage to get
this working from python-ldap...
Ciao, Michael.
12:52 a.m.
On Wednesday 22 September 2010 19:05:58 Michael Ströder wrote:
Ralf Haferkamp wrote:
> If you really want the TLS context recreated with each iteration I
> think you can just call:
> ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
> after the above calls.
Ralf, does that really work? I did not manage to get
this working from python-ldap...
Last time I checked it did. That was some month
ago. But looking at the
libldap code it might be that LDAP_OPT_ON is probably the wrong value to
pass to it. It seems you need to pass a pointer to an integer. That
integer value is passed as the is_server argument to the functions that
actually initialize the context. So I guess in client code you'd pass a
int pointer to 0.
regards,
Ralf
1:08 a.m.
Ralf,
thanks for your followup on this.
Ralf Haferkamp wrote:
On Wednesday 22 September 2010 19:05:58 Michael Ströder wrote:
> Ralf Haferkamp wrote:
>> If you really want the TLS context recreated with each iteration I
>> think you can just call:
>> ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
>> after the above calls.
>
> Ralf, does that really work? I did not manage to get
> this working from python-ldap...
Last time I checked it did. That was some month ago. But looking at the
libldap code it might be that LDAP_OPT_ON is probably the wrong value to
pass to it. It seems you need to pass a pointer to an integer. That
integer value is passed as the is_server argument to the functions that
actually initialize the context. So I guess in client code you'd pass a
int pointer to 0.
The relevant code excerpts from python-ldap/Modules/options.c are:
[..]
/* integer value options */
if (!PyArg_Parse(value, "i:set_option", &intval))
return 0;
ptr = &intval;
break;
[..]
if (res != LDAP_OPT_SUCCESS) {
option_error(res, "ldap_set_option");
return 0;
}
[..]
That looks like your description. But I'd have to use 0 as the option value?
See complete source here:
http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Mod...
Ciao, Michael.
4:34 a.m.
Am Freitag 24 September 2010, 10:08:32 schrieb Michael Ströder:
Ralf,
thanks for your followup on this.
Ralf Haferkamp wrote:
> On Wednesday 22 September 2010 19:05:58 Michael Ströder wrote:
>> Ralf Haferkamp wrote:
>>> If you really want the TLS context recreated with each iteration I
>>> think you can just call:
>>> ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
>>> after the above calls.
>>
>> Ralf, does that really work? I did not manage to get
>> this working from python-ldap...
>
> Last time I checked it did. That was some month ago. But looking at
> the libldap code it might be that LDAP_OPT_ON is probably the wrong
> value to pass to it. It seems you need to pass a pointer to an
> integer. That integer value is passed as the is_server argument to
> the functions that actually initialize the context. So I guess in
> client code you'd pass a int pointer to 0.
The relevant code excerpts from python-ldap/Modules/options.c are:
[..]
/* integer value options */
if (!PyArg_Parse(value, "i:set_option", &intval))
return 0;
ptr = &intval;
break;
[..]
if (res != LDAP_OPT_SUCCESS) {
option_error(res, "ldap_set_option");
return 0;
}
[..]
That looks like your description. But I'd have to use 0 as the option
value?
I think so. I am not exactly sure what your code does. My knowledge about
Python C bindings is very limited. In plain C you would do this:
int value=0;
[..]
ldap_set_option(ldap, LDAP_OPT_X_TLS_NEWCTX, &value);
to create a new TLS context for a client. For a server context you'd use
any non-zero value. BTW, this is also documented in the
ldap_set_option(3) manpage (surprisingly :)).
regards,
Ralf
2:06 a.m.
Hi, Ralf
Great thanks to you. It works fine~
Thanks,
Jacky
At 2010-09-23 01:05:58,"Michael Ströder" <michael(a)stroeder.com> wrote:
Ralf Haferkamp wrote:
> If you really want the TLS context recreated with each iteration I
> think you can just call:
> ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
> after the above calls.
Ralf, does that really work? I did not manage to get
this working from python-ldap...
Ciao, Michael.
4142
days inactive
4147
days old
openldap-technical@openldap.org
8 comments
4 participants
participants (4)
-
Chris Jacobs -
ctosgh -
Michael Ströder -
Ralf Haferkamp