Hello all, I have written a sample code to connect to an LDAP server via SSL running on port 10389 (ldap) & 10636 (ldaps). But the sample application fails to set the options for the SSL connection. I do not want to verify the certificate correctness at this moment. Can someone help fix this sample code?
#include <stdio.h>
#define LDAP_DEPRECATED 1
#include <ldap.h>

#define BIND_DN "dc=example,dc=com"
#define BIND_PW "secret"

int main(void)
{
    LDAP *ld;
    int rc;
    int reqcert = LDAP_OPT_X_TLS_NEVER;   /* skip server certificate verification (intentional for this test) */
    int version = LDAP_VERSION3;

    /* ldap_initialize() returns an LDAP result code, not errno, so report it with ldap_err2string() */
    rc = ldap_initialize(&ld, "ldap://192.168.1.51:10389");
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(rc));
        return 1;
    }

    rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (rc != LDAP_OPT_SUCCESS) {
        printf("Setting LDAP_OPT_PROTOCOL_VERSION failed: %s\n", ldap_err2string(rc));
    }

    rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
    if (rc != LDAP_OPT_SUCCESS) {
        printf("Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: %s\n", ldap_err2string(rc));
    }

    /* upgrade the plain ldap:// connection to TLS before any credentials are sent */
    rc = ldap_start_tls_s(ld, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        printf("ldap_start_tls failed: %s\n", ldap_err2string(rc));
        ldap_unbind(ld);
        return 1;   /* do not fall through and send the password in the clear */
    }

    rc = ldap_bind_s(ld, BIND_DN, BIND_PW, LDAP_AUTH_SIMPLE);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc));
        ldap_unbind(ld);
        return 1;
    }

    ldap_unbind(ld);
    return 0;
}
The program always fails with:

    Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: Can't contact LDAP server
    ldap_start_tls failed: Not Supported
The server does support ldaps and ldap+tls. Can someone please help?

-- Ashwin kumar (http://ashwinkumar.me)
Can someone help me with this issue?
Ashwin kumar (http://ashwinkumar.me)

On 8 Jun 2013 07:50, "Ashwin Kumar" <ashwinkumark10@gmail.com> wrote:
...
On 06/08/13 07:50 +0530, Ashwin Kumar wrote:
...
Can you connect to the server using any of the OpenLDAP client utilities (e.g. ldapwhoami) using -Z? start_tls cannot be executed against an ldaps:// URI, to my knowledge.
What options are you starting your server with, assuming that it's an OpenLDAP server?
On Mon, Jun 10, 2013 at 7:18 PM, Dan White <dwhite@olp.net> wrote:
Can you connect to the server using any of the OpenLDAP client utilities (e.g. ldapwhoami) using -Z? start_tls cannot be executed against an ldaps:// URI, to my knowledge.
Yes, I am able to use ldapsearch and ldapadd. It works fine.
I am not trying to execute start_tls on ldaps://. I know they work entirely different.
On a non-encrypted port I am trying to set up encryption by calling start_tls, but it does not work. The library is compiled with the --with-tls option.
The server supports both encryption (ldaps:// and ldap://+tls) and no encryption.
-- Ashwin kumar (http://ashwinkumar.me)
On Mon, 10 Jun 2013, Dan White wrote:
On 06/08/13 07:50 +0530, Ashwin Kumar wrote:
...
rc = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); if(rc != LDAP_OPT_SUCCESS){ printf("Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: %s\n",ldap_err2string(rc));
If ldap_set_option() returns LDAP_OPT_ERROR then you shouldn't call ldap_err2string(): the latter can't give a correct error string for that case because (currently) LDAP_OPT_ERROR == LDAP_SERVER_DOWN. Indeed, as you saw:
The program always fails with: *Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: Can't contact LDAP server*
That means ldap_set_option() is returning LDAP_OPT_ERROR.
My *guess* is that you're using libldap from an old version of OpenLDAP, like 2.3.x, as those versions only supported LDAP_OPT_X_TLS_REQUIRE_CERT as a global option and not as a per-handle option.

If that's the case, you should obviously upgrade. If you can't upgrade Right Now, then put it on your roadmap for Real Soon Dang It and try changing this:

    rc = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

to this:

    rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
And note, this is *exactly* why you should always say what version you're using!
Philip Guenther
Thanks for the reply. I am using OpenLDAP 2.4.35.
-- Ashwin kumar (http://ashwinkumar.me)
On Mon, Jun 10, 2013 at 9:42 PM, Philip Guenther <guenther+ldaptech@sendmail.com> wrote:
...
openldap-technical@openldap.org