On 11/16/12 09:45 +0100, Martin.Heinzmann@belden.com wrote:
Now I want the connection to be secure by executing a "simple TLS handshake". I changed my hostname variable to "ldaps://ip:636" and tried "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "can't contact LDAP server" error. I think my Active Directory is configured the right way because with JXplorer it works over SSL and port 636.
'ldaps://ip:636' or 'ldap://ip' with start_tls is almost certainly wrong. You should be using 'ldap[s]://hostname'.
On 11/19/12 11:18 +0100, Martin.Heinzmann@belden.com wrote:
Thank you, that's some good advice. So I will try now with "ldap://..." and ldap_start_tls_s. Unfortunately now I get the error "Connect error" from ldap_start_tls_s.
I set the option "LDAP_OPT_X_TLS_ALLOW" but that changes nothing. Since I am using my own client I don't have any ldaprc or ldap.conf files... maybe I have to set some options in my client to tell it to use a simple TLS handshake?
See ldap.conf(5). If creating an ldaprc or ldap.conf is not appropriate, you could use environment variables instead.
Wireshark shows me that the client sends an "extendedReq(1) LDAP_START_TLS_OID" packet to which the server answers. Then the "Client Hello" and "Server Hello" with the server's certificate appear. After that the client sends an "Alert (Level: Fatal, Description: Unknown CA)" packet. Shortly after that the server resets the connection.
I enabled debugging with the option "LDAP_OPT_DEBUG_LEVEL" and now I see a message that the client is expecting a local issuer certificate which it can't find. Is there a way to tell the client that it won't get a certificate of its own?
The client must trust the certificate, or the issuer (signer) of the certificate. Configure TLS_CACERT/TLS_CACERTDIR.
On 11/19/12 11:53 +0100, Martin.Heinzmann@belden.com wrote:
Little update... I managed to get it to work :-)
It looks like it was the option "LDAP_OPT_X_TLS_ALLOW" I have to set. Unfortunately I did it in the wrong position in my code. Now this option is the first thing I do, even prior to initialization.
Nevertheless "ldap_start_tls_s" returns 3 errors: 1. unable to get local issuer certificate, 2. certificate not trusted, 3. unable to verify the first certificate. I think the 2nd and 3rd appear because the server uses a self-signed certificate?
These are probably errors generated by the SSL library you have compiled libldap against. Searching for them on Google should get some useful hits.
You might find some useful information within an overview of TLS, such as Wikipedia.
One question I still have on my mind. I am only able to compile my client by including the library "sasl2" although I am not using "ldap_sasl_bind" or anything like that. Is it possible to expel sasl from my program or do I have to use that library?
Could you expound on this? What error are you getting? Did you do a '--with-cyrus-sasl=no' when compiling your libldap libraries?
Dan White
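The advice above (configure TLS_CACERT/TLS_CACERTDIR, use a hostname rather than an IP literal) is the part of this thread that matters for security: LDAP_OPT_X_TLS_ALLOW, and its ldap.conf spelling TLS_REQCERT allow, makes ldap_start_tls_s succeed by ignoring a certificate that failed verification, so the three OpenSSL errors quoted above are logged and then disregarded, and whatever answers on port 389 receives the simple-bind password. The following ldaprc/ldap.conf fragment (see ldap.conf(5)) is an added example, not from the thread or from OpenLDAP's own files; the CA file path and the hostname are assumptions, and the weak setting is shown commented out beside the corrected one.

```conf
# Constructed example for ldaprc / ldap.conf; paths and hostname are assumptions.

# WEAK (what LDAP_OPT_X_TLS_ALLOW / TLS_REQCERT allow amounts to): the server
# certificate is requested, but a missing or unverifiable certificate is
# ignored and the session proceeds. Any host that answers on the port can
# impersonate the domain controller and collect the bind credentials.
#TLS_REQCERT   allow

# CORRECTED: require a certificate and verify it against the issuing CA.
# Export the AD CA certificate (or, for a self-signed server, that server's
# certificate) in PEM form and point TLS_CACERT at it. A directory of
# c_rehash'd certificates can be given with TLS_CACERTDIR instead.
TLS_CACERT    /etc/ssl/certs/corp-ad-ca.pem
TLS_REQCERT   demand

# Use the hostname that appears in the certificate's subject/SAN, not an IP
# literal, so the name check in the TLS library passes.
URI           ldap://dc1.example.com
```

For a client that does not read ldaprc, the same two settings are available programmatically through ldap_set_option() with LDAP_OPT_X_TLS_CACERTFILE (or LDAP_OPT_X_TLS_CACERTDIR) and LDAP_OPT_X_TLS_REQUIRE_CERT set to LDAP_OPT_X_TLS_DEMAND, applied before ldap_start_tls_s(), or through the LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables that ldap.conf(5) documents. With verification in place the client still needs the CA file present; the error to expect if it is missing is the same "unable to get local issuer certificate", but the handshake is now refused rather than waved through.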
'--with-cyrus-sasl=no' did it, thanks. I thought I did the configure with '--with-cyrus-sasl=no' once last week and it did not work then (I still had to include sasl). Looks like I did something wrong then. Now everything works fine :-) Thank you all a lot for the help.
Regards
Martin

DISCLAIMER:
Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company.
Thank You.
openldap-technical@openldap.org