Divyanshi Chauhan divyachauhan01.dc@gmail.com 1:33 PM (3 hours ago) to openldap-technical-owner, openldap-devel-owner, openldap-bugs-owner
Hello,
I have an ldaps client code which connects to the ldap server securely and does authentication.
I have set the global option for ca cert directory. int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, const_cast<char*>("path")); Correct certificate is present in the path and hence connection to the ldap server and authentication is successful in first attempt.
Now, as per one of the requirements, the certificate is removed from the above client directory and authentication is attempted, we want it to fail as the certificate is deleted from the directory. But still the bind to ldap server and authentication is happening successfully. It should ideally fail as per my understanding.
I did try removing the certificate from memory using following option: char * crt; ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt); ldap_memfree(crt); I am not sure if the above way is correct or not, please advise.
I also did try forcing to look for ca certificate using following option: int reqcert = LDAP_OPT_X_TLS_HARD; ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); But this also did not help.
Please suggest how a certificate, which is once loaded can be deleted from the openldap cache. Also please advise if I am doing something wrong in the above approach.
divyachauhan01.dc@gmail.com wrote:
Divyanshi Chauhan divyachauhan01.dc@gmail.com 1:33 PM (3 hours ago) to openldap-technical-owner, openldap-devel-owner, openldap-bugs-owner
Hello,
I have an ldaps client code which connects to the ldap server securely and does authentication.
I have set the global option for ca cert directory. int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, const_cast<char*>("path")); Correct certificate is present in the path and hence connection to the ldap server and authentication is successful in first attempt.
Now, as per one of the requirements, the certificate is removed from the above client directory and authentication is attempted, we want it to fail as the certificate is deleted from the directory. But still the bind to ldap server and authentication is happening successfully. It should ideally fail as per my understanding.
I did try removing the certificate from memory using following option: char * crt; ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt); ldap_memfree(crt); I am not sure if the above way is correct or not, please advise.
No. Instead you should reinitialize the TLS Context. Use ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, 0);
I also did try forcing to look for ca certificate using following option: int reqcert = LDAP_OPT_X_TLS_HARD; ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); But this also did not help.
Please suggest how a certificate, which is once loaded can be deleted from the openldap cache. Also please advise if I am doing something wrong in the above approach.
Howard Chu wrote:
divyachauhan01.dc@gmail.com wrote:
Divyanshi Chauhan divyachauhan01.dc@gmail.com 1:33 PM (3 hours ago) to openldap-technical-owner, openldap-devel-owner, openldap-bugs-owner
Hello,
I have an ldaps client code which connects to the ldap server securely and does authentication.
I have set the global option for ca cert directory. int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, const_cast<char*>("path")); Correct certificate is present in the path and hence connection to the ldap server and authentication is successful in first attempt.
Now, as per one of the requirements, the certificate is removed from the above client directory and authentication is attempted, we want it to fail as the certificate is deleted from the directory. But still the bind to ldap server and authentication is happening successfully. It should ideally fail as per my understanding.
I did try removing the certificate from memory using following option: char * crt; ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt); ldap_memfree(crt); I am not sure if the above way is correct or not, please advise.
No. Instead you should reinitialize the TLS Context. Use ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, 0);
Correction: int is_server = 0; ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &is_server);
openldap-technical@openldap.org
-
divyachauhan01.dc@gmail.com -
Howard Chu