Divyanshi Chauhan <divyachauhan01.dc(a)gmail.com> wrote:
Hello,
I have LDAPS client code which connects to the LDAP server securely and does
authentication.
I have set the global option for ca cert directory.
int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, const_cast<char*>("path"));
The correct certificate is present at that path, so the connection to the LDAP server and
the authentication succeed on the first attempt.
Now, as per one of the requirements, the certificate is removed from the above client
directory and authentication is attempted; we want it to fail, as the certificate has been
deleted from the directory. But the bind to the LDAP server and the authentication are
still succeeding. As per my understanding, it should ideally fail.
I tried removing the certificate from memory using the following option:
char * crt;
ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt);
ldap_memfree(crt);
I am not sure if the above way is correct or not, please advise.
No. Instead you should reinitialize the TLS Context. Use
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, 0);
I also tried forcing it to look for the CA certificate using the following option:
int reqcert = LDAP_OPT_X_TLS_HARD;
ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
But this also did not help.
Please suggest how a certificate, once loaded, can be deleted from the OpenLDAP
cache. Also please advise if I am doing something wrong in the above approach.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/