Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send a client certificate to the OpenLDAP server (by using the OpenLDAP API and OpenSSL). For completing this job, first I initialized ldap with a URL containing ldaps in the URL scheme (ldaps://fqdn_of_ldap_server:636). I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND
LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server
LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback
and then I called ldap_sasl_bind: ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that the certificate from the server was received, but how do I send the client certificate? I played around with LDAP_OPT_X_TLS_CERTFILE (sending the absolute path to the .pem file) but nothing. Also, I saw that this parameter was not taken into account - it looks like the ssl_ctx object used for ssl_connect does not include the path to the file (like two global structures used for setting up the ctx know nothing about each other). Can you help me with this?
Regards, Aleksandar
Aleksandar Karalejić wrote:
Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send a client certificate to the OpenLDAP server (by using the OpenLDAP API and OpenSSL).
For completing this job, first I initialized ldap with a URL containing ldaps in the URL scheme (ldaps://fqdn_of_ldap_server:636).
You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance.
I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND
This is already the default.
LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server
This is unnecessary; the server name will be parsed from the URL.
LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback
and then I called ldap_sasl_bind:
ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that the certificate from the server was received, but how do I send the client certificate? I played around with LDAP_OPT_X_TLS_CERTFILE (sending the absolute path to the .pem file) but nothing. Also, I saw that this parameter was not taken into account - it looks like the ssl_ctx object used for ssl_connect does not include the path to the file (like two global structures used for setting up the ctx know nothing about each other).
Can you help me with this?
Regards,
Aleksandar
Hi Howard,
You proposed to set the options for the certificate file and key file before the connection is established. I already did this. The issue that I found is "some" mismatch between the global structure (initiated in the ldap_initialize function, or, precisely, it is getopts found in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and the ld_options structure that is a member of LDAP (precisely, ld_options is a member of ldap_common, which is a member of the ldap structure). So, ld_options will contain all data that are set by the set_options function. Unfortunately, deep in the call stack:
tlso_init() Line 148 C
tls_init(tls_impl * impl=0x08bfe650) Line 168 C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829 C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448 C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487 C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line
when the TLS context is initiated, the ldap options are again initiated with LDAP_INT_GLOBAL_OPT(), which does not contain the values set by set_option. Any clue here?
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić aleksandar.karalejic@pstech.rs; openldap-technical@openldap.org
Subject: Re: simple question
Hi Howard,
Is there any way to discard sending the private key (or keeping it in the file) on the file system? Can you explain why the private key is needed for certificate-based authentication?
Regards, Aleksandar
-----Original Message-----
From: Aleksandar Karalejić
Sent: Tuesday, January 26, 2016 10:43 AM
To: 'Howard Chu' hyc@symas.com; openldap-technical@openldap.org
Subject: RE: simple question
Aleksandar Karalejić wrote:
Hi Howard,
Is there any way to discard sending the private key (or keeping it in the file) on the file system?
The private key is not sent anywhere.
Can you explain why the private key is needed for certificate-based authentication?
Read up on how public-key cryptography works. That is not anything specific to OpenLDAP.
The private key is required to prove that you are the owner of the certificate being used.