Hi Howard,
Is there any way to avoid sending the private key (or keeping it in a file) on the file
system? Can you explain why the private key is needed for certificate-based authentication?
Regards,
Aleksandar
-----Original Message-----
From: Aleksandar Karalejić
Sent: Tuesday, January 26, 2016 10:43 AM
To: 'Howard Chu' <hyc(a)symas.com>; openldap-technical(a)openldap.org
Subject: RE: simple question
Hi Howard,
You proposed setting the options for the certificate file and key file before the connection is
established. I already did this. The issue that I found is "some" mismatch between the
global structure (initialized in the ldap_initialize function, or, precisely, the getopts found
in ldap_create and initialized with LDAP_INT_GLOBAL_OPT()) and the ld_options structure that is a
member of LDAP (precisely, ld_options is a member of ldap_common, which is a member of the
ldap structure).
So, ld_options will contain all data that is set by the set_option function. Unfortunately,
deep in the call stack:
tlso_init() Line 148 C
tls_init(tls_impl * impl=0x08bfe650) Line 168 C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829 C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448 C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487 C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line
when the TLS context is initialized, the ldap options are again initialized with LDAP_INT_GLOBAL_OPT(),
which does not contain the values set by set_option.
Any clue here?
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic(a)pstech.rs>;
openldap-technical(a)openldap.org
Subject: Re: simple question
Aleksandar Karalejić wrote:
> Hi OpenLDAP team,
> I have a question, simple I hope, for you - I need to send a client
> certificate to the OpenLDAP server (using the OpenLDAP API and OpenSSL).
> To complete this job, I first initialized ldap with a URL containing
> ldaps in the URL scheme (ldaps://fqdn_of_ldap_server:636).
You must set all of the TLS options before contacting the remote server. In particular,
you must set your certificate file and key file in advance.
> I have set
> LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
> LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
> LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND
This is already the default.
> LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server
This is unnecessary, the server name will be parsed from the URL.
> LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback
> and then I called ldap_sasl_bind:
> ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
> What I saw is that the certificate from the server was received, but how do I
> send the client certificate? I played around with LDAP_OPT_X_TLS_CERTFILE
> (passing the absolute path to the .pem file) but nothing. Also, I saw that
> this parameter was not taken into account - it looks like the ssl_ctx
> object used for ssl_connect does not include the path to the file (as if the
> two global structures used for setting up the ctx know nothing about each
> other.)
> Can you help me with this?
> Regards,
> Aleksandar
--
Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/