Is there any way discard sending private key (or keeping it in the file) on the file
system. Can you explain why is private key needed for certificate based authentication?
Please consider the environment before printing this email
From: Aleksandar Karalejić
Sent: Tuesday, January 26, 2016 10:43 AM
To: 'Howard Chu' <hyc(a)symas.com>; openldap-technical(a)openldap.org
Subject: RE: simple question
You proposed to set option for certificate file and key file before connection is
established. I already did this. Issue that I found is "some" mismatch between
global structure (initiated in ldap_initialize function, or, precisely it is getopts found
in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is
member of LDAP (precisely, ld_options is member of ldap_common, which is the member of
So, ld_options will contain all data that are set by set_options function. Unfortunately,
deep in the call stack:
tlso_init() Line 148 C
tls_init(tls_impl * impl=0x08bfe650) Line 168 C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc *
srv=0x0b935c08) Line 829 C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc
* srv=0x0b935c08, int async=0) Line 448 C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int
use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char *
dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char *
mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000,
ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line
when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT()
which does not contain values set by set_option.
Any clue here?
Please consider the environment before printing this email -----Original Message-----
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic(a)pstech.rs>;
Subject: Re: simple question
Aleksandar Karalejić wrote:
Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send client
certificate to the server openldap server (by using openldap api and openSSL).
For completing this job, first I initalized ldap with url containing
ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).
You must set all of the TLS options before contacting the remote server. In particular,
you must set your certificate file and key file in advance.
I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
This is already the default.
This is unnecessary, the server name will be parsed from the URL.
and then I called ldap_sasl_bind:
ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that certficate from the server was received, but how to
send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE
(sending the abs path to the .pem file) but nothing. Also, I saw that
this parameter was not taken into account - it looks like ssl_ctx
object used for ssl_connect does not include path to the file (like
two global structures used for setting up ctx know nothing about each
Can you, help me with this?
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/