12:45 a.m.
Hi,
i am trying to write my own client which connects to an active directory
and searches for an user. So far it works, i call "ldap_initialize", set
version 3, "ldap_simple_bind_s" and then search the directory.
Now i want the connection to be secure by executing a "Simple TLS handshake
". I changed my hostname variable to "ldaps://ip:636" and tried
"ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact
ldap server" error. I think my active directory is configured the right way
because with JXplorer it works over ssl and port 636.
Does anyone know which functions i have to call so a successful tls
connection will be set up?
Regards
Martin
DISCLAIMER:
Privileged and/or Confidential information may be contained in this
message. If you are not the addressee of this message, you may not
copy, use or deliver this message to anyone. In such event, you
should destroy the message and kindly notify the sender by reply
e-mail. It is understood that opinions or conclusions that do not
relate to the official business of the company are neither given
nor endorsed by the company.
Thank You.
5:21 a.m.
On Fri, Nov 16, 2012 at 09:45:10AM +0100, Martin.Heinzmann(a)belden.com wrote:
Hi,
i am trying to write my own client which connects to an active directory
and searches for an user. So far it works, i call "ldap_initialize", set
version 3, "ldap_simple_bind_s" and then search the directory.
Now i want the connection to be secure by executing a "Simple TLS handshake
". I changed my hostname variable to "ldaps://ip:636" and tried
"ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact
ldap server" error.
When using ldaps:// libldap will perform the TLS Handshake
automatically before
sending the first LDAP request to the server. So calling ldap_start_tls_s() on
a ldaps:// connection is wrong and results in the above error.
ldap_start_tls_s is for initiating the TLS Handshake on a "normal" ldap://
connection.
See http://www.openldap.org/faq/data/cache/605.html for details.
I think my active directory is configured the right way
because with JXplorer it works over ssl and port 636.
Does anyone know which functions i have to call so a successful tls
connection will be set up?
If really want to use ldaps:// then specifying the
ldaps:// URI in
ldap_initialize should be enough. Otherwise use a "ldap://" URI +
ldap_start_tls_s
Ralf
2:18 a.m.
New subject: Antwort: Re: OpenLDAP-Client TLS
> Hi,
> i am trying to write my own client which connects to an active directory
> and searches for an user. So far it works, i call "ldap_initialize", set
> version 3, "ldap_simple_bind_s" and then search the directory.
> Now i want the connection to be secure by executing a "Simple TLS
handshake
> ". I changed my hostname variable to
"ldaps://ip:636" and tried
> "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant
contact
> ldap server" error.
When using ldaps:// libldap will perform the TLS Handshake automatically
before
sending the first LDAP request to the server. So calling
ldap_start_tls_s
() on
a ldaps:// connection is wrong and results in the above error.
ldap_start_tls_s is for initiating the TLS Handshake on a "normal" ldap://
connection.
See http://www.openldap.org/faq/data/cache/605.html for details.
> I think my active directory is configured the right way
> because with JXplorer it works over ssl and port 636.
>
> Does anyone know which functions i have to call so a successful tls
> connection will be set up?
If really want to use ldaps:// then specifying the ldaps:// URI in
ldap_initialize should be enough. Otherwise use a "ldap://" URI +
ldap_start_tls_s
Ralf
Hi,
thank you, thats some good advice. So i will try now with "ldap://..." and
ldap_start_tls_s. Unfortunately now i get the error "Connect error" from
ldap_start_tls_s.
I set the option "LDAP_OPT_X_TLS_ALLOW" but that changes nothing.
Since i am using my own client i don't have any ldaprc or ldap.conf
files....maybe i have to set some options in my client to tell it to use
simple tls handshake?
Wireshark shows me that the client sends a "extendedReq(1)
LDAP_START_TLS_OID" package to which the server answeres. Then the "Client
hello" and "Server hello" with the servers certificate appears. After that
the client sends a "Alert (Level: Fatal, Description: Unkown CA) package.
Short after that the server resets the connection.
I enabled debugging with the option "LDAP_OPT_DEBUG_LEVEL" and now i see a
message, that the client is expexting a local issuer certificate which it
can't find. Is there a way to tell the client that he won't get an own
certificate?
Regards Martin
DISCLAIMER:
Privileged and/or Confidential information may be contained in this
message. If you are not the addressee of this message, you may not
copy, use or deliver this message to anyone. In such event, you
should destroy the message and kindly notify the sender by reply
e-mail. It is understood that opinions or conclusions that do not
relate to the official business of the company are neither given
nor endorsed by the company.
Thank You.
5:38 a.m.
On 2012.11.16 03.45, Martin.Heinzmann(a)belden.com wrote:
Hi,
i am trying to write my own client which connects to an active directory
and searches for an user. So far it works, i call "ldap_initialize", set
version 3, "ldap_simple_bind_s" and then search the directory.
Now i want the connection to be secure by executing a "Simple TLS
handshake". I changed my hostname variable to "ldaps://ip:636" and tried
"ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact
ldap server" error. I think my active directory is configured the right
way because with JXplorer it works over ssl and port 636.
Does anyone know which functions i have to call so a successful tls
connection will be set up?
i know very little about libldap and its routines, but i do know that
ldaps is not starttls, and starttls is not 636.
man 3 ldap_start_tls_s seems to specifically indicate that routine is
strictly for starttls, not ldaps. that would mean that you should be
connecting to the regular ldap port [389] - e.g. "ldap://hostname/", and
then using ldap_start_tls_s. that wouldn't work with ldaps/636 [and
ldaps is deprecated anyway].
-ben
4033
days inactive
4036
days old
openldap-technical@openldap.org
3 comments
3 participants
participants (3)
-
btb -
Martin.Heinzmann@belden.com -
Ralf Haferkamp