> I am trying to write my own client which connects to an active directory
> and searches for a user. So far it works, I call "ldap_initialize", set
> version 3, "ldap_simple_bind_s" and then search the directory.
> Now I want the connection to be secure by executing a "Simple TLS
> ". I changed my hostname variable to
> "ldaps://ip:636" and tried
> "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant
> ldap server" error.
When using ldaps:// libldap will perform the TLS Handshake automatically
sending the first LDAP request to the server. So calling
a ldaps:// connection is wrong and results in the above error.
ldap_start_tls_s is for initiating the TLS Handshake on a "normal" ldap://
> I think my active directory is configured the right way
> because with JXplorer it works over ssl and port 636.
> Does anyone know which functions I have to call so a successful TLS
> connection will be set up?
If you really want to use ldaps:// then specifying the ldaps:// URI in
ldap_initialize should be enough. Otherwise use a "ldap://" URI +
Thank you, that's some good advice. So I will try now with "ldap://..." and
ldap_start_tls_s. Unfortunately now I get the error "Connect error" from
I set the option "LDAP_OPT_X_TLS_ALLOW" but that changes nothing.
Since I am using my own client I don't have any ldaprc or ldap.conf
files... maybe I have to set some options in my client to tell it to use
a simple TLS handshake?
Wireshark shows me that the client sends an "extendedReq(1)
LDAP_START_TLS_OID" packet to which the server answers. Then the "Client
hello" and "Server hello" with the server's certificate appear. After that
the client sends an "Alert (Level: Fatal, Description: Unknown CA)" packet.
Shortly after that the server resets the connection.
I enabled debugging with the option "LDAP_OPT_DEBUG_LEVEL" and now I see a
message that the client is expecting a local issuer certificate which it
can't find. Is there a way to tell the client that it won't get an own