[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client App and STARTLS auth

To: Massimiliano Pala <pala@isis.poly.edu>
Subject: Re: Client App and STARTLS auth
From: Rich Megginson <rich.megginson@gmail.com>
Date: Tue, 14 Jun 2011 09:43:19 -0600
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:reply-to:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=V/rGsiWz/jPUaEQm9AD0/6ifjM3/Ho0zQd3vRDmmnfc=; b=dZDld0Hk3AVa7UsKOjSV+ggDY3+HQECVwZnpFBlAYVKp5suvHwzK+VQkjPm/9w4ux5 LUTHxh9yBQhvCr7LvP9E8rlLxtiZvgI+WJSJRQ/wHVb9S8AY/8pNd4elQYDe+XggEx2j cNbMjiVDiLNiT2GvvyZJiy3agcmUkDy7A/XIs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=kGhNUXFiaxyUUv19irCjD0P5obEV2XE2ezyibJoIRWyLXtylUIl2oRfKe6tcFHXLR+ ibsJyB0GQr6x4hxEbA9gff34dx5Xh8RWjLKEc1GB5Ln+DGugCNuLchjE1iI4562AExST A0pp35lwt+D5HTNKK4iBZAY40tNEPNqym1Kto=
In-reply-to: <4DF780DA.8080702@isis.poly.edu>
References: <4DF260A9.9020401@isis.poly.edu> <4DF26AE9.1050407@gmail.com> <4DF27A59.90401@isis.poly.edu> <alpine.BSO.2.00.1106101416460.10556@morgaine.smi.sendmail.com> <4DF2986C.1050000@isis.poly.edu> <BANLkTiko5Jz=J8mi7kBySWDE=pFE-AgF_g@mail.gmail.com> <4DF2EFF5.6000503@isis.poly.edu> <4DF61F16.7030502@gmail.com> <4DF780DA.8080702@isis.poly.edu>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110419 Red Hat/3.1.10-1.el6_0 Lightning/1.0b3pre Thunderbird/3.1.10

On 06/14/2011 09:40 AM, Massimiliano Pala wrote:

Hello Rich,

responses inline..

On 06/13/2011 10:30 AM, Rich Megginson wrote:
[...]

LDAPTLS_REQCERT=never ldapsearch -x -d 1 -ZZ -Hldap://yourhost:yourport -s base -b "" >
output.log 2>&1


I executed the command.. and it worked. I attach the output. Any help on
how can I duplicate this behavior in my application ?

More specifically. When shall I set the option:

  int opt_val = LDAP_OPT_X_TLS_ALLOW;
  ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val)

Possibilities:
- At startup with ld == NULL ?
- Right after ldap_initialize(&ld, url) - i.e. before ldap_start_tls() ?
- Elsewhere ?

I don't know. I suggest taking a look at the source code for ldapsearch- since that works, if you can do what it does, you should be good to go:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/tools/ldapsearch.c;h=494898a762f35f7eb5fe97f2768d25c6579090dd;hb=HEAD
and
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=clients/tools/common.c;h=262631e4cad1ca904c684786ff9fc4d33cdadbe9;hb=HEAD

Last but not least: shall I use ALLOW, TRY, or NEVER as the option forREQUIRE_CERT ?
Cheers,
Max

References:
- Client App and STARTLS auth
  - From: Massimiliano Pala <pala@isis.poly.edu>
- Re: Client App and STARTLS auth
  - From: Rich Megginson <rich.megginson@gmail.com>
- Re: Client App and STARTLS auth
  - From: Massimiliano Pala <pala@isis.poly.edu>
- Re: Client App and STARTLS auth
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>
- Re: Client App and STARTLS auth
  - From: Massimiliano Pala <pala@isis.poly.edu>
- Re: Client App and STARTLS auth
  - From: Massimiliano Pala <pala@isis.poly.edu>
- Re: Client App and STARTLS auth
  - From: Rich Megginson <rich.megginson@gmail.com>
- Re: Client App and STARTLS auth
  - From: Massimiliano Pala <pala@isis.poly.edu>

Prev by Date: Re: Client App and STARTLS auth
Next by Date: Re: Password - Ldap update
Index(es):
- Chronological
- Thread