
Re: Unable to bind LDAP server via SSL



On Mon, 10 Jun 2013, Dan White wrote:
> On 06/08/13 07:50 +0530, Ashwin Kumar wrote:
...
> >     rc = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
> >     if(rc != LDAP_OPT_SUCCESS){
> >         printf("Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: %s\n",ldap_err2string(rc));

If ldap_set_option() returns LDAP_OPT_ERROR then you shouldn't call 
ldap_err2string(): the latter can't give a correct error string for that 
case because (currently) LDAP_OPT_ERROR == LDAP_SERVER_DOWN.  Indeed, as 
you saw:

> > The program always fails with:
> > *Setting LDAP_OPT_X_TLS_REQUIRE_CERT failed: Can't contact LDAP server*

That means ldap_set_option() is returning LDAP_OPT_ERROR.

My *guess* is that you're using libldap from an old version of OpenLDAP, 
like 2.3.x, as those versions only supported LDAP_OPT_X_TLS_REQUIRE_CERT 
as a global option and not as a per-handle option.

If that's the case, you should obviously upgrade.  If you can't upgrade 
Right Now, then put it on your roadmap for Real Soon Dang It and try 
changing this:
	rc = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
to this:
	rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);


And note, this is *exactly* why you should always say what version you're 
using!


Philip Guenther