
Re: ldap_start_tls_s and automatic CA certificate searching



Roberto Aguilar writes:
> Using strace I noticed that the ldapsearch command is able to find the
> appropriate CA certificate for the server I'm connecting to in my
> /etc/ssl/certs directory even if the TLS_CACERT setting in ldap.conf
> points to a different certificate.

And you are inspecting the right ldap.conf?  On Linux /etc/ldap.conf is
for PAM/NSS and /etc/(open)ldap/ldap.conf is for OpenLDAP programs.

> In my program, however, I receive error 91, which is a Connect error.

That's a pretty old OpenLDAP.  Client-side errors like Connect error
became negative in OpenLDAP 2.2.

Anyway...

Do you spell the server hostname the same way in your program and in
ldapsearch?  If your server certificate is for host foo.example.com,
connecting to "foo" or "localhost" instead of "foo.example.com" gives
a connect error since the hostnames differ.

If you've installed your own OpenLDAP, are you sure ldapsearch and your
program are from the same installation (and use the same libldap)?
Maybe one is from the system installation and the other from yours.
For dynamically loaded libraries, 'ldd <executable>' will tell.

> Setting TLS_CACERT to the server's CA certificate allows the
> connection to go through, but that is not feasible as I need to
> connect to servers with different CAs.
>
> I tried looking through ldapsearch.c to find the secret sauce to get
> this to work, but was not successful.  Can someone point me in the
> right direction?

libldap handles it for ldapsearch.  If you mean you want to set the
CA cert by hand in the program, use
 rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "<CA cert filename>");

-- 
Regards,
Hallvard