[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: reg ldap over ssl

i used ldap_initialize and tried initializing the connection using the CA certificate.
i still am getting the same error.

the following is the code tat i compiled.. can anyone tell me where i am going wrong in the piece of code.
I am able to connect to the ldap server using jxplorer on port 636

#include "ldap.h"
    int returncode;
    char *host="";
    int port = 636;
    const char *user = "uid=administrator,dc=prasanth,dc=com";
    const char *passwd = "notallowed";
    LDAPMessage *result;
    char *base = "DC=prasanth,DC=com";
    LDAP *handle;

// initialize the handle

        printf("LDAP initialization failed  %d   %s\n",returncode,ldap_err2string(returncode));
        printf("LDAP initialization successful\n");

//set the options for SSL certificate connection

    int ldap_version = LDAP_VERSION3;
        printf("error while setting ldap version\n");

        printf("error disabling referrals\n");

    int sslmode = LDAP_OPT_X_TLS_HARD ;
        printf("error setting tls option to hard\n");

    int cert = LDAP_OPT_X_TLS_DEMAND;
        printf("error setting require cert option\n");

        printf("error setting CA certificate\n");
        printf("TLS START FAILED\n");
    printf("%d %s\n",returncode,ldap_err2string(returncode));

On Wed, Jul 2, 2008 at 12:52 AM, Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
On Tue, 1 Jul 2008, prasanth allada wrote:
i am trying to start an ldap connection over SSL

my code goes like this.


when i call the ldap_start_tls_s() i get an error saying tat it cant contact the ldap server.

Right, because ldap_start_tls_s() performs the LDAP start TLS operation, but for ldaps the client is supposed to simply negotiate TLS/SSL upon connection, without sending an LDAP operation first.

The Right Thing is to stop using ldap_init() and instead use ldap_initialize(), passing it an URI of "ldaps://hostname".

(Note that it'll automatically use port 636 when the URI schema is "ldaps", just as it'll automatically use port 389 when the schema is "ldap".)

i have the CA certificate and the server certificate.
Can you tell me which certificate should i use in the code.

The client only needs the CA certificate.  Set the LDAP_OPT_X_TLS_CACERTFILE option to the path to the PEM file, or set the LDAP_OPT_X_TLS_CACERTDIR option to a directory holding the PEM file with hashed paths.  (Check out the docs for SSL_CTX_load_verify_locations() for the details of the hashing.)

Note that in versions before 2.4.0, those are *global* options: ldap_set_option() *must* be passed a NULL LDAP handle when setting them. As of 2.4.0 they're per-LDAP-handle only and must be set on each handle you create.

Philip Guenther