
Re: An LDAPS-related issue



On Tuesday 21 September 2010 03:17:48 ctosgh wrote:
> Seems nobody has run into this issue??
> 
> 
> 
> At 2010-09-20 10:02:10,ctosgh <ctosgh@126.com> wrote:
> 
> Hi, folks
> 
> I am using the APIs from OpenLDAP and recently ran into a problem
> which upset me.  The following is the framework of the function.
> ldaps_func()
> {
>    LDAP* ld = NULL;
>    char * uri ="ldaps://xxx.xxx.xxx:636";
>    .....
>    ldap_set_option(...);   //using LDAP v3
>    ldap_set_option(...);   // set LDAP_OPT_X_TLS_REQUIRE_CERT to demand
>    ldap_set_option(...);   // set LDAP_OPT_X_TLS_CACERTDIR to /tmp/ldapsCA/
If you really want the TLS context recreated with each iteration, I 
think you can just call:
ldap_set_option( NULL, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
after the above calls.

>    ldap_initialize(&ld, uri);
>    .....
>    ldap_simple_bind(.....);
>    ldap_search_ext(...);
>    ......
>    ldap_unbind(ld);
>    .....
>    return 0;
> }
> The above function is called in a while loop to authenticate users to an
> LDAPS server when an authentication request comes up.  This function
> works fine. BUT after one successful authentication, if I delete the CA
> certificates of the server's certificate under /tmp/ldapsCA/, subsequent
> authentications will STILL succeed. If I restart this daemon, no
> authentication will succeed, because the CA certificates under
> /tmp/ldapsCA/ have been deleted. Why do I delete the CA certificates under
> /tmp/ldapsCA/? I just want to simulate a "certificate change". Is the
> OpenSSL library caching something??
> 
> Does anyone have any ideas about this? I will really appreciate it.

Ralf