
Re: OpenLDAP-Client TLS



On Fri, Nov 16, 2012 at 09:45:10AM +0100, Martin.Heinzmann@belden.com wrote:
> 
> 
> Hi,
> I am trying to write my own client which connects to an Active Directory
> and searches for a user. So far it works: I call "ldap_initialize", set
> version 3, "ldap_simple_bind_s" and then search the directory.
> Now I want the connection to be secure by executing a "Simple TLS
> handshake". I changed my hostname variable to "ldaps://ip:636" and tried
> "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "can't contact
> ldap server" error.
When using ldaps://, libldap will perform the TLS handshake automatically before
sending the first LDAP request to the server. So calling ldap_start_tls_s() on
an ldaps:// connection is wrong and results in the above error.

ldap_start_tls_s is for initiating the TLS Handshake on a "normal" ldap://
connection.

See http://www.openldap.org/faq/data/cache/605.html for details.

> I think my Active Directory is configured the right way
> because with JXplorer it works over SSL and port 636.
> 
> Does anyone know which functions I have to call so a successful TLS
> connection will be set up?
If you really want to use ldaps://, then specifying the ldaps:// URI in
ldap_initialize should be enough. Otherwise use an "ldap://" URI +
ldap_start_tls_s.

Ralf
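The two ways of getting TLS that Ralf describes (an ldaps:// URI, where libldap handshakes by itself before the first request, or an ldap:// URI followed by ldap_start_tls_s()) in one small client. This is an added example written for this page, not code from the thread or from the OpenLDAP project; it assumes the OpenLDAP libldap API (build with `cc example.c -lldap -llber`), and the names tls_mode_for_uri, connect_secure and the enum values are this example's own. The libldap part is compiled only when ldap.h is found, so the URI-classification helper can be exercised on a machine without libldap.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    define HAVE_LDAP_H 1
#  endif
#endif

/* How TLS is established for a given LDAP URI. */
typedef enum {
    TLS_IMPLICIT,    /* ldaps://  libldap handshakes before the first request   */
    TLS_STARTTLS,    /* ldap://   the client must call ldap_start_tls_s() itself */
    TLS_UNSUPPORTED  /* anything else: refuse rather than fall back to cleartext */
} tls_mode;

/* Decide from the URI scheme which TLS path applies (scheme compare is
 * case-insensitive; NULL or an unknown scheme is refused). */
tls_mode tls_mode_for_uri(const char *uri)
{
    if (uri == NULL)
        return TLS_UNSUPPORTED;
    if (strncasecmp(uri, "ldaps://", 8) == 0)
        return TLS_IMPLICIT;
    if (strncasecmp(uri, "ldap://", 7) == 0)
        return TLS_STARTTLS;
    return TLS_UNSUPPORTED;
}

#ifdef HAVE_LDAP_H
#include <ldap.h>

/* Returns a bound LDAP handle with TLS in place, or NULL on any failure
 * (the libldap error text is printed to stderr). */
LDAP *connect_secure(const char *uri, const char *bind_dn, const char *password)
{
    LDAP *ld = NULL;
    int version = LDAP_VERSION3;
    int reqcert = LDAP_OPT_X_TLS_DEMAND;
    struct berval cred;
    int rc;
    tls_mode mode = tls_mode_for_uri(uri);

    if (mode == TLS_UNSUPPORTED) {
        fprintf(stderr, "refusing URI without TLS: %s\n", uri);
        return NULL;
    }

    /* Process-wide TLS defaults (ld == NULL) must be set before the handle is
     * created so it inherits them. DEMAND makes the handshake fail unless the
     * server presents a certificate chaining to a trusted CA (TLS_CACERT in
     * ldap.conf or LDAP_OPT_X_TLS_CACERTFILE) whose name matches the URI host. */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

    rc = ldap_initialize(&ld, uri);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(rc));
        return NULL;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    if (mode == TLS_STARTTLS) {
        /* Plain ldap://: upgrade the connection before any credentials are
         * sent. On an ldaps:// handle this call is the mistake from the thread. */
        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
            fprintf(stderr, "ldap_start_tls_s: %s\n", ldap_err2string(rc));
            ldap_unbind_ext_s(ld, NULL, NULL);
            return NULL;
        }
    }

    /* For ldaps:// the TLS handshake runs inside this first request. */
    cred.bv_val = (char *)password;
    cred.bv_len = strlen(password);
    rc = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "bind: %s\n", ldap_err2string(rc));
        ldap_unbind_ext_s(ld, NULL, NULL);
        return NULL;
    }
    return ld;
}

/* Demo driver: ./example ldaps://dc.example.com:636 'CN=svc,DC=example,DC=com' secret
 * (argv is used only for the demo; real code reads the password from a prompt
 * or a secret store, not the command line). */
int main(int argc, char **argv)
{
    LDAP *ld;
    if (argc != 4) {
        fprintf(stderr, "usage: %s <uri> <bind-dn> <password>\n", argv[0]);
        return 2;
    }
    ld = connect_secure(argv[1], argv[2], argv[3]);
    if (ld == NULL)
        return 1;
    printf("TLS connection and bind succeeded (%s)\n", argv[1]);
    ldap_unbind_ext_s(ld, NULL, NULL);
    return 0;
}
#endif
```

With the URI from the original question (ldaps://ip:636) the helper selects TLS_IMPLICIT, so ldap_start_tls_s() is never called and the handshake happens inside the bind; because the certificate check is set to DEMAND, an IP address in the URI only verifies if the server certificate actually carries that address, so a host name matching the certificate is the safer choice.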