[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP-Client TLS

On 11/16/12 09:45 +0100, Martin.Heinzmann@belden.com wrote:
Now i want the connection to be secure by executing a "Simple TLS handshake
". I changed my hostname variable to "ldaps://ip:636" and tried
"ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact
ldap server" error. I think my active directory is configured the right way
because with JXplorer it works over ssl and port 636.

'ldaps://ip:636' or 'ldap://ip' with start_tls is almost certainly wrong. You should be using 'ldap[s]://hostname'.

On 11/19/12 11:18 +0100, Martin.Heinzmann@belden.com wrote:
thank you, thats some good advice. So i will try now with "ldap://..."; and
ldap_start_tls_s. Unfortunately now i get the error "Connect error" from

I set the option "LDAP_OPT_X_TLS_ALLOW" but that changes nothing.  Since i
am using my own client i don't have any ldaprc or ldap.conf files....maybe
i have to set some options in my client to tell it to use simple tls

See ldap.conf(5). If creating an ldaprc or ldap.conf is not appropriate,
you could use environment variables instead.
Wireshark shows me that the client sends a "extendedReq(1)
LDAP_START_TLS_OID" package to which the server answeres. Then the "Client
hello" and "Server hello" with the servers certificate appears. After that
the client sends a "Alert (Level: Fatal, Description: Unkown CA) package.
Short after that the server resets the connection.

I enabled debugging with the option "LDAP_OPT_DEBUG_LEVEL" and now i see a
message, that the client is expexting a local issuer certificate which it
can't find. Is there a way to tell the client that he won't get an own

The client must trust the certificate, or the issuer (signer) of the
certificate. Configure TLS_CACERT/TLS_CACERTDIR.

On 11/19/12 11:53 +0100, Martin.Heinzmann@belden.com wrote:
Little update...i managed to get it to work :-)

It looks like it was the option "LDAP_OPT_X_TLS_ALLOW" i have to set.
Unfortunately i did it on the wrong position in my code. Now this option
is the first thing i do, even prior the initialization.

Nevertheless "LDAP_START_TLS_S" returns 3 errors: 1.unable to get local
issuer certificate, 2. certificate not trusted, 3.unable to verify the
first certificate. I think the 2nd and 3rd appear because the server uses
a self signed certificate?

These are probably errors generated by the ssl library you have compile
libldap against. Searching for them at google should get some useful hits.

You might find some useful information within an overview of TLS, such as

One question i still have on my mind. I am only able to compile my client
by including the library "sasl2" although i am not using "ldap_sals_bind"
or anything like that. Is it possible expel sasl from my program or do i
have to use that library?

Could you expound on this? What error are you getting? Did you
do a '--with-cyrus-sasl=no' when compiling your libldap libraries?

Dan White