[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: simple question

Hi Howard,

You proposed to set option for certificate file and key file before connection is established. I already did this. Issue that I found is "some" mismatch between global structure (initiated in ldap_initialize function, or, precisely it is getopts found in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is member of LDAP (precisely, ld_options is member of ldap_common, which is the member of ldap structure). 
So, ld_options will contain all data that are set by set_options function. Unfortunately, deep in the call stack:

tlso_init() Line 148	C
tls_init(tls_impl * impl=0x08bfe650) Line 168	C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829	C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448	C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487	C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42	C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130	C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line

when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT() which does not contain values set by set_option. 
Any clue here?

Please consider the environment before printing this email
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic@pstech.rs>; openldap-technical@openldap.org
Subject: Re: simple question

Aleksandar Karalejić wrote:
> Hi OpenLDAP team,
> I have a question, simple I hope, for you - I need to send client 
> certificate to the server openldap server (by using openldap api and openSSL).
> For completing this job, first I initalized ldap with url containing 
> ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).

You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance.
> I have set
> LDAP_OPT_PROTOCOL_VERSION                            ->            LDAP_VERSION3
> LDAP_OPT_X_TLS_PROTOCOL_MIN                       ->
> LDAP_OPT_X_TLS_REQUIRE_CERT                          ->

This is already the default.
> LDAP_OPT_X_TLS_CONNECT_ARG                         ->
> fqdn_of_ldap_server

This is unnecessary, the server name will be parsed from the URL.

> LDAP_OPT_X_TLS_CONNECT_CB                             ->
> my_tsl_verify_callback
> and then I called ldap_sasl_bind:
> ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
> What I saw is that certficate from the server was received, but how to 
> send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE 
> (sending the abs path to the .pem file) but nothing. Also, I saw that 
> this parameter was not taken into account - it looks like ssl_ctx 
> object used for ssl_connect does not include path to the file (like 
> two global structures used for setting up ctx know nothing about each 
> other.)
> Can you, help me with this?
> Regards,
> Aleksandar

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/