[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: simple question

Hi Howard,

Is there any way discard sending private key (or keeping it in the file) on the file system. Can you explain why is private key needed for certificate based authentication?


Please consider the environment before printing this email
-----Original Message-----
From: Aleksandar Karalejić 
Sent: Tuesday, January 26, 2016 10:43 AM
To: 'Howard Chu' <hyc@symas.com>; openldap-technical@openldap.org
Subject: RE: simple question

Hi Howard,

You proposed to set option for certificate file and key file before connection is established. I already did this. Issue that I found is "some" mismatch between global structure (initiated in ldap_initialize function, or, precisely it is getopts found in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is member of LDAP (precisely, ld_options is member of ldap_common, which is the member of ldap structure). 
So, ld_options will contain all data that are set by set_options function. Unfortunately, deep in the call stack:

tlso_init() Line 148	C
tls_init(tls_impl * impl=0x08bfe650) Line 168	C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829	C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448	C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487	C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42	C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130	C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line

when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT() which does not contain values set by set_option. 
Any clue here?

Please consider the environment before printing this email -----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic@pstech.rs>; openldap-technical@openldap.org
Subject: Re: simple question

Aleksandar Karalejić wrote:
> Hi OpenLDAP team,
> I have a question, simple I hope, for you - I need to send client 
> certificate to the server openldap server (by using openldap api and openSSL).
> For completing this job, first I initalized ldap with url containing 
> ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).

You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance.
> I have set
> LDAP_OPT_PROTOCOL_VERSION                            ->            LDAP_VERSION3
> LDAP_OPT_X_TLS_PROTOCOL_MIN                       ->
> LDAP_OPT_X_TLS_REQUIRE_CERT                          ->

This is already the default.
> LDAP_OPT_X_TLS_CONNECT_ARG                         ->
> fqdn_of_ldap_server

This is unnecessary, the server name will be parsed from the URL.

> LDAP_OPT_X_TLS_CONNECT_CB                             ->
> my_tsl_verify_callback
> and then I called ldap_sasl_bind:
> ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
> What I saw is that certficate from the server was received, but how to 
> send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE 
> (sending the abs path to the .pem file) but nothing. Also, I saw that 
> this parameter was not taken into account - it looks like ssl_ctx 
> object used for ssl_connect does not include path to the file (like 
> two global structures used for setting up ctx know nothing about each
> other.)
> Can you, help me with this?
> Regards,
> Aleksandar

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/