[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection

To: Qiang Xu <qixu@lexmark.com>
Subject: Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Wed, 29 Feb 2012 00:23:54 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <CAACU1m6fL_OEtxG_E9cQHrDeC-KODyFx5fzYK5xgMwKOksg+DQ@mail.gmail.com>
References: <CAACU1m6fL_OEtxG_E9cQHrDeC-KODyFx5fzYK5xgMwKOksg+DQ@mail.gmail.com>
User-agent: Roundcube Webmail/0.4.2

On Tue, 28 Feb 2012 16:40:23 -0500, Qiang Xu <qixu@lexmark.com> wrote:

Hello All,

Today I came across a strange problem.

I wrote a program to test ldap ssl/tls connection with OpenLDAP
library. Something like the code snippet as follows:
(...)
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
... // bind to the server

The first binding is successful, as expected. However, the second
binding is also successful, which is contrary to my expectation,
because I didn't create any cert file yet.


Possibly the answer lies in the code you did not show:
Create an LDAP* (with which url/host?), connect, bind, unbind.

Another observation here is that if the first binding with
LDAP_OPT_X_TLS_NEVER is removed, and the second binding with
LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it
will fail, as expected.


Do you use the same LDAP* connection for both "bindings"?
Its options are set when it is initialized.
Try to unbind and then create a new LDAP*.
--
Hallvard

Follow-Ups:
- Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Qiang Xu <qixu@lexmark.com>

References:
- LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
  - From: Qiang Xu <qixu@lexmark.com>

Prev by Date: cert options in ssl/tls connections
Next by Date: Re: LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
Index(es):
- Chronological
- Thread