RE: simple question



Hi Howard,

You proposed to set the options for the certificate file and key file before the connection is established. I already did this. The issue that I found is "some" mismatch between the global structure (initialized in the ldap_initialize function, or, precisely, the getopts found in ldap_create and initialized with LDAP_INT_GLOBAL_OPT()) and the ld_options structure that is a member of LDAP (precisely, ld_options is a member of ldap_common, which is a member of the ldap structure).
So, ld_options will contain all the data that are set by the set_options function. Unfortunately, deep in the call stack:

tlso_init() Line 148	C
tls_init(tls_impl * impl=0x08bfe650) Line 168	C
ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829	C
ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448	C
ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487	C
ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42	C
ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130	C
ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line

when the TLS context is initialized, the LDAP options are again initialized with LDAP_INT_GLOBAL_OPT(), which does not contain the values set by set_option.
Any clue here?



Please consider the environment before printing this email
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Monday, January 25, 2016 3:45 PM
To: Aleksandar Karalejić <aleksandar.karalejic@pstech.rs>; openldap-technical@openldap.org
Subject: Re: simple question

Aleksandar Karalejić wrote:
> Hi OpenLDAP team,
>
> I have a question, simple I hope, for you - I need to send a client
> certificate to the OpenLDAP server (by using the OpenLDAP API and OpenSSL).
>
> To complete this job, I first initialized ldap with a URL containing
> ldaps in the URL scheme (ldaps://fqdn_of_ldap_server:636).

You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance.
>
> I have set
>
> LDAP_OPT_PROTOCOL_VERSION                            ->            LDAP_VERSION3
>
> LDAP_OPT_X_TLS_PROTOCOL_MIN                       ->
> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
>
> LDAP_OPT_X_TLS_REQUIRE_CERT                          ->
> LDAP_OPT_X_TLS_DEMAND

This is already the default.
>
> LDAP_OPT_X_TLS_CONNECT_ARG                         ->
> fqdn_of_ldap_server

This is unnecessary; the server name will be parsed from the URL.

> LDAP_OPT_X_TLS_CONNECT_CB                             ->
> my_tsl_verify_callback
>
> and then I called ldap_sasl_bind:
>
> ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
>
> What I saw is that the certificate from the server was received, but how do I
> send the client certificate? I played around with LDAP_OPT_X_TLS_CERTFILE
> (sending the absolute path to the .pem file) but nothing. Also, I saw that
> this parameter was not taken into account - it looks like the ssl_ctx
> object used for ssl_connect does not include the path to the file (as if the
> two global structures used for setting up the ctx know nothing about each
> other.)
>
> Can you help me with this?
>
> Regards,
>
> Aleksandar
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/