Unable to bind sample program to LDAP server via SSL (ldaps://)
I have a sample program here that is trying to connect to an LDAP server on the secured port (ldaps://). However, the sample program is not able to bind to the server.

#define LDAP_DEPRECATED 1
#include <stdio.h>
#include <ldap.h>

#define BIND_DN "dc=example,dc=com"
#define BIND_PW "secret"

int main(void) {
    LDAP *ld;
    int rc;
    int reqcert = LDAP_OPT_X_TLS_NEVER;   /* do not verify the server certificate */
    int version = LDAP_VERSION3;

    /* ldap_initialize() only parses the URI; no connection is opened yet */
    rc = ldap_initialize(&ld, "ldaps://192.168.1.51:10636");
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(rc)); /* no error here */
        return 1;
    }

    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

    /* first network operation: the TCP connect and TLS handshake happen here */
    rc = ldap_bind_s(ld, BIND_DN, BIND_PW, LDAP_AUTH_SIMPLE);

    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc));
        return 1;
    }
    printf("Initial Authentication successful\n");
    ldap_unbind(ld);
    return 0;
}

However, with START_TLS the sample program successfully binds to the LDAP server running on port 10389. The ldapsearch client is able to connect to the server and search the user base tree. But the sample program above does not.

To get it working with START_TLS, here is what I have added:

ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
rc = ldap_start_tls_s(ld, NULL, NULL);   /* upgrade the plain ldap:// connection to TLS */
if (rc != LDAP_SUCCESS) {
    fprintf(stderr, "ldap_start_tls_s() %s\n", ldap_err2string(rc));
}

Can someone point out what I am missing here for binding to the LDAP server via ldaps://?

Forecourse answered 6/6, 2013 at 12:35 Comment(1)
I'm not very familiar with C++, but I've seen this exact same error before in C# dealing with LDAPS. The way we fixed this was by always returning a delegate {return true} on the VerifyServerCertificate session option : ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; }; Can you do something similar in C++?Shores

edit /etc/openldap/ldap.conf, add line:

TLS_REQCERT never

then try again.

Campstool answered 13/6, 2013 at 3:18 Comment(4)
Is this not the same as setting the ldap structure option "LDAP_OPT_X_TLS_REQUIRE_CERT" to "LDAP_OPT_X_TLS_NEVER"?Forecourse
ldap_initialize will read the config file. In theory, set the option should work, reason to be investigated, ...Campstool
I never saw this documented anywhere. Thanks. How about ldap_init() (though deprecated, it's fine for me)? Will that read the config file, or does ldap_set_option() take priority?Forecourse
Read the source code for all the details :) strace is helpful tooCampstool

It seems that you are trying to setup a TLS connection over the SSL port, which is not possible. Here is a quote from the wiki page on LDAP:

There is a similar non-standard ldaps: URL scheme for LDAP over SSL. This should not be confused with LDAP with TLS, which is achieved using the StartTLS operation using the standard ldap: scheme.

Unless your program needs to connect to some very old LDAP server which does not support TLS, but only SSL, I would advise always using TLS. It is at least as secure as SSL.

However if you need to create an SSL connection I believe that this thread on openldap site will help. In short I think (sorry I don't have an environment to check this) you need to use LDAP_OPT_X_TLS_CACERTFILE instead of LDAP_OPT_X_TLS_REQUIRE_CERT. Also you should not call ldap_start_tls_s, because it will try to establish TLS connection (which you don't want).

Espresso answered 11/6, 2013 at 8:29 Comment(1)
I am not trying to set up TLS on the SSL port. I am trying to set up SSL on the port dedicated to SSL (port 10636). Also, I do not have a certificate to verify the server. Hence, I am setting "LDAP_OPT_X_TLS_REQUIRE_CERT" to "LDAP_OPT_X_TLS_NEVER", equivalent to setting TLS_REQCERT to never in the ldap.conf file.Forecourse
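The two answers above suggest opposite knobs for the same setting: the accepted answer turns certificate verification off in ldap.conf (TLS_REQCERT never), and the second answer points at LDAP_OPT_X_TLS_CACERTFILE, whose ldap.conf equivalent is TLS_CACERT. The following ldap.conf fragment is an added example, not part of either answer, showing the weak setting next to the verifying one. The CA file path and the URI/BASE lines are assumptions for illustration; the address and base DN are taken from the question.

```conf
# /etc/openldap/ldap.conf  (added example, not from the original answers)

# What the accepted answer suggests: stop verifying the server certificate.
# Same effect as LDAP_OPT_X_TLS_REQUIRE_CERT = LDAP_OPT_X_TLS_NEVER in the program.
# The session is still encrypted, but any host answering on port 10636 can
# impersonate the directory and collect BIND_DN and BIND_PW, so keep this commented out
# except for a one-off test against a server you control.
#TLS_REQCERT never

# Verifying alternative: trust the CA that issued the server certificate and
# require a valid chain ("demand" is also libldap's default).
# The file path is an assumption; export the CA certificate from the server you run.
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_REQCERT demand

# Assumed defaults so ldapsearch can serve as a control check against the
# same server and base the question uses.
URI   ldaps://192.168.1.51:10636
BASE  dc=example,dc=com
```

With TLS_CACERT in place the bind in the question's program should succeed over ldaps:// without disabling verification, and a hostname or issuer mismatch will then surface as a TLS error rather than silently succeeding. If you would rather keep the per-handle ldap_set_option() calls instead of the config file, ldap_get_option(3) documents LDAP_OPT_X_TLS_NEWCTX, which is meant to be set after the other TLS options on a handle so that a TLS context is built from them.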
