Discussion:
SSL connection using libLDAP
Alexander Hartner
2006-03-17 23:56:52 UTC
I am trying to connect to my LDAP directory using libLDAP. With SSL
disabled the following code works, but since I switched SSL on it breaks.

ldap = ldap_init([hostname cString], [port intValue]);
ldap_perror(ldap, "LDAP INITIALISED");
const int version = 3;
int e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
ldap_perror(ldap, "LDAP VERSION 3 SET");

e = ldap_simple_bind_s(ldap, [username cString], [password cString]);

char * errorMessage = ldap_err2string(e);
ldap_perror(ldap, "LDAP BOUND");

The error reported is :

LDAP BOUND: Can't contact LDAP server (-1)

I figure this is a problem with ldap_simple_bind_s, but I can't find
what I need to modify for SSL to work.

Thanks

Alexander Hartner
***@j2anywhere.com

Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
- The Tao of Programming
Kurt D. Zeilenga
2006-03-18 04:46:11 UTC
Permalink
OpenLDAP's -lldap supports initiating TLS (SSL) using either
the standard "Start TLS" mechanism [RFC2830] or the non-standard
"ldaps:" (Secure LDAP) mechanism. In the former case, the
program should call ldap_initialize(3) with the appropriate
ldap: URL, set version to 3, and then call ldap_start_tls_s(3).
In the latter case, ldap_initialize(3) is called with the
ldaps: URL. In both cases, appropriate certificate information
should be provided via ldap.conf(5) facilities or via
ldap_set_option(3). See the clients/tools for example code.

- Kurt
Alexander Hartner
2006-03-18 20:19:14 UTC
Hi Kurt,

I tried to look for the man pages, but can't find them anywhere. They
don't seem to be included on OS X, Gentoo or the website.

I had a look at the examples (clients/tools) and I modified my code.
I hope I have the sequence right? I call the following functions as
follows:

1.) ldap_init
2.) ldap_set_option (Version 3, ...) I think I need to set the
CACERTFILE here. But I don't know what option to set. I am also
hoping for an option to accept self-signed certificates without
having to specify a CA.
3.) ldap_start_tls_s
4.) ldap_simple_bind_s

It doesn't work yet, because I don't know what options to set. If you
have the man pages could you please email them to me.
Thanks for your help

Alexander Hartner
***@j2anywhere.com

Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
- The Tao of Programming
Kurt D. Zeilenga
2006-03-18 21:05:00 UTC
Post by Alexander Hartner
I tried to look for the man pages, but can't find them anywhere.
Some manual pages are missing, especially in older versions
of OpenLDAP Software.
Post by Alexander Hartner
1.)ldap_init
Modern versions of OpenLDAP client tools don't call ldap_init(3).
They call ldap_initialize(3).
Post by Alexander Hartner
2.)ldap_set_options (Version 3,... ) I think I need to set the
CACERTFILE here. But I don't know what option to set. I am also
hoping for an option to accept self signed certificates without
having to specify a CA.
Only necessary if you don't use the ldap.conf(5) method
of providing TLS configuration.
Post by Alexander Hartner
3.)ldap_start_tls_s
4.)ldap_simple_bind_s
For StartTLS, yes.
Post by Alexander Hartner
It doesn't work yet,
Well, does ldapsearch(1) work? If so, then your program should
work too if you properly followed the ldapsearch(1) example. If
not, well, I suggest you get ldapsearch(1) working first.
Post by Alexander Hartner
because I don't know what options to set.
If you have the man pages could you please email them to me.
You might look in HEAD for recently written pages.
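The ldap.conf(5) route Kurt mentions, as an added example that is not part of the thread: the same trust settings the Objective-C code sets through ldap_set_option, supplied as configuration so the application carries no certificate logic at all. The URI and path are placeholders.

```conf
# Added example (not from the thread). Client-side TLS settings for
# libldap, read from /etc/openldap/ldap.conf (or ~/.ldaprc); each key can
# also be given as an environment variable, e.g. LDAPTLS_CACERT.

# Default server for tools such as ldapsearch(1); programs that call
# ldap_initialize() still pass their own URL.
URI          ldaps://ldap.example.com:636

# Trust anchor used to verify the server certificate. For a self-signed
# server certificate, point this at that certificate itself.
TLS_CACERT   /etc/openldap/cacert.pem

# Refuse the session unless the server presents a certificate that
# verifies against TLS_CACERT. "never" would accept any certificate and
# leave the connection open to an impostor server.
TLS_REQCERT  demand
```

With this in place, Kurt's suggested check is `ldapsearch -H ldap://ldap.example.com -ZZ -x -b '' -s base`: `-ZZ` requires Start TLS to succeed, so the command fails loudly if the certificate does not verify, which is exactly the behaviour a program built on the same libldap will then inherit.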
Alexander Hartner
2006-03-19 22:43:04 UTC
Thanks Kurt,

I have it working now. Even though the example is in Objective-C, it
might be helpful to others.

if ([connectionDetail sslEnabled])
{
    NSString * url = [NSString stringWithFormat:@"ldaps://%@:%@", hostname, [port stringValue]];
    NSLog(@"Using SSL URL : %@\n", url);
    ldap_initialize(&ldap, [url cString]);
}
else
{
    NSString * url = [NSString stringWithFormat:@"ldap://%@:%@", hostname, [port stringValue]];
    NSLog(@"Using URL : %@\n", url);
    ldap_initialize(&ldap, [url cString]);
}

ldap_perror(ldap, "LDAP INITIALISED");

const int ldap_version = LDAP_VERSION3;
int e = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
ldap_perror(ldap, "LDAP VERSION 3 SET");

if ([connectionDetail sslEnabled])
{
    e = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/openldap/cacert.pem");
    ldap_perror(ldap, "SETTING CACERTIFICATE FILE");
    ldap_start_tls_s(ldap, NULL, NULL);
    ldap_perror(ldap, "LDAP STARTING TLS");
}

e = ldap_simple_bind_s(ldap, [username cString], [password cString]);
ldap_perror(ldap, "LDAP BOUND");
char * errorMessage = ldap_err2string(e);

Tx
Alexander Hartner
***@j2anywhere.com

Does a good farmer neglect a crop he has planted?
Does a good teacher overlook even the most humble student?
Does a good father allow a single child to starve?
Does a good programmer refuse to maintain his code?
- The Tao of Programming
This is a form letter. Due to the volume of email I receive, I
cannot personally respond to each message directed to my mailbox.
If your message concerns the use of OpenLDAP Software, I suggest
that you post your message to the most appropriate mailing list
(which is not necessarily an OpenLDAP mailing list).
http://www.openldap.org/lists/
If your message is a general LDAP question, I suggest you use
I do often answer questions that are asked in public forums. I
do this for the benefit of the community. As taking discussions
off list only affords the enquirer the benefit of my response,
I ask that you ask whatever follow-up questions you might have
in the public forum.
Regards, Kurt
Alexander F. Hartner
2006-03-20 08:24:20 UTC
After getting it working I have one more question. Currently I am
setting the path to the CACERT file manually.

Is it possible to read the certificate from a different source, such as
a database or external I/O stream? Having to configure a separate file
for my application is not so nice.

Would it be possible to switch certificate validation off maybe?

Ideally I would like to be able to connect to any LDAP / LDAPS directory
without having to configure files outside my application.

Thanks
Alex
Alexander Hartner
2006-03-21 09:04:45 UTC
After some searching, I figured out that I don't actually need to
invoke ldap_start_tls_s(ldap, NULL, NULL); after having invoked
ldap_initialize(&ldap, "ldaps://..."); From Kurt's first response I
gathered that this means I am using the non-standard approach.
Post by Alexander F. Hartner
Post by Alexander Hartner
Post by Alexander Hartner
Post by Kurt D. Zeilenga
OpenLDAP's -lldap supports initiating TLS (SSL) using either
the standard "Start TLS" mechanism [RFC2830] or the non-standard
"ldaps:" (Secure LDAP) mechanism.
I then tried to ldap_initialize(&ldap,"ldap://..."); (Without the
's') and to use the following:

e = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE, "/etc/openldap/cacert.pem");
ldap_perror(ldap, "SETTING CACERTIFICATE FILE");
ldap_start_tls_s(ldap, NULL, NULL);
ldap_perror(ldap, "LDAP STARTING TLS");

But this did not work and failed with the following errors:

LDAP INITIALISED: Success (0)
LDAP VERSION 3 SET: Success (0)
SETTING CACERTIFICATE FILE: Success (0)
LDAP STARTING TLS: Can't contact LDAP server (-1)
LDAP BOUND: Can't contact LDAP server (-1)

Seeing that the non-standard way is working for me it's not really a
big problem. I just would like to understand this better.

Kind regards

Alexander Hartner