I am trying to write a simple client test program using OpenLDAP client API to
connect to Microsoft Active Directory Server over SSL.
Below is code snippet. The program failed to connect.
It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server
(-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
I know there's no problem with LDAP certificate store /path/to/ldap_certdb
because a simple LDAP client test program written in Mozilla LDAP C-SDK worked
fine connecting to this same AD server, over SSL.
I need to know if I am using the correct OpenLDAP client API calls.
Any input would be much appreciated.
Thanks.
Source Code:
ldap_initialize( &ld, uri );
if ( ld == NULL ) {
tester_perror( "ldap_initialize", NULL );
exit( EXIT_FAILURE );
}
rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d,
error=%s\n",
version, rc, ldap_err2string(rc));
rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,
chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",
chaserefs, rc, ldap_err2string(rc));
int debug_flag1 = -1; // LDAP_DEBUG_ANY ;
rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);
printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d,
error=%s\n",
debug_flag1, rc, ldap_err2string(rc));
char *cert_path="/path/to/ldap_certdb";
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d,
error=%s\n",
cert_path, rc, ldap_err2string(rc));
int reqcert = LDAP_OPT_X_TLS_ALLOW;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d,
error=%s\n",
reqcert, rc, ldap_err2string(rc));
rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL,
NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
switch ( rc ) {
case LDAP_BUSY:
case LDAP_UNAVAILABLE:
/* fallthru */
default:
break;
}
exit( EXIT_FAILURE );
}
Here's program output:
rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0,
error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success
PID=4781 - Search(2):
base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com",
filter="cn=aduser2*" attr="cn".
slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1)
error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
From: Wu, Daisy
Sent: Friday, August 26, 2011 4:53 PM
To: [email protected]; '[email protected]'
Subject: Need sample OpenLDAP client test program connecting to LDAP server
over SSL
Hi, OpenLDAP developers,
Do you have any sample test programs (or code snippets) that uses OpenLDAP
client API to connect to LDAP server over SSL?
Thanks in advance.
Daisy
