Re: OpenLDAP client test program connecting to LDAP server over SSL failed

Tue, 30 Aug 2011 21:35:47 -0700 

On 08/30/2011 07:09 PM, [email protected] wrote:



I am trying to write a simple client test program using OpenLDAP 
client API to connect to Microsoft Active Directory Server over SSL.


Below is code snippet.  The program failed to connect.


It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP 
server (-1) error:14090086:SSL routines: 
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



I know there's no problem with LDAP certificate store 
/path/to/ldap_certdb because a simple LDAP client test program written 
in Mozilla LDAP C-SDK worked fine connecting to this same AD server, 
over SSL.


I need to know if I am using the correct OpenLDAP client API calls.


Yes, but it looks like you are using OpenLDAP built with openssl, not 
Mozilla NSS.  If your OpenLDAP is provided by some vendor, and you 
cannot change/rebuild with moznss support, you'll have to export the CA 
certificate(s) from the /path/to/ldap_certdb and pass them to OpenLDAP 
with either a single file and LDAP_OPT_X_TLS_CACERTFILE or an openssl 
style ca cert dir with LDAP_OPT_X_TLS_CACERTDIR.


Any input would be much appreciated.

Thanks.

Source Code:

        ldap_initialize( &ld, uri );

        if ( ld == NULL ) {

                tester_perror( "ldap_initialize", NULL );

                exit( EXIT_FAILURE );

        }

        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );


        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 
%d)=%d, error=%s\n",


                version, rc, ldap_err2string(rc));

        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,

                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );


        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, 
error=%s\n",


                chaserefs, rc, ldap_err2string(rc));

        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;

        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);


        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, 
error=%s\n",


                debug_flag1, rc, ldap_err2string(rc));

        char *cert_path="/path/to/ldap_certdb";

        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);


        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, 
%s)=%d, error=%s\n",


                cert_path, rc, ldap_err2string(rc));

        int reqcert = LDAP_OPT_X_TLS_ALLOW;

        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);


        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 
%d)=%d, error=%s\n",


                 reqcert, rc, ldap_err2string(rc));


         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, 
NULL, NULL, NULL );


         if ( rc != LDAP_SUCCESS ) {

           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );

           switch ( rc ) {

             case LDAP_BUSY:

             case LDAP_UNAVAILABLE:

               /* fallthru */

             default:

               break;

           }

           exit( EXIT_FAILURE );

         }

Here's program output:

rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success


rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, 
/path/to/ldap_certdb)=0, error=Success


rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success


PID=4781 - Search(2): 
base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", 
filter="cn=aduser2*" attr="cn".



slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server 
(-1) error:14090086:SSL routines: 
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


*From:*Wu, Daisy
*Sent:* Friday, August 26, 2011 4:53 PM

*To:* [email protected]; 
'[email protected]'
*Subject:* Need sample OpenLDAP client test program connecting to LDAP 
server over SSL


Hi, OpenLDAP developers,


Do you have any sample test programs (or code snippets) that uses 
OpenLDAP client API to connect to LDAP server over SSL?


Thanks in advance.

Daisy

























					Reply via email to