RE: OpenLDAP client test program connecting to LDAP server over SSL failed

daisy.wu Wed, 31 Aug 2011 08:49:50 -0700

Thank you so much, Rich, for your reply.

In this call


        char *cert_path="/path/to/ldap_certdb";
        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, 
error=%s\n",
                cert_path, rc, ldap_err2string(rc));


/path/to/ldap_certdb is actually a directory, the files under it are like this:

% ls -altr /path/to/ldap_certdb
total 56
-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 secmod.db
-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 key3.db
-rw-r--r--   1 dmadmin dmadmin 16384 Sep 14  2010 cert7.db
drwx------  27 dmadmin dmadmin  4096 Aug 30 22:14 ../
drwxr-xr-x   2 dmadmin dmadmin  4096 Aug 30 22:14 ./
%


My simple test program (for testing LDAP SSL connection to AD server) using 
Mozilla LDAP C-SDK looks something like this (this test program works, 
connecting to AD over SSL works fine):

   if (ldapssl_client_init("/path/to/ldap_certdb", NULL ) < 0)
   {
     perror("ldapssl_client_init");
     return 1;
   }

    ld = ldapssl_init( host, port, 1);
    if ( ld == NULL )
    {
      perror("ldapssl_init");
      return 1;
    }

    if ((rc = ldap_simple_bind_s( ld, bind_dn, bind_password)) != LDAP_SUCCESS)
    {
      ldap_perror(ld, "ldap_simple_bind_s");
      return 1;
    }

However, the following equivalent code using OpenLDAP (built with RSA Share 
Adpator and RSA MES) does not work.  It failed with error "ldap_sasl_bind_s: 
Can't contact LDAP server (-1) error:14090086:SSL routines: 
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

        ldap_initialize( &ld, uri );
        if ( ld == NULL ) {
                tester_perror( "ldap_initialize", NULL );
                exit( EXIT_FAILURE );
        }

        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, 
error=%s\n",
                version, rc, ldap_err2string(rc));

        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,
                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",
                chaserefs, rc, ldap_err2string(rc));

        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;
        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);
        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, 
error=%s\n",
                debug_flag1, rc, ldap_err2string(rc));

        char *cert_path="/path/to/ldap_certdb"; // this is directory
        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, 
error=%s\n",
                cert_path, rc, ldap_err2string(rc));

        int reqcert = LDAP_OPT_X_TLS_ALLOW;
        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, 
error=%s\n",
                 reqcert, rc, ldap_err2string(rc));

         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, 
NULL, NULL );
         if ( rc != LDAP_SUCCESS ) {
           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
           switch ( rc ) {
             case LDAP_BUSY:
             case LDAP_UNAVAILABLE:
               /* fallthru */
             default:
               break;
           }
           exit( EXIT_FAILURE );
         }



From: Rich Megginson [mailto:[email protected]]
Sent: Tuesday, August 30, 2011 6:27 PM
To: Wu, Daisy
Cc: [email protected]; [email protected]
Subject: Re: OpenLDAP client test program connecting to LDAP server over SSL 
failed

On 08/30/2011 07:09 PM, [email protected]<mailto:[email protected]> wrote:
I am trying to write a simple client test program using OpenLDAP client API to 
connect to Microsoft Active Directory Server over SSL.

Below is code snippet.  The program failed to connect.

It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server 
(-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed

I know there's no problem with LDAP certificate store /path/to/ldap_certdb 
because a simple LDAP client test program written in Mozilla LDAP C-SDK worked 
fine connecting to this same AD server, over SSL.

I need to know if I am using the correct OpenLDAP client API calls.
Yes, but it looks like you are using OpenLDAP built with openssl, not Mozilla 
NSS.  If your OpenLDAP is provided by some vendor, and you cannot 
change/rebuild with moznss support, you'll have to export the CA certificate(s) 
from the /path/to/ldap_certdb and pass them to OpenLDAP with either a single 
file and LDAP_OPT_X_TLS_CACERTFILE or an openssl style ca cert dir with 
LDAP_OPT_X_TLS_CACERTDIR.

Any input would be much appreciated.

Thanks.

Source Code:

        ldap_initialize( &ld, uri );
        if ( ld == NULL ) {
                tester_perror( "ldap_initialize", NULL );
                exit( EXIT_FAILURE );
        }

        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, 
error=%s\n",
                version, rc, ldap_err2string(rc));

        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,
                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );
        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",
                chaserefs, rc, ldap_err2string(rc));

        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;
        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);
        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, 
error=%s\n",
                debug_flag1, rc, ldap_err2string(rc));

        char *cert_path="/path/to/ldap_certdb";
        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);
        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, 
error=%s\n",
                cert_path, rc, ldap_err2string(rc));

        int reqcert = LDAP_OPT_X_TLS_ALLOW;
        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, 
error=%s\n",
                 reqcert, rc, ldap_err2string(rc));

         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, 
NULL, NULL );
         if ( rc != LDAP_SUCCESS ) {
           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );
           switch ( rc ) {
             case LDAP_BUSY:
             case LDAP_UNAVAILABLE:
               /* fallthru */
             default:
               break;
           }
           exit( EXIT_FAILURE );
         }


Here's program output:

rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0, 
error=Success
rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success
PID=4781 - Search(2): 
base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", 
filter="cn=aduser2*" attr="cn".
slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1) 
error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed


From: Wu, Daisy
Sent: Friday, August 26, 2011 4:53 PM
To: [email protected]<mailto:[email protected]>; 
'[email protected]<mailto:[email protected]>'
Subject: Need sample OpenLDAP client test program connecting to LDAP server 
over SSL

Hi, OpenLDAP developers,

Do you have any sample test programs (or code snippets) that uses OpenLDAP 
client API to connect to LDAP server over SSL?

Thanks in advance.

Daisy

RE: OpenLDAP client test program connecting to LDAP server over SSL failed

Reply via email to