Hi Howard, You proposed to set option for certificate file and key file before connection is established. I already did this. Issue that I found is "some" mismatch between global structure (initiated in ldap_initialize function, or, precisely it is getopts found in ldap_create and initiated with LDAP_INT_GLOBAL_OPT()) and ld_options structure that is member of LDAP (precisely, ld_options is member of ldap_common, which is the member of ldap structure). So, ld_options will contain all data that are set by set_options function. Unfortunately, deep in the call stack:
tlso_init() Line 148 C tls_init(tls_impl * impl=0x08bfe650) Line 168 C ldap_int_tls_start(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08) Line 829 C ldap_int_open_connection(ldap * ld=0x0b8ee610, ldap_conn * conn=0x02c0a400, ldap_url_desc * srv=0x0b935c08, int async=0) Line 448 C ldap_new_connection(ldap * ld=0x0b8ee610, ldap_url_desc * * srvlist=0x0b8ffa88, int use_ldsb=1, int connect=1, ldapreqinfo * bind=0x00000000, int m_req=0, int m_res=0) Line 487 C ldap_open_defconn(ldap * ld=0x0b8ee610) Line 42 C ldap_send_initial_request(ldap * ld=0x0b8ee610, unsigned long msgtype=96, const char * dn=0x08cc05f7, berelement * ber=0x0b935b00, int msgid=1) Line 130 C ldap_sasl_bind(ldap * ld=0x0b8ee610, const char * dn=0x08cc05f7, const char * mechanism=0x089c3b4c, berval * cred=0x00000000, ldapcontrol * * sctrls=0x00000000, ldapcontrol * * cctrls=0x00000000, int * msgidp=0x1428fe10) Line when tls context is initiated, ldap options are again initiated with LDAP_INT_GLOBAL_OPT() which does not contain values set by set_option. Any clue here? Please consider the environment before printing this email -----Original Message----- From: Howard Chu [mailto:[email protected]] Sent: Monday, January 25, 2016 3:45 PM To: Aleksandar Karalejić <[email protected]>; [email protected] Subject: Re: simple question Aleksandar Karalejić wrote: > Hi OpenLDAP team, > > I have a question, simple I hope, for you - I need to send client > certificate to the server openldap server (by using openldap api and openSSL). > > For completing this job, first I initalized ldap with url containing > ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636). You must set all of the TLS options before contacting the remote server. In particular, you must set your certificate file and key file in advance. > > I have set > > LDAP_OPT_PROTOCOL_VERSION -> > LDAP_VERSION3 > > LDAP_OPT_X_TLS_PROTOCOL_MIN -> > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 > > LDAP_OPT_X_TLS_REQUIRE_CERT -> > LDAP_OPT_X_TLS_DEMAND This is already the default. > > LDAP_OPT_X_TLS_CONNECT_ARG -> > fqdn_of_ldap_server This is unnecessary, the server name will be parsed from the URL. > LDAP_OPT_X_TLS_CONNECT_CB -> > my_tsl_verify_callback > > and then I called ldap_sasl_bind: > > ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid); > > What I saw is that certficate from the server was received, but how to > send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE > (sending the abs path to the .pem file) but nothing. Also, I saw that > this parameter was not taken into account - it looks like ssl_ctx > object used for ssl_connect does not include path to the file (like > two global structures used for setting up ctx know nothing about each > other.) > > Can you, help me with this? > > Regards, > > Aleksandar > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
