PDamasceno
asked on
OpenLDAP certificate issues
I wrote a small program to test the OpenLDAP API using TLS or SSL with a local server I made. Everything is in a CentOS machine.
The server has self signed certificates and the option "olcTLSVerifyClient: demand".
In my program and using ldapsearch I can bind to the server without any problems when using ldap://localhost.
With SSL:
When I try ldapsearch with ldaps://localhost I'm getting the error below:
$ ldapsearch -W -H ldaps://localhost -D "cn=admin,dc=local_server,dc=com" -b "ou=users,dc=local_server,dc=com" "uid=testuser"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And in my test program ldap_sasl_bind_s fails with: Can't contact LDAP server
Test program:
#include <cstring>
#include <iostream>
#include <string>
#include <ldap.h>

// Build with: g++ test_ldaps.cpp -lldap -llber
int main() {
    LDAP* session = nullptr;
    std::string server = "ldaps://localhost";
    std::string bind_dn = "cn=admin,dc=local_server,dc=com";
    std::string bind_password = "1234";
    int version = LDAP_VERSION3;
    int result = LDAP_OTHER;
    // PREPARE CONNECTION (ldap_initialize only parses the URL; nothing is sent yet)
    result = ldap_initialize(&session, server.c_str());
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_initialize failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    } else {
        std::cout << "ldap_initialize returned success" << std::endl;
    }
    result = ldap_set_option(session, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    // BIND TO SERVER. The TCP connect and the ldaps:// TLS handshake happen here.
    // No TLS options are set on this handle, so the handshake uses only the defaults
    // from ldap.conf and the LDAPTLS_* environment, and offers no client certificate.
    struct berval *admin_cred = ber_str2bv(strdup(bind_password.c_str()), 0, 0, nullptr);
    result = ldap_sasl_bind_s(session, bind_dn.c_str(), LDAP_SASL_SIMPLE, admin_cred, nullptr, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "admin ldap_sasl_bind_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        session = nullptr;
        ber_bvfree(admin_cred);   // frees both the berval and the strdup'd password
        return 1;
    } else {
        std::cout << "admin ldap_sasl_bind_s returned success" << std::endl;
    }
    ber_bvfree(admin_cred);
    ldap_unbind_ext_s(session, nullptr, nullptr);
    session = nullptr;
    return 0;
}
With StartTLS:
When using ldapsearch:
$ ldapsearch -W -H ldap://localhost -D "cn=admin,dc=pablo_local,dc=com" -b "ou=users,dc=pablo_local,dc=com" "uid=testuser" -Z
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
In my test program ldap_start_tls_s fails with:
Connect error
Test program:
#include <cstring>
#include <iostream>
#include <string>
#include <ldap.h>

// Build with: g++ test_starttls.cpp -lldap -llber
int main() {
    LDAP* session = nullptr;
    std::string server = "ldap://localhost";
    std::string bind_dn = "cn=admin,dc=local_server,dc=com";
    std::string bind_password = "1234";
    int version = LDAP_VERSION3;
    int result = LDAP_OTHER;
    // PREPARE CONNECTION (ldap_initialize only parses the URL; nothing is sent yet)
    result = ldap_initialize(&session, server.c_str());
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_initialize failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    } else {
        std::cout << "ldap_initialize returned success" << std::endl;
    }
    result = ldap_set_option(session, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    // ALLOW: ask for the server certificate, but carry on if it cannot be verified.
    int opt_cert = LDAP_OPT_X_TLS_ALLOW;
    result = ldap_set_option(session, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_cert);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    result = ldap_set_option(session, LDAP_OPT_X_TLS_CACERTFILE, "/certs/cacerts.pem");
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    // LDAP_OPT_X_TLS_NEWCTX builds the TLS context from the options set above, so it
    // must come after them. It takes an int*: 0 for a client context, non-zero for a
    // server context (LDAP_OPT_ON points at a char, not an int, and is not valid here).
    int new_ctx = 0;
    result = ldap_set_option(session, LDAP_OPT_X_TLS_NEWCTX, &new_ctx);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    // START TLS. No LDAP_OPT_X_TLS_CERTFILE / LDAP_OPT_X_TLS_KEYFILE is set on this
    // handle, so the client presents no certificate during the handshake.
    result = ldap_start_tls_s(session, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_start_tls_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        return 1;
    }
    // BIND TO SERVER
    struct berval *admin_cred = ber_str2bv(strdup(bind_password.c_str()), 0, 0, nullptr);
    result = ldap_sasl_bind_s(session, bind_dn.c_str(), LDAP_SASL_SIMPLE, admin_cred, nullptr, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "admin ldap_sasl_bind_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        session = nullptr;
        ber_bvfree(admin_cred);   // frees both the berval and the strdup'd password
        return 1;
    } else {
        std::cout << "admin ldap_sasl_bind_s returned success" << std::endl;
    }
    ber_bvfree(admin_cred);
    ldap_unbind_ext_s(session, nullptr, nullptr);
    session = nullptr;
    return 0;
}
What could I be doing wrong in the server configuration or in the code of the test programs?
I want the certificates to be used correctly, especially in the test programs that use the OpenLDAP API.
curl -v -k ldaps://.....