We help IT Professionals succeed at work.
Get Started
Private
Troubleshooting Question

OpenLDAP certificate issues

PDamasceno
PDamasceno asked
on
2 Comments
1 Solution
42 Views
Last Modified: 2020-12-07
I wrote a small program to test the OpenLDAP API using TLS or SSL with a local server I made. Everything is in a CentOS machine.

The server has self signed certificates and the option "olcTLSVerifyClient: demand".

In my program and using ldapsearch I can bind to the server without any problems when using ldap://localhost.

With SSL:
When I try ldapsearch with ldaps://localhost I'm getting the error below:
$ ldapsearch -W -H ldaps://localhost -D "cn=admin,dc=local_server,dc=com" -b "ou=users,dc=local_server,dc=com" "uid=testuser"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And on my test program ldap_sasl_bind_s fails with:
Can't contact LDAP server

Test program:
int main() {
    LDAP* session = nullptr;

    std::string sever = "ldaps://localhost";
    std::string bind_dn = "cn=admin,dc=local_server,dc=com";
    std::string bind_password = "1234";
    int version = LDAP_VERSION3;
    int result = LDAP_OTHER;

    // PREPARE CONNECTION
    result = ldap_initialize(&session, sever.c_str());
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_initialize failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    } else {
        std::cout << "ldap_initialize returned success" << std::endl;
    }

    result = ldap_set_option(session, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    // BIND TO SERVER
    struct berval *admin_cred = ber_str2bv(strdup(bind_password.c_str()), 0, 0, nullptr);

    result = ldap_sasl_bind_s(session, bind_dn.c_str(), LDAP_SASL_SIMPLE, admin_cred, nullptr, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "admin ldap_sasl_bind_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        session = nullptr;
        ber_bvfree(admin_cred);
        return 1;
    } else {
        std::cout << "admin ldap_sasl_bind_s returned success" << std::endl;
    }

    ber_bvfree(admin_cred);
    ldap_unbind_ext_s(session, nullptr, nullptr);
    session = nullptr;
    return 0;
}

Wtih StartTLS:
When using ldapsearch:
$ ldapsearch -W -H ldap://localhost -D "cn=admin,dc=pablo_local,dc=com" -b "ou=users,dc=pablo_local,dc=com" "uid=testuser" -Z
ldap_start_tls: Connect error (-11)
   additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On my test program ldap_start_tls_s fails with:
Connect error

Test program:
int main() {
    LDAP* session = nullptr;

    std::string sever = "ldap://localhost";
    std::string bind_dn = "cn=admin,dc=local_server,dc=com";
    std::string bind_password = "1234";
    int version = LDAP_VERSION3;
    int result = LDAP_OTHER;

    // PREPARE CONNECTION
    result = ldap_initialize(&session, sever.c_str());
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_initialize failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    } else {
        std::cout << "ldap_initialize returned success" << std::endl;
    }

    result = ldap_set_option(session, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    int opt_cert = LDAP_OPT_X_TLS_ALLOW;
    result = ldap_set_option(session, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_cert);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    result = ldap_set_option(session, LDAP_OPT_X_TLS_NEWCTX, LDAP_OPT_ON);
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    result = ldap_set_option(session, LDAP_OPT_X_TLS_CACERTFILE, "/certs/cacerts.pem");
    if (result != LDAP_OPT_SUCCESS) {
        std::cout << "ldap_set_option failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    // START TLS
    result = ldap_start_tls_s(session, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "ldap_start_tls_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        return 1;
    }

    // BIND TO SERVER
    struct berval *admin_cred = ber_str2bv(strdup(bind_password.c_str()), 0, 0, nullptr);

    result = ldap_sasl_bind_s(session, bind_dn.c_str(), LDAP_SASL_SIMPLE, admin_cred, nullptr, nullptr, nullptr);
    if (result != LDAP_SUCCESS) {
        std::cout << "admin ldap_sasl_bind_s failed" << std::endl;
        std::cout << ldap_err2string(result) << std::endl;
        ldap_unbind_ext_s(session, nullptr, nullptr);
        session = nullptr;
        ber_bvfree(admin_cred);
        return 1;
    } else {
        std::cout << "admin ldap_sasl_bind_s returned success" << std::endl;
    }

    ber_bvfree(admin_cred);
    ldap_unbind_ext_s(session, nullptr, nullptr);
    session = nullptr;
    return 0;
}

What could I be doing wrong in the server configuration or with my code in the test programs?
I want to have the certificates being correctly used specially in the test programs with the OpenLDAP API.
Comment
Watch Question
Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2020
Commented:
This problem has been solved!
Unlock 1 Answer and 2 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE