Hi,
I have had a problem with connecting to my ldap server using SSL.
I use a test tool called ldapbrowser to test connectivity whenever I do
anything with LDAP, connecting to port 389, this is not a problem, using the
same DN etc. I can also connect to port 636 securely to both my ldap servers
by importing the certificates into the keystore using the keytool.
I am currently using:
ldapcsdk-6.02-SunOS5.10_sparc_OPT
and:
ldapcsdk5.08-SunOS5.6_OPT.OBJ
I can connect using port 389 and make a successful bind, but if I try to
connect to port 636 I get the following error:
Error - ldap_simple_bind_s
the return value is:
51
or
81 Decimal
I haven't checked for any LDAP Server debug log as I assumed it was all ok
as ldapbrowser seems to connect fine. I generated my certificates in the
following way:
1. created a CA
2. created a server certificate signed with the CA
3. imported into a cert7.db and key3.db
this is what I used to setup a Sun One LDAP Server, further details:
nss-3.4.2.tar.gz
nspr-4.2.2.tar.gz
untar'd both nss-3.4.2.tar.gz and nspr-4.2.2.tar.gz to the same folder
/usr/tmp/combind/certutil -N -d /tmp/cert7/
/usr/tmp/combine/certutil -A -n CAcert -t "PTCu,PTCu,PTCu" -i
/tmp/CAcert.cert -d /tmp/cert7/
/usr/sfw/bin/certutil -A -n Servercert -t
"PTCu,PTCu,PTCu" -i/tmp/Servercert.cert -d /tmp/cert7/
then I use the following client code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h>
#include "ldap.h"
#include "ldap_ssl.h"
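/* Bind identity used for every validation attempt.  The original listing had
 * this macro split over two lines, which does not compile; it is joined here.
 * ldap_ssl_validate() ignores its username argument and always binds as this DN. */
#define BIND_DN "uid=sbrown,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
/* Not referenced anywhere in this listing (main() passes the password directly). */
#define BIND_PW "password"
/* NSS cert7.db / key3.db directory handed to ldapssl_clientauth_init().
 * NOTE(review): the certutil steps above populate /tmp/cert7/, not this
 * directory; confirm the client is reading the database that actually holds
 * the CA certificate, otherwise the SSL trust check cannot succeed. */
#define MY_CERTDB_PATH "/tmp/ssl"
#define MY_KEYDB_PATH "/tmp/ssl"
/* Written by log(); the directory must exist or logging silently fails. */
#define DEBUG_LOG "/tmp/ssl/ssl.log"
/* Presumably compared by the SDK against the name in the server certificate
 * during the SSL handshake -- confirm it matches what the certificate carries. */
#define HOSTNAME "hostname"
#define SSL_PORT_NUMBER 636
#define PORTNUMBER 389  /* plain-text port; unused by the SSL path below */
int ldap_ssl_validate(char *username, char *password);
int log(char *message);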
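/*
 * Entry point: attempt one SSL bind with a fixed test user and report the
 * outcome.  main() treats any non-zero value from ldap_ssl_validate() as a
 * failure and prints it in hex and decimal.
 *
 * Fixes against the original: the printf() format string was split across
 * two lines (a compile error), and the process now exits non-zero on failure
 * so a calling script can tell the two outcomes apart.
 */
int main(void)
{
    int rc = ldap_ssl_validate("sbrown", "password");

    if (rc != 0) {
        /* rc may be negative; cast so %x is given the unsigned it expects. */
        printf("The Error code returned is HEX VALUE: %x and DEC VALUE: %d\n",
               (unsigned)rc, rc);
        return EXIT_FAILURE;
    }
    printf("No Error Occurred!\n");
    return EXIT_SUCCESS;
}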
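/*
 * Open an SSL connection to HOSTNAME:SSL_PORT_NUMBER and perform a simple
 * bind with the supplied password.
 *
 * username is currently not used: the bind is always attempted as BIND_DN
 * (the original declared a dn[] buffer for a per-user DN but never filled it).
 *
 * Returns 0 (LDAP_SUCCESS) when the bind succeeds, a negative value when the
 * local SSL client setup or the connection handle could not be created, or
 * the LDAP result code from ldap_simple_bind_s() when the bind fails.  The
 * original returned 1 on success, which main() then reported as an error.
 * The LDAP handle is released on every path before returning.
 */
int ldap_ssl_validate(char *username, char *password)
{
    LDAP *ld;
    int rc;
    int version = LDAP_VERSION3;

    (void)username; /* bind identity is fixed to BIND_DN, see above */

    /* Initialize the client.  The original wrote `if (rc = f() < 0)`, which
     * stores the result of the comparison (0 or 1) in rc and so never branches
     * on a negative status; the call is separated from the test here. */
    rc = ldapssl_clientauth_init(MY_CERTDB_PATH, NULL, 1, MY_KEYDB_PATH, NULL);
    if (rc < 0) {
        log("Error - ldapssl_client_init");
        perror("ldapssl_client_init"); /* errno is not necessarily set by the SDK here */
        return rc;
    }
    printf("> ldap_client_init - Success!\n");

    if ((ld = ldapssl_init(HOSTNAME, SSL_PORT_NUMBER, 1)) == NULL) {
        perror("ldap_init");
        return -1;
    }
    printf("> ldapssl_init - Success! \n");

    if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) < 0) {
        ldap_perror(ld, "ldap_set_option LDAPv3");
        ldap_unbind(ld);
        return -1;
    }

    /* The truss output shows the TCP connect and SSL handshake happen after
     * the "ldapssl_init - Success!" message, i.e. inside this call, so a
     * handshake failure surfaces as a bind error rather than an init error.
     * NOTE(review): in that trace the client answers the server hello with a
     * 7-byte record starting 0x15 (TLS alert) and ending 0x30, which looks
     * like a fatal "unknown CA" alert -- the client would then not be trusting
     * the CA in its cert db.  Confirm against the server's log. */
    rc = ldap_simple_bind_s(ld, BIND_DN, password);
    if (rc != LDAP_SUCCESS) {
        log("Error - ldap_simple_bind_s");
        printf("Error - ldap_simple_bind_s\n");
        ldap_unbind(ld); /* the original leaked the handle on this path */
        return rc;
    }

    /* STEP 3: Disconnect from the server. */
    ldap_unbind(ld);
    log("Success - ldap_simple_bind_s");
    return LDAP_SUCCESS;
}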
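/*
 * Append one time-stamped line, "<local time> > <message>", to DEBUG_LOG.
 *
 * Fixes against the original: rawtime was never assigned (ctime() was called
 * on an uninitialised value), the fopen() result was dereferenced unchecked,
 * and mode "wt" truncated the file on every call so only the last message
 * survived (the truss output shows the O_TRUNC open).  The timestamp is
 * formatted with strftime() so no trailing newline lands inside the line.
 *
 * Returns 0 on success, -1 if the log file cannot be opened or closed
 * (the message is then dropped; callers ignore the result).
 *
 * Note: the name collides with log() from <math.h>; do not include that
 * header in this file without renaming this function.
 */
int log(char *message)
{
    time_t now = time(NULL);
    struct tm *lt = localtime(&now);
    char stamp[32] = "?";
    FILE *fp;

    /* localtime() may return NULL; keep the "?" placeholder in that case. */
    if (lt != NULL) {
        strftime(stamp, sizeof stamp, "%a %b %e %H:%M:%S %Y", lt);
    }

    fp = fopen(DEBUG_LOG, "a");
    if (fp == NULL) {
        return -1;
    }
    fprintf(fp, "%s > %s\n", stamp, message);
    /* fclose() flushes; a failure here means the line may not be on disk. */
    if (fclose(fp) != 0) {
        return -1;
    }
    return 0;
}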
The following is truss output from the application using:
ldapcsdk-6.02-SunOS5.10_sparc_OPT
<SNIP>
stat("/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
stat("/usr/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
stat("/usr/local/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
stat("/usr/lib/secure/libatomic.so", 0xFFBFF380) Err#2 ENOENT
write(1, " > l d a p s s l _ i n".., 27) = 27
brk(0x000557C0) = 0
brk(0x000577C0) = 0
open("/etc/netconfig", O_RDONLY|O_LARGEFILE) = 5
fcntl(5, F_DUPFD, 0x00000100) = 256
close(5) = 0
read(256, " # p r a g m a i d e n".., 1024) = 1024
read(256, " t s t p i _ c".., 1024) = 215
read(256, 0x000551F8, 1024) = 0
lseek(256, 0, SEEK_SET) = 0
read(256, " # p r a g m a i d e n".., 1024) = 1024
read(256, " t s t p i _ c".., 1024) = 215
read(256, 0x000551F8, 1024) = 0
close(256) = 0
open("/dev/udp", O_RDONLY) = 5
ioctl(5, SIOCGLIFNUM, 0xFFBFED14) = 0
close(5) = 0
brk(0x000577C0) = 0
brk(0x000597C0) = 0
open64("/var/run/name_service_door", O_RDONLY) = 5
fcntl(5, F_SETFD, 0x00000001) = 0
door_info(5, 0xFEE6F7E8) = 0
door_call(5, 0xFFBFCC78) = 0
door_info(5, 0xFFBFCC90) = 0
door_call(5, 0xFFBFCC78) = 0
brk(0x000597C0) = 0
brk(0x0005B7C0) = 0
open("/etc/default/nss", O_RDONLY|O_LARGEFILE) = 6
fcntl(6, F_DUPFD, 0x00000100) = 256
close(6) = 0
read(256, " # i d e n t\t " @ ( #".., 1024) = 1024
read(256, " y t h o s e\n # f u n".., 1024) = 211
read(256, 0x000551F8, 1024) = 0
close(256) = 0
so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
fcntl(6, F_GETFL) = 2
fcntl(6, F_SETFL, FWRITE|FNONBLOCK) = 0
connect(6, 0xFFBFF5B8, 16, SOV_DEFAULT) Err#150 EINPROGRESS
pollsys(0xFFBFF2F0, 1, 0xFFBFF278, 0x00000000) = 1
getsockopt(6, SOL_SOCKET, SO_ERROR, 0xFFBFF218, 0xFFBFF21C, SOV_DEFAULT) = 0
brk(0x0005B7C0) = 0
brk(0x0005F7C0) = 0
brk(0x0005F7C0) = 0
brk(0x000637C0) = 0
getpeername(6, 0xFFBFF5C8, 0xFFBFF564, SOV_DEFAULT) = 0
time() = 1201294867
getpeername(6, 0xFFBFF4F8, 0xFFBFF494, SOV_DEFAULT) = 0
time() = 1201294867
brk(0x000637C0) = 0
brk(0x000677C0) = 0
write(6, "80 4010301\01B\0\0\010\0".., 54) = 54
read(6, "160301", 3) = 3
read(6, "07D7", 2) = 2
brk(0x000677C0) = 0
brk(0x0006B7C0) = 0
read(6, "02\0\0 F0301\0\0 k mE2 A".., 2007) = 2007
brk(0x0006B7C0) = 0
brk(0x0006D7C0) = 0
brk(0x0006D7C0) = 0
brk(0x0006F7C0) = 0
lseek(3, 16384, SEEK_SET) = 16384
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192) = 8192
brk(0x0006F7C0) = 0
brk(0x000717C0) = 0
brk(0x000717C0) = 0
brk(0x000737C0) = 0
brk(0x000737C0) = 0
brk(0x000757C0) = 0
brk(0x000757C0) = 0
brk(0x000777C0) = 0
write(6, "150301\00202 0", 7) = 7
time() = 1201294867
open("/tmp/ssl/ssl.log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
brk(0x000777C0) = 0
brk(0x000797C0) = 0
open("/usr/share/lib/zoneinfo/GB", O_RDONLY) = 8
fstat64(8, 0xFFBFF788) = 0
read(8, " T Z i f\0\0\0\0\0\0\0\0".., 1323) = 1323
close(8) = 0
fstat64(7, 0xFFBFEBD0) = 0
brk(0x000797C0) = 0
brk(0x0007B7C0) = 0
fstat64(7, 0xFFBFEA78) = 0
ioctl(7, TCGETA, 0xFFBFEB5C) Err#25 ENOTTY
write(7, " T h u J a n 1 0".., 55) = 55
close(7) = 0
write(1, " E r r o r - l d a p".., 27) = 27
write(1, " T h e E r r o r c o".., 59) = 59
_exit(0)
</SNIP>
That's not all of it, just the bottom end;
there are libatomic.so errors throughout. I had a problem earlier compiling
the Mozilla LDAP SDK with a libatomic.so error, which I didn't overcome as I
used the 6.02 binaries; it has something to do with NSPR, which I assumed got
compiled OK when I compiled the NSS source that included it.
I also have a fear that it's certificate related: even though the Sun One
Server recognises the certificates in the Sun One Management console and
ldapbrowser can connect, I think that it may not be right for the client SDK.
Any ideas or analysis on this would be most appreciated,
regards
Stephen