I don't have an answer to your question, but it seems odd that you'd have to supply your own routine. Does the corresponding ldap_get_option() return a null pointer? If you're getting cert validation errors you might have to check your certificate database to make sure you have the signer's cert in there.

Fred Younger
[EMAIL PROTECTED]
-----Original Message-----
From: Richard Gibson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 16, 2007 10:48 AM
To: [email protected]
Subject: [ldap] LDAP SSL
Hello there

Not sure if I've sent this to the correct area, please forgive me (and let me know) if I have. Do you have an example of code to implement the VerifyServerCert callback with regard to the option LDAP_OPT_SERVER_CERTIFICATE? Currently I'm using a bit of a bodge to accept the certificate:
    // Signature documented for the LDAP_OPT_SERVER_CERTIFICATE callback
    // (VERIFYSERVERCERT): BOOLEAN return, and the second argument is a
    // pointer to the PCCERT_CONTEXT, not the context itself.
    static BOOLEAN __cdecl VerifyCert(PLDAP ld, PCCERT_CONTEXT *pServerCert)
    {
        return TRUE;   // the "bodge": accept whatever certificate the server presents
    }
The above gets called from the following, hopefully enough is there to enable you to see what is going on:
    #include <windows.h>
    #include <winldap.h>    // ldap_sslinit, ldap_set_option, LDAP_OPT_*
    #include <wincrypt.h>   // PCCERT_CONTEXT
    // Msg(), GetLDAPErrorString() and FatalExit() are helpers from the
    // surrounding C++ Builder application and are not shown here.

    void DoStuff()
    {
        LDAP* ld;
        int iRtn;
        int connectSuccess;
        ULONG version = LDAP_VERSION3;
        SecPkgContext_ConnectionInfo sslInfo;
        LONG lv = 0;

        // The host name is taken from an edit control on the form.
        AnsiString Host = LabeledEdit1->Text;
        Msg("Connecting to host " + Host);

        // Create an LDAP session; the last argument (1) requests SSL.
        ld = ldap_sslinit(Host.c_str(), LDAP_SSL_PORT, 1);
        if (ld == NULL)
        {
            int errCode = GetLastError();
            Msg("ldap_sslinit failed with " + GetLDAPErrorString(errCode));
        }
        else
        {
            // Specify version 3; the default is version 2.
            Msg("Setting Protocol version to 3.");
            iRtn = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void*)&version);
            if (iRtn != LDAP_SUCCESS)
                FatalExit();

            // Verify that SSL is enabled on the connection
            // (the option returns LDAP_OPT_ON / LDAP_OPT_OFF).
            Msg("Checking if SSL is enabled");
            iRtn = ldap_get_option(ld, LDAP_OPT_SSL, (void*)&lv);
            if (iRtn != LDAP_SUCCESS)
                FatalExit();

            // If SSL is not enabled, enable it.
            if ((void*)lv == LDAP_OPT_ON)
                Msg("SSL is enabled");
            else
            {
                Msg("SSL not enabled. SSL being enabled...");
                ULONG ul = (ULONG) LDAP_OPT_ON;
                iRtn = ldap_set_option(ld, LDAP_OPT_SSL, &ul);
                if (iRtn != LDAP_SUCCESS)
                    FatalExit();
            }

            // Install the server certificate callback.
            Msg("Setting cert callback");
            ldap_set_option(ld, LDAP_OPT_SERVER_CERTIFICATE, &VerifyCert); // <<< THIS BIT HERE

            // Connect to the server; the callback fires during the SSL handshake.
            Msg("Connecting...");
            connectSuccess = ldap_connect(ld, NULL);
            if (connectSuccess == LDAP_SUCCESS)
                Msg("ldap_connect succeeded");
            else
            {
                Msg("ldap_connect failed with " + GetLDAPErrorString(connectSuccess));
                FatalExit();
            }

            // Bind with current credentials.
            Msg("Binding...");
            // More guff for binding etc. follows but isn't relevant to you....
        }
    }
If I don't use the botch, I get Server Down as the result. Any suggestions? All the other posts and sources I've seen tend to just return the equivalent of TRUE for a server certificate verification function. (For example, the post at http://groups.google.co.uk/group/microsoft.public.platformsdk.active.directory/browse_thread/thread/fc85205d5790eb66/ab275d627d4673c5?lnk=st&q=LDAP_OPT_SERVER_CERTIFICATE&rnum=7&hl=en#ab275d627d4673c5)

How do I get decent certificate verification? Any tips or pointers/locations?

Thanks in advance
Rich

---
You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.