Hi Dave

My example:

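/*
 * ldap_conn - open a connection to an LDAP server (plain ldap:// or ldaps://)
 * and perform a simple bind.
 *
 * conn   : out-parameter.  On success receives the bound LDAP handle, which
 *          the caller must release with ldap_unbind_ext_s(); on failure it is
 *          set to NULL.  (The original took `LDAP *conn` by value, so
 *          ldap_initialize(&conn, ...) only filled a local copy and the caller
 *          never got the handle back - that is the main fix here.)
 * h, p   : server host name and port (p == 0 leaves the port out of the URI).
 * dn, pwd: bind DN and password.  This is a *simple* bind: the password is
 *          sent as-is, so without ssl it crosses the wire in clear text.
 * ssl    : non-zero selects the ldaps:// scheme (TLS from the first byte).
 * cafile : CA certificate file used to verify the server when ssl is set.
 *
 * Returns 1 on success, 0 on any failure.  Error reporting is left to the
 * caller (the original only had "Output error" placeholders).
 *
 * Notes for reviewers:
 *  - The TLS options are set with a NULL handle, i.e. process-wide defaults
 *    for libldap; they must be set before the first TLS context is created.
 *  - LDAP_OPT_X_TLS_REQUIRE_CERT is forced to "demand" so a server presenting
 *    a certificate that does not chain to cafile is rejected instead of
 *    silently relying on whatever TLS_REQCERT says in ldap.conf.
 *  - ldap_simple_bind_s() is kept because the rest of this thread uses it;
 *    it is a deprecated entry point (needs LDAP_DEPRECATED), the current
 *    equivalent is ldap_sasl_bind_s() with LDAP_SASL_SIMPLE.
 */
int ldap_conn(LDAP **conn, char *h, int p, char *dn, char *pwd, int ssl, char *cafile)
{
  int rc;
  int protocol = LDAP_VERSION3;         /* v3 is required for TLS and modern servers */
  int reqcert  = LDAP_OPT_X_TLS_DEMAND; /* verify the server certificate, fail otherwise */
  char *ldapuri = NULL;
  LDAP *ld = NULL;
  LDAPURLDesc url;

  if (conn == NULL) {
    return 0;
  }
  *conn = NULL;

  memset(&url, 0, sizeof(url));
  if (ssl) {
    url.lud_scheme = "ldaps";
    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, cafile);
    if (rc != LDAP_OPT_SUCCESS) {
      /* Output error */
      return 0;
    }
    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
    if (rc != LDAP_OPT_SUCCESS) {
      /* Output error */
      return 0;
    }
  } else {
    url.lud_scheme = "ldap";
  }
  url.lud_host  = h;
  url.lud_port  = p;
  url.lud_scope = LDAP_SCOPE_DEFAULT;

  /* ldap_url_desc2str() returns a freshly allocated string; the original
   * leaked it.  It is only needed for ldap_initialize(), so free it right
   * after. */
  ldapuri = ldap_url_desc2str(&url);
  if (ldapuri == NULL) {
    /* Output error */
    return 0;
  }
  rc = ldap_initialize(&ld, ldapuri);
  ldap_memfree(ldapuri);
  if (rc != LDAP_SUCCESS) {
    /* Output error */
    return 0;
  }

  /* The original declared `protocol` but never applied it, which leaves the
   * handle at the library default and can make the bind fail or downgrade. */
  rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &protocol);
  if (rc != LDAP_OPT_SUCCESS) {
    /* Output error */
    ldap_unbind_ext_s(ld, NULL, NULL);
    return 0;
  }

  rc = ldap_simple_bind_s(ld, dn, pwd);
  if (rc != LDAP_SUCCESS) {
    /* Output error - release the handle instead of leaking it */
    ldap_unbind_ext_s(ld, NULL, NULL);
    return 0;
  }

  *conn = ld;
  return 1;
}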

As on the command line, you have to hand libldap an ldaps:// URL (i.e. go through ldap_initialize() with the URL, as ldapsearch -H does) to get SSL; the port number on its own does not select it. Done that way, it works without problems.


Dave Ewart wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've written the following example code to demonstrate a difficulty I am
having in coding LDAP connections over SSL:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ldap.h>
#include <lber.h>

/*
 * Demonstration program from the original question.  It binds to the same
 * directory three ways - plain LDAP on 389, LDAP + StartTLS on 389, and
 * LDAPS on 636 - and prints the result of each simple bind.  Nothing is read
 * from the directory; the only point is whether the bind succeeds and what
 * tcpdump shows on the wire.
 *
 * Returns 1 if ldap_init() returns NULL; otherwise it falls off the end of
 * main() (which yields 0 under C99 rules).
 */
int main() {
    LDAP *ld;
    int ret;
    int version = 3;        /* LDAPv3, applied to each handle below */
    char *ldaphost;
    char *binddn;
    char *bindpass;

    ldaphost="ldap0.our.domain";
    binddn="uid=anon,ou=People,dc=our,dc=domain";
    bindpass="mypassword";  /* NOTE(review): hard-coded credential - fine for a test,
                             * never for real code */

    /* --------------------------------------------------------------------- */
    /* Variant #1 - using LDAP unencrypted on port 389 */

    /* ldap_init() is the old host/port entry point (deprecated in favour of
     * ldap_initialize() with a URI).  It does not connect yet; the TCP
     * connection is made by the bind below.  perror() is of limited use here
     * because ldap_init() is not documented to set errno. */
    if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
        perror("ldap_init"); /* no error here */
        return(1);
    }
    ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version); /* return value unchecked */
    /* Simple bind: DN and password are sent as-is on the plaintext session. */
    ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* Returns 'Success', so far so good */

    ldap_unbind(ld);
// tcpdump of above shows DN and password in the clear, as expected
    /* -------------------------------------------------------------------- */
    /* Variant #2 - using LDAP over TLS on port 389 */

    if ((ld = ldap_init(ldaphost, LDAP_PORT)) == NULL) {
        perror("ldap_init"); /* no error here */
        return(1);
    }
    ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    /* StartTLS: upgrade the existing plaintext session to TLS before binding. */
    ret = ldap_start_tls_s(ld, NULL, NULL);
    if (ret != LDAP_SUCCESS) {
        printf("ldap_start_tls() %s",ldap_err2string(ret));
    }
    /* NOTE(review): if ldap_start_tls_s() fails, the branch above only prints
     * and execution falls through to the bind below - the DN and password
     * would then go over the still-plaintext session exactly as in variant #1.
     * A real client must ldap_unbind() and stop here instead of binding.
     * Also, nothing in this program controls whether the server certificate
     * is verified; that comes from the library's TLS_REQCERT setting
     * (LDAP_OPT_X_TLS_REQUIRE_CERT), so check what that is on this system. */
    ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* Returns 'Success', so far so good */

    ldap_unbind(ld);

    // tcpdump of above shows presumably-encrypted traffic on port 389
/* ------------------------------------------------------------------ */
    /* Variant #3 - using LDAP over SSL, port 636 */

    /* This is the part that fails.  ldap_init(host, port) only sets up a
     * plain ldap:// session on the given host and port; passing LDAPS_PORT
     * changes the port number, it does not switch the transport to TLS.
     * LDAPS (TLS from the first byte) is selected by the URI scheme, i.e.
     * ldap_initialize(&ld, "ldaps://host") - which is what the working
     * `ldapsearch -H ldaps://...` invocation noted below does, and what the
     * reply earlier in this thread shows. */
    if ((ld = ldap_init(ldaphost, LDAPS_PORT)) == NULL) {
        perror("ldap_init"); /* no error here */
        return(1);
    }
    ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ret = ldap_simple_bind_s(ld,binddn,bindpass);
printf("Returns: %s\n", ldap_err2string(ret)); /* **** ERROR: Returns "Can't contact LDAP server" **** */

    // tcpdump of above shows absolutely *no* traffic on port 636 *at* *all*
    /* NOTE(review): unlike variants #1 and #2 this handle is never released
     * with ldap_unbind(); harmless in a throw-away test, a leak otherwise. */

    /* --------------------------------------------------------------- */
    /* ldapsearch -D "uid=anon,ou=People,dc=our,dc=domain" -H ldaps://ldap0.our.domain -W -x
     * from the same system works absolutely fine */
    /* --------------------------------------------------------------- */
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

What am I missing?  The ldaps connection does not even seem to connect
at all - there's no traffic visible on a tcpdump whatsoever.

All help much appreciated,

Thanks,

Dave.

- -- Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.our.domain/~davee/davee-our.domain.asc
N 51.7518, W 1.2016
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE/9AqbpQs/WlN43ARAvQwAKCx+RP7v8l1B8baLVNzXm7hBPbHsQCgxBYQ
Bf//hDqEz3W90AYxWBnaiKc=
=EMAp
-----END PGP SIGNATURE-----
