[email protected] wrote:
> Divyanshi Chauhan <[email protected]>
> 1:33 PM (3 hours ago)
> to openldap-technical-owner, openldap-devel-owner, openldap-bugs-owner
>
> Hello,
>
> I have an ldaps client code which connects to the ldap server securely and
> does authentication.
>
> I have set the global option for ca cert directory.
> int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE,
> const_cast<char*>("path"));
> Correct certificate is present in the path and hence connection to the ldap
> server and authentication is successful in first attempt.
>
> Now, as per one of the requirements, the certificate is removed from the
> above client directory and authentication is attempted; we want it to fail
> because the certificate has been deleted from the directory. But the bind to
> the ldap server and authentication still succeed. Ideally it should fail,
> as per my understanding.
>
> I did try removing the certificate from memory using following option:
> char * crt;
> ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt);
> ldap_memfree(crt);
> I am not sure if the above way is correct or not, please advise.
No. Instead you should reinitialize the TLS Context. Use
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, 0);
>
> I also did try forcing to look for ca certificate using following option:
> int reqcert = LDAP_OPT_X_TLS_HARD;
> ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);
> But this also did not help.
>
> Please suggest how a certificate, which is once loaded can be deleted from
> the openldap cache. Also please advise if I am doing something wrong in the
> above approach.
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/