Howard Chu wrote:
> [email protected] wrote:
>> Divyanshi Chauhan <[email protected]>
>>
>> Hello,
>>
>> I have an ldaps client code which connects to the ldap server securely and
>> does authentication.
>>
>> I have set the global option for ca cert directory.
>> int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE,
>> const_cast<char*>("path"));
>> The correct certificate is present in the path, and hence the connection to the ldap
>> server and authentication are successful on the first attempt.
>>
>> Now, as per one of the requirements, the certificate is removed from the
>> above client directory and authentication is attempted; we want it to fail,
>> as the certificate is deleted from the directory. But still the bind to the ldap
>> server and authentication are happening successfully. It should ideally fail,
>> as per my understanding.
>>
>> I did try removing the certificate from memory using following option:
>> char * crt;
>> ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt);
>> ldap_memfree(crt);
>> I am not sure if the above way is correct or not, please advise.
>
> No. Instead you should reinitialize the TLS Context. Use
> ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, 0);
Correction:
int is_server = 0;
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &is_server);
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/