Have you configured your certificate TrustStore to trust the Chain that signed 
the Certificate on LDAPS?

The trust should be defined in ldap.conf using TLS_CACERT

Bradley Gill
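As an added example (not part of either message in this thread), this is an ldap.conf fragment that defines the trust the way the reply describes. The hostname and CA file name are taken from the question below; the file locations and the BASE value are assumptions.

```conf
# /etc/openldap/ldap.conf (Debian/Ubuntu: /etc/ldap/ldap.conf)
# Assumed values: the certificate path and BASE are placeholders, the URI is from the question.
URI          ldaps://TestServer.mylab.com:636
BASE         dc=mylab,dc=com

# PEM file holding the CA chain that signed the LDAPS server certificate.
# A Windows-exported .cer is often DER; convert it first with
#   openssl x509 -inform der -in mylab-TESTSERVER-CA.cer -out mylab-TESTSERVER-CA.pem
TLS_CACERT   /etc/openldap/certs/mylab-TESTSERVER-CA.pem

# "demand" (the default) fails the connection when the chain does not verify.
# "never" would hide a trust problem instead of fixing it, so leave it at demand.
TLS_REQCERT  demand
```

libldap reads this file at startup, so a client that calls ldap_initialize() with an ldaps:// URI verifies the server certificate against TLS_CACERT without any LDAP_OPT_X_TLS_* calls in the program. A quick check from the same machine is `ldapsearch -H ldaps://TestServer.mylab.com:636 -x -b "" -s base`: if that reports "Can't contact LDAP server", the chain in TLS_CACERT does not match the certificate the server presents, and running `openssl s_client -connect TestServer.mylab.com:636 -showcerts` shows which issuer the server is actually using.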

From: BANDANI MAHARANA <[email protected]>
Sent: Thursday, August 11, 2022 2:50 PM
To: [email protected]
Subject: [EXTERNAL] Unable to connect to 636 secure port using LDAP library


Hi Team,
I am trying to connect to an Active Directory server on port 636 for a secure 
connection. I am using the OpenLDAP library to establish the connection.
The implementation is complete for the insecure connection on port 389. Below is 
the code snippet I am using to establish the connection with the LDAP server on 
port 636.

      #include <iostream>
      #define LDAP_DEPRECATED 1   // ldap_simple_bind_s() is only declared with this in current OpenLDAP headers
      #include <ldap.h>
      using std::cout;

      LDAP * ldap_handler = NULL;
      // ldap_initialize() fills in the handle, so it takes the address of the pointer (LDAP **)
      int return_value = ldap_initialize(&ldap_handler, "ldaps://TestServer.mylab.com:636"); //server url
      if (return_value == LDAP_SUCCESS) {
            cout<<"LDAP initialized successfully"; // this is successful for me
      } else {
            cout<<"LDAP initialization failed: "<<ldap_err2string(return_value);
      }

      // ldap_set_option() takes the handle itself (not *ldap_handler) and a pointer to the value
      int protocol_version = LDAP_VERSION3;
      return_value = ldap_set_option(ldap_handler, LDAP_OPT_PROTOCOL_VERSION, &protocol_version);
      if(return_value == LDAP_SUCCESS) {
            cout<<"success"; // this is successful for me
      } else {
            cout<<"failed";
      }

      // the CA file must be PEM encoded and contain the chain that signed the server certificate
      const char * CACERT_FILE_PATH  = "certificate/mylab-TESTSERVER-CA.cer"; //certificate path
      int return_value1 = ldap_set_option(ldap_handler, LDAP_OPT_X_TLS_CACERTFILE, CACERT_FILE_PATH);
      if (return_value1 == LDAP_SUCCESS) {
            // per-handle TLS options only take effect once a new TLS context is created for the handle
            int is_server = 0;
            ldap_set_option(ldap_handler, LDAP_OPT_X_TLS_NEWCTX, &is_server);
      } else {
            // it's failing here with error -1, and error string "Can't contact to LDAP server"
            cout<<"setting CA file failed: "<<ldap_err2string(return_value1);
      }

      // the backslash must be escaped in a C string literal, and the stray quote before the password is removed
      return_value = ldap_simple_bind_s(ldap_handler, "mylab\\administrator", "pwd@1234");
      if (return_value == LDAP_SUCCESS) {
          //success
      } else {
          // it's failing here with error -1, and error string "Can't contact to LDAP server"
          cout<<"bind failed: "<<ldap_err2string(return_value);
      }
      
I have verified that the same thing works when connecting to port 389.
Could you please suggest how to make this work for a secure LDAP connection over 
SSL? Please provide some examples or references. It will be helpful for me.

Thanks & Regards,
Bandani
