ldap_set_option()不设置选项“LDAP_OPT_SSL”
[英]ldap_set_option() is not setting the option “LDAP_OPT_SSL”
问题描述
I have a windows application that is trying to connect to ldap server running on secured port 10636. 
我有一个Windows应用程序,试图连接到在安全端口10636上运行的ldap服务器。
Here's the source: 来源:
#include "windows.h"
#include "ntldap.h"
#include "winldap.h"
#include "schnlsp.h"
#include "stdio.h"
#include "tchar.h"
const size_t newsize = 100;
// Entry point for your application
int main(int argc, char* argv[])
{
LDAP* pLdapConnection = NULL;
INT returnCode = 0;
INT connectSuccess = 0;
ULONG version = LDAP_VERSION3;
SecPkgContext_ConnectionInfo sslInfo;
LONG lv = 0;
// Initialize an LDAP session using SSL.
pLdapConnection = ldap_sslinit("localhost",10636,1);
if (pLdapConnection == NULL)
{
printf( "ldap_sslinit failed.\n");
return -1;
}
// Specify version 3; the default is version 2.
printf("Setting Protocol version to 3.\n");
returnCode = ldap_set_option(pLdapConnection,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
if (returnCode != LDAP_SUCCESS)
goto FatalExit;
// Verify that SSL is enabled on the connection.
printf("Checking if SSL is enabled\n");
returnCode = ldap_get_option(pLdapConnection,LDAP_OPT_SSL,(void*)&lv);
if (returnCode != LDAP_SUCCESS)
goto FatalExit;
// If SSL is not enabled, enable it.
if ((void*)lv == LDAP_OPT_ON)
printf("SSL is enabled\n");
else
{
printf("SSL not enabled.\n SSL being enabled...\n");
returnCode = ldap_set_option(pLdapConnection,LDAP_OPT_SSL,LDAP_OPT_ON);
if (returnCode != LDAP_SUCCESS)
goto FatalExit;
}
// Connect to the server.
connectSuccess = ldap_connect(pLdapConnection, NULL);
if(connectSuccess == LDAP_SUCCESS)
printf("ldap_connect succeeded \n");
else
{
printf("ldap_connect failed with 0x%x.\n",connectSuccess);
goto FatalExit;
}
// Bind with current credentials.
printf("Binding ...\n");
returnCode = ldap_bind_s(pLdapConnection,NULL,NULL,LDAP_AUTH_NEGOTIATE);
if (returnCode != LDAP_SUCCESS)
goto FatalExit;
// Retrieve the SSL cipher strength.
printf("Getting SSL info\n");
returnCode = ldap_get_option(pLdapConnection,LDAP_OPT_SSL_INFO,&sslInfo);
if (returnCode != LDAP_SUCCESS)
goto FatalExit;
printf("SSL cipher strength = %d bits\n",sslInfo.dwCipherStrength);
goto NormalExit;
// Perform cleanup.
NormalExit:
if (pLdapConnection != NULL)
ldap_unbind_s(pLdapConnection);
return 0;
// Perform cleanup after an error.
FatalExit:
if( pLdapConnection != NULL )
ldap_unbind_s(pLdapConnection);
printf( "\n\nERROR: 0x%x\n", returnCode);
return returnCode;
}
After setting the ldap_set_option(pLdapConnection,LDAP_OPT_SSL,LDAP_OPT_ON); 设置ldap_set_option(pLdapConnection,LDAP_OPT_SSL,LDAP_OPT_ON); , the application is still not able to set the option. ,应用程序仍然无法设置该选项。 Hence, the connection fails with return code LDAP_SERVER_DOWN . 因此,连接失败,返回码为LDAP_SERVER_DOWN 。
Can someone point why it is not able to set the option? 有人可以指出为什么它无法设置该选项吗? The server does support ldaps:// connections. 服务器确实支持ldaps://连接。
UPDATE: When I did ldapsearch on the ldap server 更新:当我在ldap服务器上执行ldapsearch时
ldapsearch -x -H ldaps://localhost -p 10636 -d 1
I got the error: 我得到了错误:
ldap_url_parse_ext(ldaps://localhost:10636)
ldap_create
ldap_url_parse_ext(ldaps://localhost:10636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:10636
ldap_new_socket: 472
ldap_prepare_socket: 472
ldap_connect_to_host: Trying ::1 10636
ldap_pvt_connect: fd: 472 tm: -1 async: 0
attempting to connect:
connect errno: 10061
ldap_close_socket: 472
ldap_new_socket: 472
ldap_prepare_socket: 472
ldap_connect_to_host: Trying 127.0.0.1:10636
ldap_pvt_connect: fd: 472 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=US/O=ASF/OU=ApacheD
S/CN=zanzibar, issuer: /C=US/O=ASF/OU=ApacheDS/CN=zanzibar
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:cert
ificate verify failed (self signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
However, after adding "TLS_REQCERT never" to ldap.conf everything started working. 但是,在ldap.conf中添加“ TLS_REQCERT从不”后,所有内容都开始工作。
Now, How to make my sample program skip "TLS certificate verification"? 现在, 如何使我的示例程序跳过“ TLS证书验证”?
1 个解决方案
解决方案1
-1 2014-01-17 16:31:10
Try to pass the following environment variable to your code: 尝试将以下环境变量传递给您的代码:
LDAPTLS_REQCERT=never
to ignore server certificate which could be expired or invalid. 忽略可能过期或无效的服务器证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.