Question
I am working on a website which is used to reset the passwords of LDAP users. I am not able to make a connection with the server over SSL. I tried various code and authentication types.
This is what is used on the server (the one the website is hosted on) for connectivity with LDAP. I also tested it with both SSL ports, 636 and 3269.
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); v.3
{NtAuthIdentity: User='_ldapuser'; Pwd='unavailable'; domain = 'SJTPNOC.DOMAIN'}
I am using the following code in the website:
using System.DirectoryServices.Protocols;
using System.Net;

// Connect to the domain over LDAPS (port 636) with a simple (password) bind.
LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier("SJTP.DOMAIN", 636));
connection.SessionOptions.ProtocolVersion = 3;
connection.AuthType = AuthType.Basic;
// NetworkCredential(userName, password, domain): the third argument is the domain name, not a container DN.
connection.Credential = new NetworkCredential("CN=user,CN=Users,DC=SJTPNOC,DC=DOMAIN", "password", "CN=Users,DC=SJTPNOC,DC=DOMAIN");
// Must be set before Bind(); the TLS handshake happens on the first request.
connection.SessionOptions.SecureSocketLayer = true;
connection.Bind();
I am getting the exception "LDAP server is unavailable". I tried the same code with port 389 and without SSL and it works fine.
Please let me know what is wrong.
Answer 1:
If you only want encryption and do not need strong authentication of the LDAP server, maybe you should add:
connection.SessionOptions.VerifyServerCertificate =
new VerifyServerCertificateCallback((con, cer) => true);
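The callback above makes the "server unavailable" error go away because it is the server certificate check that was failing: when no VerifyServerCertificate callback is set, wldap32 validates the certificate through Schannel and an untrusted one aborts the handshake with exactly this error. Returning true unconditionally keeps the encryption but lets anyone who can intercept the connection present their own certificate and harvest the bind password. The following is an added example, not code from the question or the answers, showing that callback next to one that actually validates the chain, pins it to the organisation's own root CA and checks the host name. The host name, the bind credentials and the root CA thumbprint are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example; host, credentials and thumbprint below are placeholders.
public static class LdapsServerTrust
{
    // The callback from the answer: encrypts the session but authenticates
    // nothing, so a man-in-the-middle on port 636 is accepted silently.
    public static bool AcceptAnyServerCert(LdapConnection con, X509Certificate cert)
    {
        return true;
    }

    // SHA-1 thumbprint of the internal root CA that issued the domain
    // controllers' certificates. Placeholder value; load it from configuration.
    public const string PinnedRootThumbprint = "0000000000000000000000000000000000000000";

    // Hardened callback: the chain must build, must end in our own root,
    // and the certificate must name the host we dialed.
    public static bool VerifyPinnedServerCert(LdapConnection con, X509Certificate cert)
    {
        var leaf = new X509Certificate2(cert);

        var chain = new X509Chain();
        // Online revocation needs the CRL/OCSP endpoint reachable from the web server;
        // use NoCheck only if you have decided that deliberately.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        if (!chain.Build(leaf))
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine("LDAPS chain error: " + status.StatusInformation);
            return false;
        }

        // Build() accepts any root in the machine store; pin to ours so a
        // certificate from some other publicly trusted CA is still rejected.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, PinnedRootThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("LDAPS chain ends in unexpected root: " + root.Subject);
            return false;
        }

        // The callback receives no host name, so recover the one we connected with.
        string dialed = ((LdapDirectoryIdentifier)con.Directory).Servers[0];
        // First DNS SAN (or CN) of the leaf certificate.
        string certHost = leaf.GetNameInfo(X509NameType.DnsName, false);
        bool exact = string.Equals(certHost, dialed, StringComparison.OrdinalIgnoreCase);
        // When dialing the domain name, as the question does, whichever DC answers
        // presents its own FQDN (dc01.sjtp.domain), so also accept hosts in that domain.
        bool inDomain = certHost.EndsWith("." + dialed, StringComparison.OrdinalIgnoreCase);
        if (!exact && !inDomain)
        {
            Console.Error.WriteLine("LDAPS certificate is for " + certHost + ", not " + dialed);
            return false;
        }
        return true;
    }

    public static LdapConnection Connect(string host, string userDn, string password)
    {
        var con = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        con.SessionOptions.ProtocolVersion = 3;
        con.SessionOptions.SecureSocketLayer = true;
        // Set the callback before Bind(); the handshake runs on the first request.
        con.SessionOptions.VerifyServerCertificate = VerifyPinnedServerCert;
        con.AuthType = AuthType.Basic;
        con.Credential = new NetworkCredential(userDn, password);
        con.Bind();
        return con;
    }
}
```

Swapping `VerifyPinnedServerCert` for `AcceptAnyServerCert` in `Connect` reproduces the answer's behaviour. The chain errors written to stderr are the quickest way to learn why the default validation was failing in the first place (unknown issuer, expired certificate, name mismatch), which is usually the better thing to fix.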
Answer 2:
I also had a problem connecting via SSL, but not over plaintext. I did some network sniffing and was able to see that although I had set the LdapConnection.AuthType to Basic, my client machine was finding and using client certificates for the SSL handshake. The certificate it found (I don't know if I should be mad at Visual Studio or the .NET LdapConnection class) was a cheesy self-signed cert that the LDAP server did not like. It returned a very secure "server unavailable" error; good for it. So there is a client certificate resolver delegate in the SessionOptions that I needed to provide with a very simple implementation:
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Returning null tells the TLS handshake not to present any client certificate.
public static X509Certificate ClientCertFinder(LdapConnection connection, byte[][] trustedCAs)
{
    return null;
}
Then, set the SessionOptions QueryClientCertificateCallback delegate to use the stub like this:
connection.SessionOptions.QueryClientCertificate =
new QueryClientCertificateCallback(ClientCertFinder);
You could probably even make this a oneliner as in @jbl's answer for the validation callback, but maybe some day I'll want to do client-certificate-authentication, and having that stub serves as a reminder for how to do it.
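The stub above is the right default: a web application that binds with a password has no business offering whatever certificate happens to be in the machine store. When client-certificate authentication is eventually wanted, the callback should return exactly one configured certificate, and only when the server has said it accepts that certificate's issuer. The following is an added example, not code from the answer, of such a selector; the thumbprint, host and credentials are placeholders, and the issuer filter assumes, as the .NET documentation describes, that `trustedCAs` carries the DER-encoded names of the certification authorities the server trusts.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example; the thumbprint, host and credentials are placeholders.
public static class LdapsClientCert
{
    // Thumbprint of the one certificate this application may present.
    // Empty means "never send a client certificate", i.e. the stub's behaviour.
    public static string AllowedClientCertThumbprint = "";

    public static X509Certificate SelectClientCert(LdapConnection connection, byte[][] trustedCAs)
    {
        if (string.IsNullOrEmpty(AllowedClientCertThumbprint))
            return null;

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly drops expired or untrusted entries, so a leftover
            // self-signed development certificate is never picked up here.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, AllowedClientCertThumbprint, validOnly: true);
            if (matches.Count == 0 || !matches[0].HasPrivateKey)
                return null;
            X509Certificate2 cert = matches[0];

            // Offering a certificate from an issuer the server does not accept is
            // what turned into "server unavailable" in the answer; decline instead.
            if (trustedCAs != null && trustedCAs.Length > 0)
            {
                byte[] issuer = cert.IssuerName.RawData;
                if (!trustedCAs.Any(ca => ca.SequenceEqual(issuer)))
                {
                    Console.Error.WriteLine("client certificate issuer not accepted by server; sending none");
                    return null;
                }
            }
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    public static LdapConnection Connect(string host, string userDn, string password)
    {
        var con = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        con.SessionOptions.ProtocolVersion = 3;
        con.SessionOptions.SecureSocketLayer = true;
        con.SessionOptions.QueryClientCertificate = SelectClientCert;
        // Presenting a certificate in the handshake does not log us in; the
        // bind below still authenticates with the password, as in the question.
        con.AuthType = AuthType.Basic;
        con.Credential = new NetworkCredential(userDn, password);
        con.Bind();
        return con;
    }
}
```

With `AllowedClientCertThumbprint` left empty this behaves exactly like the stub in the answer, so it can be deployed now and switched on later by configuration rather than by a code change.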
Source: https://stackoverflow.com/questions/12621256/connect-to-open-ldap-over-ssl