
Kas Ob.

Registered since: 3 Sep 2023
346 posts
 
#10

Re: Switching LDAP to SSL/TLS

21 May 2024, 13:30
Hi again,

With this code, which is the same as mine above with one addition, the connect:
Code:
procedure TForm10.LDAPConnect;
var
  pConn: PLDAP;
  Version: ULONG;       // LDAP_OPT_PROTOCOL_VERSION expects a pointer to a ULONG
  CurrVer: NativeUInt;  // LDAP_OPT_ON / LDAP_OPT_OFF are pointer-sized values
  TimeOut: TLDAPTimeVal;
begin
  // ldap_sslinit with secure = 1 already requests SSL/TLS on the LDAPS port
  pConn := ldap_sslinit('127.0.0.1', LDAP_SSL_PORT, 1);
  // pConn := ldap_init('localhost', LDAP_PORT);
  if not Assigned(pConn) then
    Exit;

  try
    Version := LDAP_VERSION3;
    if ldap_set_option(pConn, LDAP_OPT_PROTOCOL_VERSION, @Version) <> LDAP_SUCCESS then
      Exit;

    // zero-initialise before reading: if the option is written as a 32-bit ULONG,
    // the upper half of a 64-bit variable would otherwise hold stale bits
    CurrVer := 0;
    if ldap_get_option(pConn, LDAP_OPT_SSL, @CurrVer) <> LDAP_SUCCESS then
      Exit;
    Memo1.Lines.Add('Current SSL status : ' + BoolToStr(CurrVer <> 0, True));

    if CurrVer = NativeUInt(LDAP_OPT_OFF) then
    begin
      CurrVer := NativeUInt(LDAP_OPT_ON);
      if ldap_set_option(pConn, LDAP_OPT_SSL, @CurrVer) <> LDAP_SUCCESS then
        Exit;
    end;

    // check again
    CurrVer := 0;
    if ldap_get_option(pConn, LDAP_OPT_SSL, @CurrVer) <> LDAP_SUCCESS then
      Exit;
    Memo1.Lines.Add('Current SSL status : ' + BoolToStr(CurrVer <> 0, True));

    // ldap_connect opens the TCP session (and runs the TLS handshake when SSL is on)
    // without binding; a server that has no certificate closes the connection here
    TimeOut.tv_sec := 5;
    TimeOut.tv_usec := 0;
    if ldap_connect(pConn, @TimeOut) <> LDAP_SUCCESS then
    begin
      Memo1.Lines.Add('ldap_connect failed');
      Exit;
    end;

    Memo1.Lines.Add('Connected');

    Memo1.Lines.Add('Success');
  finally
    // ldap_unbind_s also frees the session handle, so it runs on every Exit above
    ldap_unbind_s(pConn);
  end;
end;
Also, I installed Active Directory Lightweight Directory Services from Windows Features.
(screenshot: ads.png)

Now the result is that it still fails to connect, because I didn't configure any certificate, and I'm not sure what account I allowed as I clicked Next, Next, ...
But from Wireshark, the connection is established with TLS v1.2 and a Client Hello is sent from the app to the ADS server, but the server abruptly closed the connection. This is a symptom of the server not having a valid certificate. I don't want to go through issuing a certificate for many reasons, but the biggest one is that I don't have a valid domain or access to a real AD server on a Windows Server OS to issue a trusted one.
(Wireshark screenshot: 2024-05-21-14_23_58-untitled.jpg)

So I suggest using Wireshark to check whether SSL/TLS is enabled instead of depending on LDAP_OPT_SSL; I suspect it might refer to client-side certificate verification rather than what you think, namely that the connection is TLS.

See, using ldap_sslinit already indicates a secure connection, so LDAP_OPT_SSL might not be the indicator. But again, I might be wrong here, or maybe it is reserved for when ldap_init is used instead of ldap_sslinit; I don't know.
Kas
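The Wireshark observation in the post above (a TLS 1.2 Client Hello goes out, the server closes the connection without answering) can be reproduced without a packet capture. The script below is an added example, not code from the post or from the Wldap32 API; it is in Python rather than Delphi because it is a stand-alone diagnostic that runs anywhere. It hand-builds a minimal TLS 1.2 ClientHello (RFC 5246) with an SNI extension, sends it to the LDAPS port and classifies the first bytes that come back: nothing (abrupt close, what an AD LDS instance without a server certificate does), a TLS alert, a ServerHello, or a plain-LDAP BER reply. The host name, the default port 636 and the byte strings used for checking are assumptions or constructed samples.

```python
"""Probe an LDAPS endpoint the way Wireshark would show it: send one TLS 1.2
ClientHello and classify the very first thing the server sends back."""
import socket
import struct

# Record-layer version -> name (TLS 1.3 also uses 3.3 in the record header and
# signals 1.3 only inside the supported_versions extension).
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate"}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello (RFC 5246 section 7.4.1.2) with an SNI
    extension (RFC 6066). The random is constant: this is a probe, not a
    session we intend to use."""
    client_random = b"\x00" * 32
    session_id = b"\x00"  # zero-length session id
    suites = b"".join(struct.pack("!H", cs) for cs in (
        0xC02F,  # ECDHE-RSA-AES128-GCM-SHA256
        0xC030,  # ECDHE-RSA-AES256-GCM-SHA384
        0x009C,  # RSA-AES128-GCM-SHA256
        0x002F,  # RSA-AES128-CBC-SHA
        0x0035,  # RSA-AES256-CBC-SHA
    ))
    cipher_suites = struct.pack("!H", len(suites)) + suites
    compression = b"\x01\x00"  # one method: null
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name, type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + client_random + session_id + cipher_suites
            + compression + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first bytes a server sent after our ClientHello to a verdict."""
    if not data:
        return ("connection closed before any TLS reply: the server accepted TCP "
                "but will not do TLS here (typically no server certificate configured)")
    if len(data) < 5:
        return "short non-TLS reply"
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    version = TLS_VERSIONS.get((major, minor), f"record version {major}.{minor}")
    if ctype == 0x15 and len(data) >= 7:  # alert: level byte, description byte
        level = "fatal" if data[5] == 2 else "warning"
        desc = ALERT_DESCRIPTIONS.get(data[6], f"code {data[6]}")
        return f"TLS alert ({level}): {desc}"
    if ctype == 0x16 and len(data) >= 6:  # handshake: first byte is the message type
        htype = HANDSHAKE_TYPES.get(data[5], f"handshake type {data[5]}")
        return f"{version} {htype}: the server is speaking TLS on this port"
    if data[0] == 0x30:  # BER SEQUENCE: an LDAP message, e.g. a notice of disconnection
        return "BER SEQUENCE reply: this is plain LDAP, not an LDAPS port"
    return f"unexpected record type 0x{ctype:02x}"


def probe(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, return a verdict about the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except ConnectionResetError:
            reply = b""  # an RST is the abrupt close Wireshark shows
        except socket.timeout:
            return "no reply within timeout: the server neither answered nor closed"
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 636))
```

Run it as `python probe_ldaps.py 127.0.0.1 636` against the AD LDS instance. A "connection closed" verdict matches the capture described in the post; a "handshake_failure" alert means TLS is enabled but no offered cipher suite was acceptable, which is a different problem and worth telling apart before touching certificates. This only tells you whether the port speaks TLS, not whether the client would trust the certificate: that is decided later by the client's validation settings.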