New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAPS not possible with MAC and Windows with Certificate-Based Authentication #9641
Comments
Update: I installed latest version on my Mac.curl/libcurl version
what I got
operating systemMacOS 12.6 (21G115) |
The Windows build is using the Windows system LDAP library It means OpenSSL (or it's specific version) is most likely not a factor here. |
@vszakats thank you for your quick response. Do you have any idea why we got a successful call on MAC with version 7.84 but not with the current version 7.85? |
@kheinrich188 I had only been using LDAPS without cert-based-auth, so can't offer much hints. But, can you try if the curl 7.84.0 Windows build also reproduces the issue? You can find it here: https://curl.se/windows/dl-7.84.0_9/ Mac uses OpenLDAP with a different TLS stack, so the codepath is completely different from the Windows case. |
@vszakats Thank you again for your quick reply!
For the Mac Topic: |
@kheinrich188 No worries at all. If this doesn't work with any recent curl + WinLDAP combos, we can rule out a curl regression. Skimming curl sources, I can't find a place where the cert / key is passed to WinLDAP. Nor much evidence that WinLDAP can accept one. Maybe it's done outside an API with the system certificate store? [ With some luck, it's possible to revert the Homebrew formula ( |
@vszakats Mac: |
@kheinrich188 👍 for the Mac. Good find with the Windows API! The page says [ Yesterday I did |
Thank you very much for your feedback. |
Hello, just wanted to comment that this issue exists for me on RHEL8 as well, with both 7.84, 7.85, and 7.86. The previous version I had installed was 7.78 and it works. 7.78 calls ldap_result in oldap_recv with LDAP_MSG_RECEIVED and subsequently loops through all messages, while later versions (not sure when it was changed) call ldap_result with LDAP_MSG_ONE, and set the result from oldap_recv to CURLE_AGAIN, indicating more stuff (the result msg) is still expected. But nothing interprets that result so curl just sits forever unless max-time is set on the call. There may be more than one way to fix it, but if CURLE_AGAIN is checked at the end of the do loop in readwrite_data, or if conn->cselect_bits is set to CURL_CSELECT_IN in oldap_recv after processing the ldap entry message, oldap_recv will get called again and pull in the result message. I couldn't see how to get it working otherwise. For 7.85 and 86, it's the same, but you now have to define export USE_OPENLDAP=1 in either CFLAGS or CPPFLAGS before running configure in order for the oldap modules in openldap.c to be executed. It used to be the default but I think it was changed for 7.85. The default now is for the path to go through ldap.c, and, for me, at the moment, that same curl call results in the "bind via ldap_simple_bind_s Can't contact LDAP server" message. I haven't done much to trace it out, but I think it may have to do with the CA's - not sure yet. My plan is to deploy 7.86 with USE_OPENLDAP=1 until I can get the ldap.c path working. |
I did this
I expected the following for Windows
Output of the same URL Request with Mac (version listed below):
curl/libcurl version (Windows)
curl/libcurl version (Mac) (working version)
operating system
Microsoft Windows 10 Enterprise N
10.0.19044 Build 19044
The text was updated successfully, but these errors were encountered: