I am using Microsoft LDAP C API on windows 2003 server to work with
remote LDAP directories (active directory, Sun One, etc...), I want to
use SSL connection with the directories.
I have used code from the MSDN and it worked correctly, how ever I have
encountered cases in which the LDAP API tried to perform client
authentication in the SSL handshake (I saw this happening when I had
certificates in the local certificates store that were signed by the
same CA that signed the certificate of the relevant directory server),
I would like to avoid this behavior, I want to make sure that SSL
client authentication will never occur.
in order to achieve this I tried using the LDAP_OPT_CLIENT_CERTIFICATE
session option, I have set a callback function that always return
FALSE, this way there will be no client certificate available for the
SSL client authentication and my target will be achieved.
This worked for me, everything worked ok but I noticed that the memory
consumption of my application is continuously rising. I don't know if
I am making a mistake in the usage or maybe not releasing something
that I need to release.
I have created a short example program (based on the program from the
MSDN) that performs SSL connections to a directory server in an
infinite loop, the memory consumption of this program is continuously
rising.
Does any one have nay idea what is the problem with my program?
Thanks,
Hagai.
Example program:
#include <windows.h>
#include <ntldap.h>
#include <winldap.h>
#include <schnlsp.h>
#include <stdio.h>
BOOLEAN _cdecl GetClientCertRoutine(void *Connection,
void *trusted_CAs,
void *ppCertificate) {
return (FALSE);
}
int main(int argc, char* argv[])
{
LDAP* ld = NULL;
INT iRtn = 0;
INT connectSuccess = 0;
PCHAR pHost = NULL;
ULONG version = LDAP_VERSION3;
SecPkgContext_ConnectionInfo sslInfo;
LONG lv = 0;
// Verify that the user passed a hostname.
if (argc > 1)
{
pHost = argv[1];
printf("\nConnecting to host \"%s\" ...\n",pHost);
}
// If not, perform a 'serverless' bind.
else
{
pHost = NULL;
printf("\nConnecting to DEFAULT LDAP host ...\n");
}
while (1) {
// Create an LDAP session.
ld = ldap_sslinit(pHost,LDAP_SSL_PORT,1);
if (ld == NULL)
{
printf( "ldap_sslinit failed with 0x%x.\n",GetLastError());
return -1;
}
// Specify version 3; the default is version 2.
printf("Setting Protocol version to 3.\n");
iRtn = ldap_set_option(ld,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
// setting function to avoid client authetication
printf("Setting function to avoid client authentication.\n");
iRtn = ldap_set_option(ld,
LDAP_OPT_CLIENT_CERTIFICATE,
&GetClientCertRoutine);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
// Verify that SSL is enabled on the connection.
// (returns LDAP_OPT_ON/_OFF).
printf("Checking if SSL is enabled\n");
iRtn = ldap_get_option(ld,LDAP_OPT_SSL,(void*)&lv);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
// If SSL is not enabled, enable it.
if ((void*)lv == LDAP_OPT_ON)
printf("SSL is enabled\n");
else
{
printf("SSL not enabled.\n SSL being enabled...\n");
iRtn = ldap_set_option(ld,LDAP_OPT_SSL,LDAP_OPT_ON);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
}
// Connect to the server.
connectSuccess = ldap_connect(ld, NULL);
if(connectSuccess == LDAP_SUCCESS)
printf("ldap_connect succeeded \n");
else
{
printf("ldap_connect failed with 0x%x.\n",connectSuccess);
goto FatalExit;
}
// Bind with current credentials.
printf("Binding ...\n");
iRtn =
ldap_bind_s(ld,"cn=administrator,cn=users,dc=infradc,dc=com","Local",LDAP_AUTH_SIMPLE);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
// Retrieve the SSL cipher strength.
printf("Getting SSL info\n");
iRtn = ldap_get_option(ld,LDAP_OPT_SSL_INFO,&sslInfo);
if (iRtn != LDAP_SUCCESS)
goto FatalExit;
printf("SSL cipher strength = %d
bits\n",sslInfo.dwCipherStrength);
goto NormalExit;
// Cleanup.
NormalExit:
if (ld != NULL) {
ldap_unbind_s(ld);
continue;
}
// Cleanup after an error.
FatalExit:
if( ld != NULL )
ldap_unbind_s(ld);
printf( "\n\nERROR: 0x%x\n", iRtn);
break;
}
}
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
I'd like to hear what comes out of this. I'll also poke around in the .NET
code and see if I can figure out what they do (if they do something
different).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:OSLibjN...@TK2MSFTNGP05.phx.gbl...
I will post back here when I know more.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
The leak I located in the source has been confirmed. A case has been
opened to correct the issue. If you want to pursue getting a QFE, you
can open a case with MSFT Support (should be free - this is a bug) and
have them ping the appropriate engineer. If you want to do that, email
me offline and I can supply you with the name of the engineer to give to
the support folks.
In the meanwhile, if you are ok with a workaround, here is some code
that will remove the leak for you.
BOOLEAN _cdecl GetClientCertRoutine(void *Connection,
void *trusted_CAs,
void *ppCertificate)
{
SecPkgContext_IssuerListInfoEx *p =
(SecPkgContext_IssuerListInfoEx *)trusted_CAs;
FreeContextBuffer((void*)p->aIssuers);
return (FALSE);
}
Note I simply added a couple of lines to release the memory allocated
for the trusted_CAs that are passed to you.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Thanks for the follow up. Any word on when this fix will get merged into
Windows? I'm guessing it is too late for Win2K3 SP2 and maybe Longhorn
Server (although I hope not). It isn't a huge big deal, but it should be
fixed.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:4526DDAF...@hotmail.com...
Thanks allot for your help clarifying the problem and the possible
solutions, currently I am not interested in pursuing a QFE.
Best Regards,
Hagai.