Memory leaks while using Microsoft LDAP C API with the LDAP_OPT_CLIENT_CERTIFICATE


Hello,

I am using the Microsoft LDAP C API on Windows 2003 Server to work with
remote LDAP directories (Active Directory, Sun One, etc.). I want to
use SSL connections with the directories.

I have used code from the MSDN and it worked correctly; however, I have
encountered cases in which the LDAP API tried to perform client
authentication in the SSL handshake (I saw this happening when I had
certificates in the local certificate store that were signed by the
same CA that signed the certificate of the relevant directory server).
I would like to avoid this behavior: I want to make sure that SSL
client authentication will never occur.

In order to achieve this I tried using the LDAP_OPT_CLIENT_CERTIFICATE
session option: I have set a callback function that always returns
FALSE, so that there will be no client certificate available for the
SSL client authentication and my target will be achieved.

This worked for me; everything worked OK, but I noticed that the memory
consumption of my application is continuously rising. I don't know if
I am making a mistake in the usage or maybe not releasing something
that I need to release.

I have created a short example program (based on the program from the
MSDN) that performs SSL connections to a directory server in an
infinite loop; the memory consumption of this program is continuously
rising.

Does anyone have any idea what the problem with my program is?

Thanks,
Hagai.

Example program:

#include <windows.h>
#include <ntldap.h>
#include <winldap.h>
#include <schnlsp.h>
#include <stdio.h>

// QUERYCLIENTCERT callback installed via LDAP_OPT_CLIENT_CERTIFICATE.
// Returning FALSE without filling in ppCertificate tells the LDAP client
// that no client certificate is available, so the SSL handshake proceeds
// without client authentication.
BOOLEAN _cdecl GetClientCertRoutine(void *Connection,
                                    void *trusted_CAs,
                                    void *ppCertificate)
{
    return FALSE;
}

int main(int argc, char* argv[])
{
    LDAP* ld = NULL;
    INT iRtn = 0;
    INT connectSuccess = 0;
    PCHAR pHost = NULL;
    ULONG version = LDAP_VERSION3;
    SecPkgContext_ConnectionInfo sslInfo;
    LONG lv = 0;

    // Verify that the user passed a hostname.
    if (argc > 1)
    {
        pHost = argv[1];
        printf("\nConnecting to host \"%s\" ...\n", pHost);
    }
    // If not, perform a 'serverless' bind.
    else
    {
        pHost = NULL;
        printf("\nConnecting to DEFAULT LDAP host ...\n");
    }

    while (1) {
        // Create an LDAP session (ldap_sslinit reports failures via LdapGetLastError).
        ld = ldap_sslinit(pHost, LDAP_SSL_PORT, 1);
        if (ld == NULL)
        {
            printf("ldap_sslinit failed with 0x%x.\n", LdapGetLastError());
            return -1;
        }

        // Specify version 3; the default is version 2.
        printf("Setting Protocol version to 3.\n");
        iRtn = ldap_set_option(ld,
                               LDAP_OPT_PROTOCOL_VERSION,
                               (void*)&version);
        if (iRtn != LDAP_SUCCESS)
            goto FatalExit;

        // Install the callback that refuses to supply a client certificate.
        printf("Setting function to avoid client authentication.\n");
        iRtn = ldap_set_option(ld,
                               LDAP_OPT_CLIENT_CERTIFICATE,
                               &GetClientCertRoutine);
        if (iRtn != LDAP_SUCCESS)
            goto FatalExit;

        // Verify that SSL is enabled on the connection.
        // (returns LDAP_OPT_ON/_OFF).
        printf("Checking if SSL is enabled\n");
        iRtn = ldap_get_option(ld, LDAP_OPT_SSL, (void*)&lv);
        if (iRtn != LDAP_SUCCESS)
            goto FatalExit;

        // If SSL is not enabled, enable it.
        if ((void*)lv == LDAP_OPT_ON)
            printf("SSL is enabled\n");
        else
        {
            printf("SSL not enabled.\n SSL being enabled...\n");
            iRtn = ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON);
            if (iRtn != LDAP_SUCCESS)
                goto FatalExit;
        }

        // Connect to the server.
        connectSuccess = ldap_connect(ld, NULL);

        if (connectSuccess == LDAP_SUCCESS)
            printf("ldap_connect succeeded \n");
        else
        {
            printf("ldap_connect failed with 0x%x.\n", connectSuccess);
            goto FatalExit;
        }

        // Bind with a simple bind (DN and password).
        printf("Binding ...\n");
        iRtn = ldap_bind_s(ld,
                           "cn=administrator,cn=users,dc=infradc,dc=com",
                           "Local",
                           LDAP_AUTH_SIMPLE);
        if (iRtn != LDAP_SUCCESS)
            goto FatalExit;

        // Retrieve the SSL cipher strength.
        printf("Getting SSL info\n");
        iRtn = ldap_get_option(ld, LDAP_OPT_SSL_INFO, &sslInfo);
        if (iRtn != LDAP_SUCCESS)
            goto FatalExit;

        printf("SSL cipher strength = %d bits\n", sslInfo.dwCipherStrength);

        goto NormalExit;

        // Cleanup: release the session and start the next iteration.
    NormalExit:
        if (ld != NULL) {
            ldap_unbind_s(ld);
            continue;
        }

        // Cleanup after an error: release the session and leave the loop.
    FatalExit:
        if (ld != NULL)
            ldap_unbind_s(ld);
        printf("\n\nERROR: 0x%x\n", iRtn);
        break;
    }

    return iRtn;
}
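Added example, not from the original post and not part of the Microsoft LDAP API: a portable harness for the next diagnostic step, measuring peak-RSS growth per iteration for one stage of the loop at a time (ldap_sslinit plus ldap_unbind_s alone, then adding set_option, connect and bind) so the growth can be attributed to a single stage. The two stage functions are constructed stand-ins, since the Windows LDAP calls are not available here; on the real program each stage would wrap the corresponding calls from the loop above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

#define CHUNK (256 * 1024)  /* per-iteration allocation, big enough to move peak RSS */
#define MAX_RETAINED 1024

typedef void (*step_fn)(void);

/* Peak resident set size in KiB (Linux reports KiB, macOS bytes). */
static long peak_rss_kib(void) {
    struct rusage ru;
    getrusage(RUSAGE_SELF, &ru);
#ifdef __APPLE__
    return ru.ru_maxrss / 1024;
#else
    return ru.ru_maxrss;
#endif
}

/* Touch every page through a volatile pointer so the allocation is resident
 * and the compiler cannot drop the malloc as unused. */
static void touch(char *buf) {
    for (size_t i = 0; i < CHUNK; i += 4096)
        ((volatile char *)buf)[i] = 1;
}

/* Run one stage of the loop `iters` times; return peak RSS growth in KiB.
 * A leaking stage grows roughly linearly with iters; a clean one barely moves. */
long growth_kib(step_fn step, int iters) {
    long before = peak_rss_kib();
    for (int i = 0; i < iters; i++)
        step();
    return peak_rss_kib() - before;
}

/* Constructed stand-in for a well-behaved stage: the "session" is torn down each time. */
void clean_step(void) {
    char *buf = malloc(CHUNK);
    if (buf) { touch(buf); free(buf); }
}

/* Constructed stand-in for a leaking stage: every "session" is retained and never
 * freed, as if ldap_sslinit were never matched by ldap_unbind_s. */
static char *retained[MAX_RETAINED];
static int nretained;
void leaky_step(void) {
    char *buf = (nretained < MAX_RETAINED) ? malloc(CHUNK) : NULL;
    if (buf) { touch(buf); retained[nretained++] = buf; }
}
```

Call growth_kib(clean_step, 100) and growth_kib(leaky_step, 100) in that order: the clean stand-in stays within a few hundred KiB while the leaking one grows by about 25 MiB, which is the signature to look for when each real stage of the loop is substituted in.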



