System.DirectoryServices.Protocols StartTransportLayerSecurity Pro

CryptoFun

Hi,

There is a problem in 'System.DirectoryServices.Protocols' using the
LdapSessionOptions function StartTransportLayerSecurity when using it with an
OpenLDAP server.

The call works fine with Active Directory on port 389, where the call
initiates a 'startTLS' LDAP command that starts TLS on the normally clear
port 389.

Unfortunately, when this is used with an OpenLDAP server the LDAP 'startTLS'
command fails.

This issue has been documented at the OpenLDAP site and is described at:
http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html

There is a change that can be made to the OpenLDAP source code file 'starttls.c'
that will solve the problem, but the protocol problem is actually on the
Microsoft side.

There was also apparently a Microsoft hotfix for this issue on XP, Windows
2000 and Windows 2003, which is located at:

http://support.microsoft.com/kb/841461/

It is titled 'An extended operation that is sent to an LDAP server by API
over the LDAP service causes a protocol error'.

The problem is that this same issue is occurring in the .NET
'System.DirectoryServices.Protocols' using the LdapSessionOptions function
StartTransportLayerSecurity when using it with an OpenLDAP server.

It looks like the problem may have been fixed in pre-.NET code but not in
.NET.

Does anyone know if this will be corrected, or if there is a Microsoft fix
for the .NET code?

Thanks and Regards,
CryptoIsFun
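For readers who want to reproduce the call the thread is about, here is an added C# example (not code from the thread, from Microsoft or from OpenLDAP) that opens a plaintext LDAP connection on port 389, requests StartTLS through LdapSessionOptions.StartTransportLayerSecurity, verifies the server certificate against a pinned issuing CA, and fails closed if the server rejects the extended operation instead of falling back to a cleartext bind. The host name, bind DN, password and CA thumbprint are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example for the thread above; the host, credentials and the CA
// thumbprint are placeholders and must be replaced for a real deployment.
static class StartTlsExample
{
    // SHA-1 thumbprint of the CA that issued the LDAP server's certificate.
    // Placeholder value: pin the thumbprint of your own CA here.
    const string ExpectedIssuerThumbprint = "0000000000000000000000000000000000000000";

    // VerifyServerCertificateCallback: called once the TLS handshake delivers the
    // server certificate. Returning false aborts the TLS negotiation.
    static bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
    {
        var cert = new X509Certificate2(certificate);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            // Build must succeed (name, validity, trust) AND the chain must end in our CA.
            if (!chain.Build(cert))
                return false;
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, ExpectedIssuerThumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    static void Main()
    {
        // Plain port 389; TLS is negotiated in-band by the StartTLS extended operation,
        // unlike LDAPS on 636 where the socket is TLS from the first byte.
        var identifier = new LdapDirectoryIdentifier("ldap.example.org", 389);
        using (var conn = new LdapConnection(identifier))
        {
            conn.SessionOptions.ProtocolVersion = 3; // StartTLS is an LDAPv3 extended operation
            conn.SessionOptions.VerifyServerCertificate = VerifyServerCertificate;
            conn.AuthType = AuthType.Basic;

            try
            {
                // Sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037)
                // through wldap32.dll and switches the socket to TLS on success.
                conn.SessionOptions.StartTransportLayerSecurity(null);
            }
            catch (TlsOperationException ex)
            {
                // The server refused StartTLS. Report the LDAP result and stop: a
                // simple bind over the still-cleartext socket would expose the password.
                Console.Error.WriteLine("StartTLS refused: {0}", ex.Message);
                if (ex.Response != null)
                    Console.Error.WriteLine("Server result: {0} {1}",
                                            ex.Response.ResultCode, ex.Response.ErrorMessage);
                return;
            }

            // Bind only after the channel is encrypted.
            conn.Bind(new NetworkCredential("cn=reader,dc=example,dc=org", "placeholder-password"));

            var request = new SearchRequest("dc=example,dc=org",
                                            "(objectClass=organizationalUnit)",
                                            SearchScope.OneLevel, "ou");
            var response = (SearchResponse)conn.SendRequest(request);
            Console.WriteLine("{0} entries read over TLS", response.Entries.Count);
        }
    }
}
```

The TlsOperationException branch is the behaviour the thread describes against an unpatched OpenLDAP server: the extended request is answered with an error and StartTransportLayerSecurity throws. Keeping the bind inside the success path (rather than in a finally or after the catch) is what makes the client fail closed.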
Nicholas Paldino [.NET/C# MVP]

Have you gone to the Microsoft Connect site and filed a bug? That site
is tied directly into the bug system at MS, so if you put it there, you will
have a MUCH better chance of a set of eyes getting on it that can actually
make a change.

Once you set up the case (or find one and verify it) you can post the
link to have others weigh in on it as well.
Willy Denoyette [MVP]

CryptoFun said:
> Hi,
>
> There is a problem in 'System.DirectoryServices.Protocols' using the
> LdapSessionOptions function StartTransportLayerSecurity when using it with
> an OpenLDAP server.
>
> The call works fine with Active Directory on port 389, where the call
> initiates a 'startTLS' LDAP command that starts TLS on the normally clear
> port 389.
>
> Unfortunately, when this is used with an OpenLDAP server the LDAP
> 'startTLS' command fails.
>
> This issue has been documented at the OpenLDAP site and is described at:
> http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html
>
> There is a change that can be made to the OpenLDAP source code file
> 'starttls.c' that will solve the problem, but the protocol problem is
> actually on the Microsoft side.
>
> There was also apparently a Microsoft hotfix for this issue on XP, Windows
> 2000 and Windows 2003, which is located at:
>
> http://support.microsoft.com/kb/841461/
>
> It is titled 'An extended operation that is sent to an LDAP server by API
> over the LDAP service causes a protocol error'.
>
> The problem is that this same issue is occurring in the .NET
> 'System.DirectoryServices.Protocols' using the LdapSessionOptions function
> StartTransportLayerSecurity when using it with an OpenLDAP server.
>
> It looks like the problem may have been fixed in pre-.NET code but not in
> .NET.

What do you mean by pre-.NET code? The KB841461 article is not talking
about pre-.NET code; the fix applies to wldap32.dll, which is exactly the
code that gets called by 'System.DirectoryServices.Protocols', so if your
problem is related to this KB article it should be fixed by applying the fix
(W2K), or by applying XP SP2 or W2K3 SP1. So the question is, did you apply
the fix, or are you running XP SP2 or W2K3 SP1?


Willy.
CryptoFun

Hi Willy,

Thanks for your helpful reply.
Yes, I am running XP SP2, and the version of Wldap32.dll is after the hotfix
I mentioned.

It looks like the problem using 'startTLS' from a Microsoft client with
openLDAP has not been corrected by Microsoft.

I had a great suggestion from Joe Kaplan on the ADSI discussion group to try
the tool ldp.exe and use the startTLS option which calls the Wldap32.dll
functionality for startTLS.

The results were:

1. Active Directory - works fine (of course)
2. A patched version of OpenLDAP (starttls.c modified) - works fine
3. A non-patched version of OpenLDAP (starttls.c NOT modified) - fails startTLS

The description of the hotfix led me to believe that it should fix the
problem. I also thought that the SDS.P code actually did all the work for the
StartTransportLayerSecurity call, but as you and Joe pointed out, it doesn't;
it calls Wldap32.dll to perform that function.

My conclusion is that the problem still exists, so I need to try to get
Microsoft to take a look at it...

Thanks again for your helpful reply!
Regards,
CryptoFun
CryptoFun

Hi Nicholas,

Thanks for the good suggestion.

It looks like the hotfix I mentioned doesn't actually correct the problem,
so it still appears to be a bug!

Thanks and Regards,
CryptoFun


Nicholas Paldino said:
> Have you gone to the Microsoft Connect site and filed a bug? That site
> is tied directly into the bug system at MS, so if you put it there, you will
> have a MUCH better chance of a set of eyes getting on it that can actually
> make a change.
>
> Once you set up the case (or find one and verify it) you can post the
> link to have others weigh in on it as well.
>
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - (e-mail address removed)
>
> CryptoFun said:
> > Hi,
> >
> > There is a problem in 'System.DirectoryServices.Protocols' using the
> > LdapSessionOptions function StartTransportLayerSecurity when using it with
> > an OpenLDAP server.
> >
> > The call works fine with Active Directory on port 389, where the call
> > initiates a 'startTLS' LDAP command that starts TLS on the normally clear
> > port 389.
> >
> > Unfortunately, when this is used with an OpenLDAP server the LDAP
> > 'startTLS' command fails.
> >
> > This issue has been documented at the OpenLDAP site and is described at:
> > http://www.openldap.org/lists/openldap-bugs/200405/msg00096.html
> >
> > There is a change that can be made to the OpenLDAP source code file
> > 'starttls.c' that will solve the problem, but the protocol problem is
> > actually on the Microsoft side.
> >
> > There was also apparently a Microsoft hotfix for this issue on XP, Windows
> > 2000 and Windows 2003, which is located at:
> >
> > http://support.microsoft.com/kb/841461/
> >
> > It is titled 'An extended operation that is sent to an LDAP server by API
> > over the LDAP service causes a protocol error'.
> >
> > The problem is that this same issue is occurring in the .NET
> > 'System.DirectoryServices.Protocols' using the LdapSessionOptions function
> > StartTransportLayerSecurity when using it with an OpenLDAP server.
> >
> > It looks like the problem may have been fixed in pre-.NET code but not in
> > .NET.
> >
> > Does anyone know if this will be corrected, or if there is a Microsoft fix
> > for the .NET code?
> >
> > Thanks and Regards,
> > CryptoIsFun