views:

158

answers:

1

Hi, I have an application that connects to an LDAP server using SSL. The problem I'm having is that when I run it as a console application it connects successfully, but when I run the application as a Windows service, it fails.

Here is some information that could help:

  • ldap_sslinit always returns success

  1. ldap_connect = 0 (Success) with all the LDAP ports when running as an APPLICATION under user ADMINISTRATOR; tested ports 389 and 3268 without SSL and 636 and 3269 with SSL
  2. ldap_connect = 0 (Success) running as a SERVICE with port 389 or 3268
  3. ldap_connect = 81 (Not connected) running AS SERVICE with ports 636 or 3269

We tested the service running under user administrator and also under another special user agent with all the permissions.

  • We enabled some Log on as service permissions, and others, without success.
  • We also added the certificates to the local machine, and to the service user.

Example of the test

#include <windows.h>
#include <winldap.h>
// ldap_host is a std::wstring, ldap_port an unsigned long (636 or 3269 for LDAPS)
LDAP* pLdapConnection = ldap_sslinit((PWCHAR)ldap_host.c_str(), ldap_port, 1); // Secure LDAP
// always returns a handle (success); the TLS handshake only happens in ldap_connect
ldap_set_option(pLdapConnection, LDAP_OPT_SSL, LDAP_OPT_ON);        // set SSL option
ldap_set_option(pLdapConnection, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); // required
LDAP_TIMEVAL timeout = { 30, 0 };                                   // connect timeout in seconds
ULONG result = ldap_connect(pLdapConnection, &timeout);

result = LDAP_SERVER_DOWN (0x51)

I appreciate any help you can give me.
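A way to see why the LDAPS handshake is rejected instead of only getting LDAP_SERVER_DOWN, as an added example that is not part of the original post: this PowerShell script opens the same kind of SSL connection through System.DirectoryServices.Protocols with a certificate-verification callback that prints the server certificate, the chain status and whether the issuing root is in LocalMachine\Root, all evaluated under whichever account runs the script. The host name and port are assumptions; run it once from your console session and once under the service account (for example from a scheduled task) and compare the output.

```powershell
# Added diagnostic, not the original application's code.
param(
    [string]$LdapHost = 'dc01.example.com',   # assumption: replace with your LDAP server
    [int]$LdapPort    = 636                   # 636 or 3269 for LDAPS
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3

# Called during the TLS handshake. Report the trust decision for this account and return it unchanged
# (returning $true unconditionally would hide the problem and disable server authentication).
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    Write-Host "Server cert subject: $($cert.Subject)"
    Write-Host "Issuer:              $($cert.Issuer)"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # isolate trust problems from revocation problems
    $trusted = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Host "Chain status: $($s.Status) - $($s.StatusInformation)"
    }

    # A service usually runs without a loaded user profile, so a root placed only in the
    # user's store is not visible to it; check the machine-wide store explicitly.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    Write-Host ("Top of chain '{0}' present in LocalMachine\Root: {1}" -f $top.Subject, $inMachineRoot)
    Write-Host "Chain trusted under this account: $trusted"
    return $trusted
}

try {
    $conn.Bind()   # default Negotiate bind with the credentials of the account running the script
    Write-Host "LDAPS bind succeeded as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
} catch {
    Write-Host "LDAPS bind failed: $($_.Exception.Message)"
}
```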

A: 

What account is the service running under? Is it a specific domain user that has access to the LDAP server? You might want to set the SPNs on the LDAP server as well; I've had double-hop token problems before with authentication.

Don
Here is more info... Run service as: local user, administrator, ezbio-agent user. Changes in Group Policy Properties: add Logon as Service permissions to administrator, guest, etc. dsHeuristics=0000002. DN Security Permissions: add Guest, add Anonymous Logon, add Network Service, add Local Service. ezbio-agent is a special user created to run the agent with all the permissions for everything.
evargas
So, when you run it from the console you can connect over SSL or unencrypted (which I assume you are doing using 1 or 0 in the last parameter of ldap_sslinit), but running as a service as the same user you can only connect unencrypted? If it was an untrusted CA, it shouldn't matter how it's run. I can't think of a reason why it should matter.
Don