I'm trying make an authentication service with LDAP and TLS using http://www.github.com/mavricknz/ldap When I use only basic authentication using the following code, everything works just fine.
conn := ldap.NewLDAPConnection(ldapHost, ldapPort)
conn.NetworkConnectTimeout = time.Duration(ldapConnTimeout) * time.Millisecond
conn.ReadTimeout = time.Duration(ldapReadTimeout) * time.Millisecond
if err := conn.Connect(); err != nil {
log.Println(err)
resp.WriteHeader(http.StatusInternalServerError)
return
}
defer conn.Close()
// bind to ldap
if err := conn.Bind(username, password); err != nil {
ldaperr := err.(*ldap.LDAPError)
if ldaperr.ResultCode == ldap.LDAPResultInvalidCredentials {
resp.Header().Set("WWW-Authenticate", `Basic realm="Item Codes Database"`)
resp.WriteHeader(http.StatusUnauthorized)
} else {
log.Println(err)
resp.WriteHeader(http.StatusInternalServerError)
}
return
}
but when I try to applying TLS to my code by changing
conn := ldap.NewLDAPConnection(ldapHost, ldapPort)
to
ldap.NewLDAPTLSConnection(ldapHost, ldapPort, &tls.Config{})
It gives me an error LDAP Result Code 201 "ErrorNetwork": Invalid packet format. That error comes from method conn.Connect() which when I dig into it, it didn't even reach the point where the TLS config or TLS flag has been used.
Ok, I've found my solution. I need to change the port from ldap's 389 to ldaps' 636 because we use TLS protocol. And I also has to use method NewLDAPSSLConnection instead to establish an implicit TLS connection.
I'm not sure why NewLDAPTSLConnection does not work. It use explicit TLS which require us to establish a normal connection first (which use port 389) and then attempt to start TLS over that connection.