On getting OpenLDAP and Windows LDAP to interop Friday, Dec 18 2009 

Many Windows developers need, for one reason or another, to connect to OpenLDAP directory services.  Some use wldap32, others use the System.DirectoryServices namespace in .NET, others use custom libraries.  Myself, I’m writing an ASPX front-end to our FreeBSD LDAP directory service.

If you are one of the developers in the first two camps, you’ve probably been dumbfounded by one of these error messages:

  • An unexpected operation error occurred
  • A local error occurred
  • TLS negotiation failure

At first, I was inclined to believe this was due to the fact that MS wanted devs to stick with ADAM and not use OpenLDAP.  However, this is not the case.  Each error means something different, and I now have a workaround for each of them.

An unexpected operation error occurred

My favourite.  This is due to an OpenLDAP bug that the developers won’t fix.  They have claimed that “Microsoft is the one that is broken by following RFC 2830”…yes, that’s right, an open-source project upset that MS is following an RFC.

Anyway, to fix it you need to apply a one-liner patch (thanks Kirill) to starttls.c, verified to work with OpenLDAP-2.4.19 and CVS HEAD as of this morning (GMT):

=============
--- orig/starttls.c	2004-01-01 21:15:32.000000000 +0200
+++ fixed/starttls.c	2004-05-27 14:14:54.000000000 +0300
@@ -94,6 +94,8 @@
     op->o_conn->c_is_tls = 1;
     op->o_conn->c_needs_tls_accept = 1;

+    rs->sr_rspoid = SLAP_STRDUP(LDAP_EXOP_START_TLS);
+
     rc = LDAP_SUCCESS;

 done:
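Review bot: the added line allocates with SLAP_STRDUP, but nothing in this hunk shows who releases rs->sr_rspoid after the extended response has been sent; unless the result-sending code frees it (or a must-be-freed flag is set alongside the assignment), every StartTLS request leaks one small string. Also, the file headers carry 2004 dates while the text says the patch was verified against OpenLDAP 2.4.19, so expect the @@ -94,6 +94,8 @@ offset to differ and rely on the three context lines (c_is_tls, c_needs_tls_accept, rc = LDAP_SUCCESS) when applying it.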
=============

Recompile OpenLDAP with this change.  slapd now puts the StartTLS OID (1.3.6.1.4.1.1466.20037) in the responseName of its extended response, as RFC 2830 requires, and the Microsoft APIs (as well as the older Netscape and Novell APIs) can connect and start TLS with it.

“But wait, Pongo,” you say.  “Now I’m getting a new error!”  Yes, because MS is strange about server certificate processing you will now receive:

A local error occurred (on the LDAP server, “TLS negotiation failure”)

You need the server certificate from the OpenLDAP server (see your slapd.conf file, under TLSCertificateFile; mine is in /etc/ssl/keys/ldap).

  1. Copy the file (named chicago-auth.crt in the example) to your Windows computer.
  2. Install the certificate (double-click it) to the Trusted Root Certificate Authorities store.  (I am not sure if this step is required or not.  It was for me for other reasons.)
  3. In your .NET application, add a code block similar to the following (lc is your LdapConnection):
                lc.SessionOptions.VerifyServerCertificate = Ldap_ServCertCallback;  // Add this line BEFORE StartTLS call
                lc.SessionOptions.StartTransportLayerSecurity(null);

Your Ldap_ServCertCallback function should look something like this (it needs the System.DirectoryServices.Protocols and System.Security.Cryptography.X509Certificates namespaces):

        using System.DirectoryServices.Protocols;
        using System.Security.Cryptography.X509Certificates;

        // Pins the server certificate: the handshake is accepted only if the server
        // presents exactly the certificate exported from its TLSCertificateFile.
        // Once this callback is assigned, its return value decides the handshake.
        private bool Ldap_ServCertCallback(LdapConnection connection, X509Certificate cert)
        {
            X509Certificate realchi = new X509Certificate("chicago-auth.crt");

            // GetCertHashString() is the SHA-1 thumbprint of the DER encoding;
            // equal thumbprints mean the server sent this exact certificate.
            return realchi.GetCertHashString() == cert.GetCertHashString();
        }

That’s it. Your .NET application will now happily connect to your OpenLDAP server.
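The steps above, put together into one complete .NET client, as an added example that is not code from the post or from any OpenLDAP or Microsoft source.  It connects on the plain LDAP port, assigns the certificate callback before StartTLS, pins the server certificate to the exported copy (and additionally refuses an expired one), and only then sends the simple bind so the password never crosses the wire in clear.  The host name chicago-auth, port 389, the base DN dc=example,dc=com, the bind DN and password, and the file name chicago-auth.crt are all assumptions for the example.

```csharp
// Added example (not the post's code). Assumed values: host "chicago-auth",
// port 389, base DN "dc=example,dc=com", bind credentials, and the exported
// server certificate "chicago-auth.crt" sitting beside the executable.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class PinnedStartTlsClient
{
    // Assumption: a copy of the server's TLSCertificateFile, exported as in step 1.
    const string PinnedCertPath = "chicago-auth.crt";
    const string LdapHost = "chicago-auth";
    const int LdapPort = 389;  // plain LDAP port; StartTLS upgrades the connection

    // Thumbprint (SHA-1 of the DER encoding) of the certificate we expect to see.
    static readonly string PinnedThumbprint =
        new X509Certificate2(PinnedCertPath).Thumbprint;

    static void Main()
    {
        using (var lc = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, LdapPort)))
        {
            lc.SessionOptions.ProtocolVersion = 3;
            lc.AuthType = AuthType.Basic;

            // Must be assigned BEFORE StartTransportLayerSecurity: from then on the
            // return value of VerifyPinnedCertificate is what decides the handshake.
            lc.SessionOptions.VerifyServerCertificate = VerifyPinnedCertificate;
            lc.SessionOptions.StartTransportLayerSecurity(null);

            // Simple bind only after TLS is up, so the password is never sent in clear.
            lc.Bind(new NetworkCredential("cn=Manager,dc=example,dc=com", "secret"));

            var req = new SearchRequest("dc=example,dc=com", "(objectClass=person)",
                                        SearchScope.Subtree, "uid", "cn");
            var resp = (SearchResponse)lc.SendRequest(req);
            foreach (SearchResultEntry e in resp.Entries)
                Console.WriteLine(e.DistinguishedName);
        }
    }

    // Pin: accept only the exact certificate exported from the server, and still
    // refuse it if it is outside its validity period.
    static bool VerifyPinnedCertificate(LdapConnection connection, X509Certificate cert)
    {
        if (cert == null) return false;
        var presented = new X509Certificate2(cert);

        var now = DateTime.Now;
        if (now < presented.NotBefore || now > presented.NotAfter)
        {
            Console.Error.WriteLine("server certificate outside its validity period");
            return false;
        }

        // Same comparison as GetCertHashString() in the post: both are the SHA-1
        // thumbprint, compared case-insensitively because Thumbprint is upper-case hex.
        bool ok = string.Equals(presented.Thumbprint, PinnedThumbprint,
                                StringComparison.OrdinalIgnoreCase);
        if (!ok)
            Console.Error.WriteLine("server certificate thumbprint mismatch: " + presented.Thumbprint);
        return ok;
    }
}
```

Two caveats worth knowing.  Because the callback's verdict replaces the default validation, importing the certificate into the Trusted Root store is not what makes the handshake succeed here; the pin is.  And a pin on the leaf certificate means the exported .crt must be refreshed whenever the server's certificate is renewed, or every client will start failing the handshake on that day.  For wldap32 the equivalent hook is ldap_set_option with LDAP_OPT_SERVER_CERTIFICATE and a VERIFYSERVERCERT callback, which receives the server's CERT_CONTEXT and returns TRUE to accept it.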

Note that I have not personally tested this workaround with wldap32 (I’m unsure how to set a VerifyServerCertificate callback and I don’t hack the Win32 API anymore anyway), but I have in .NET and it works in both Win32 and ASP.NET applications.

The case of the missing manager Monday, Dec 14 2009 

I was reading the awesome Screwed article on Rands In Repose when I finally realised what the problem I’m having at work is.

I have no manager telling me to get the hell going.

You see, like most startups, we have like…5 people on our team total.  And the problem is that most people think I’m the manager.  To outside people, it may look like it.  Well, actually, if I were to draw an org chart I’m probably the top of the development leaf.  The problem isn’t that I have no managerial experience.  The problem is nobody above me is pushing me to do anything and the developers below me don’t care about anything at all.  Things are starting to slow and stagnate.  The developers below me are pretty much not doing anything related to the project… they’re using the excuse that they are waiting on design specifications that I’m supposed to write.  The problem is I can’t write those specifications yet.  And for that we need to look at the org process and the use case specification.

Ah, the use case specification.  I slaved on that thing for 9 days getting it correct and making sure the “Product Champion” (fancy word our org. uses for product manager) had input because she’s the only person here who actually knows our users.  After it was finished I was to send it off to everyone in the team and get input.  This is part of the very little process we have; everyone has to approve a doc before we move to the next step.  And I think that’s reasonable with a 5 person dev team.  That was 19 June.

On 11 August the product champion finally read it.  Wait, what?  It took almost a month?!  She had a few corrections and additions that I added in about an hour.  I sent it off to everyone in the team again.  On 21 August (10 days later) one dev replied and had one small clarification.  There are still two people on our team that haven’t even opened the PDF.

Yes, there are two people on our team that haven’t opened the PDF after 6 months.  I will call this WTF #1.

Closely related is the fact that in the course of use case development I had to prototype two small features.  I used Visual C++ 2008 because they were related to the way Windows would handle things (it was to make sure Windows would provide multilingual support the way the product champion wanted it).  I raised a few questions and concerns to two members of the team and they went completely unnoticed.  It’s like nobody on the team but me even cares about this software.  I will call this WTF #2.

Anyway, back to the matter at hand.  I’m not supposed to write the design specification below use cases until all members of the team read the use case doc.  Obviously, it’s been 6 months and there are still members who haven’t.  I have gone ‘underground’ and started writing the other specifications, actually at the request of the product champion, who is just as concerned as I am that this is heading nowhere fast.  We don’t even have VCs or investors yet because we have nothing to invest in.  Now that’s all fine and dandy because we can get paid our half-salaries indefinitely as long as “financial” (if you can call one person who is basically investing her life in this business “financial”) continues to have money.  But the problem is I think this is giving everyone else on our team the feeling that we’re able to stagnate.  I mean, what’s the rush, we’re getting paid (even if it isn’t all of what we’re worth) and we don’t technically have to DO anything, we can just keep plodding along and never even make a product.  This is WTF #3 and it’s the biggest.  I think this team needs a HUGE shakeup.  I think it needs fire and determination.  And where do good teams get fire and determination from?

Leaders.  They get it from leaders.  And our team has none and I think that’s where the huge problem is.  We have nobody making us stay on schedule.  And do you know what’s worse than having a tight schedule where you know you won’t deliver?  We don’t have a schedule.  UM is quite content with “when it gets done, it gets done” — probably the worst schedule known to productive society because it’s far too open-ended.  We have another project… an embedded system that I can’t talk about because of NDAs.  And I see this project working and progressing and it’s almost ALMOST to the point of being able to have VCs and I am truly starting to wonder where the hell our team went on the radar of…everybody.

I should’ve left a long time ago.  And to be honest, I wish I could leave.  This is fruitless and getting nowhere fast, especially since it’s far too late to ask for new team members (and actually I know that I couldn’t get them anyway.  I’ve tried.) and I feel this is going to drag on forever.  My screw-i-tude is higher than anyone could imagine.  What I need right now is UM or a manager or ANYBODY to come and say to the entire team: “here’s a schedule, let’s take this software and GITFO the door”.

And before you tell me that I should be inspiring myself to do it, YOU inspire yourself after watching nothing happen for 6 months, no other orgs nearby to get a job with (a hick town, that’s what this is) and no schedule.  I’ve been fighting tooth and nail to get this project done since…09 December 2008 according to this document.  It’s getting increasingly harder to self-motivate, especially around other devs that don’t gaf about this software or me or themselves, it seems.

I stick around here for only two reasons: The idea itself is fantastic and this could be huge if someone would actually make it MOVE, and there’s basically nothing else around here I could do other than work for a small store being a cashier.  Yeah, I have looked but found nothing else, and I really like software dev and I do not want to work as a cashier.

And before you comment about how I should move to somewhere else where I could be useful.  Yes.  I should.  But I’m tied here due to family stuff (stuff that I wouldn’t go on about in a blog).  So that isn’t an option yet, at least not for a few years.

So I think what this team needs now is just authority.  Someone to come in and say to this team “why are you all on your asses?  Get to f—ing work.”  And I think what I’m going to go do right now is send this to my team and my managers and hope for the best.

Well, to my managers at least.  I know my team won’t care or read it.