Hi,
I am trying to write a Perl script with the Net::LDAP module and the start_tls
command and stumbled on a problem.
I would appreciate it if somebody could point me to "the source of the
problem".
If there is a better place to get assistance in resolving the
problem, please indicate it in your reply.
Thank you in advance,
Andrew
OS wheezy
slapd 2.4.31-1+nmu2
gnutls-bin 3.0.22-3+really2.12.20-8+deb7u1
cacert      /etc/ssl/certs/cacert.pem        -rw-r--r-- 1 openldap openldap
            /etc/ssl/certs/04a8f1dd.0 -> cacert.pem   lrwxrwxrwx 1 root root
server-key  /etc/ssl/private/server-key.pem  -rw------- 1 openldap openldap
server-cert /etc/ssl/certs/server-cert.pem   -rw-r--r-- 1 openldap openldap
------- Begin of ldap_sec.pl ------------------------------
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
#use Net::LDAP::Util qw(ldap_error_text);
use Data::Dumper;

my $server = 'install.myclub.com'; #'localhost';
my $base   = 'dc=myclub,dc=com';
my $scope  = 'sub';
my $filter = 'objectClass=*';

# Plain (unencrypted) connection; TLS is negotiated below with start_tls.
my $ldap = Net::LDAP->new( $server ) or die "$@";

# Anonymous bind.
my $mesg = $ldap->bind( version => 3 ) || die "Could not bind...";

# Upgrade the connection to TLS. 'verify' controls whether the server
# certificate is checked against the CAs found under 'capath'.
$mesg = $ldap->start_tls(
    verify     => 'none',                  # none, optional, require
    clientcert => 'certs/client-cert.pem',
    clientkey  => 'certs/client-key.pem',
    keydecrypt => sub { 'secret'; },
    capath     => '/etc/ssl/certs/'
);
$mesg->{resultCode} && die $mesg->{errorMessage};
#print Dumper($mesg); exit 0;

$mesg = $ldap->search(
    base   => $base,
    scope  => $scope,
    filter => $filter
);
#print Dumper($mesg);
if ($mesg->{resultCode}) {
    die "An error occurred searching the LDAP server: "
      . $mesg->{errorMessage} . "\n";
}

foreach my $entry ( $mesg->entries ) {
    $entry->dump;
}
$mesg = $ldap->unbind;
------- End of ldap_sec.pl ---------------------------------
If the script is run as embedded above then it produces correct output:
root@install:~/prog# ./ldap_sec.pl
------------------------------------------------------------------------
dn:dc=myclub,dc=com
objectClass: top
dcObject
organization
o: myclub.com
dc: myclub
------------------------------------------------------------------------
dn:cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
organizationalRole
cn: admin
description: LDAP administrator
root@install:~/prog#
If I change the "verify => 'none'" option of the "start_tls" command to
'optional' or 'required' then I get the following error message:
root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
./ldap_sec.pl line 25, <DATA> line 751.
root@install:~/prog#
Otherwise the LDAP server allows me to bind and retrieve information from the
command line:
root@install:~/prog# ldapsearch -ZZ -H ldap:/// -W -D
'cn=admin,dc=myclub,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=myclub,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# myclub.com
dn: dc=myclub,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myclub.com
dc: myclub
# admin, myclub.com
dn: cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: {encrypted_password} ### password removed
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2
root@install:~/prog#
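For comparison, here is an added example (not part of the post above, and not from the Net::LDAP project) of the start_tls usage a defender would normally want: the server certificate is verified against a named CA file, TLS is negotiated before any credentials are sent, and every Net::LDAP result is checked through the documented `code`/`error` accessors instead of the internal hash keys. The host name, CA path, base DN, bind DN and the LDAP_PASSWORD environment variable are assumptions for illustration. Two caveats are worth keeping in mind when "verify => 'require'" fails: the CA given via cafile (or the hashed symlinks under capath, like the 04a8f1dd.0 link in the listing above) must be the one that issued the server certificate, and the name the client connects to must match the certificate's subject CN or subjectAltName. A successful `ldapsearch -ZZ -H ldap:///` talks to localhost and follows TLS_REQCERT from ldap.conf, so it does not by itself show that the certificate validates for install.myclub.com.

```perl
#!/usr/bin/perl
# Added example: StartTLS with server certificate verification and proper
# result checking. Names and paths below are assumptions, not from the post.
use strict;
use warnings;
use Net::LDAP;

my $server  = 'install.myclub.com';          # must match the server cert's CN/SAN
my $cafile  = '/etc/ssl/certs/cacert.pem';   # CA that issued server-cert.pem
my $base    = 'dc=myclub,dc=com';
my $bind_dn = 'cn=admin,dc=myclub,dc=com';

# Password from the environment rather than hard-coded in the script.
my $password = $ENV{LDAP_PASSWORD}
    // die "set LDAP_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new( $server, version => 3 )
    or die "Cannot connect to $server: $@\n";

# Negotiate TLS first and refuse to continue unless the server certificate
# chains to our CA. 'require' is the documented value (not 'required').
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# Only now send credentials, over the encrypted channel.
$mesg = $ldap->bind( $bind_dn, password => $password );
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(objectClass=*)',
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

foreach my $entry ( $mesg->entries ) {
    $entry->dump;
}
$ldap->unbind;
```

If start_tls still reports "certificate verify failed" with this layout, the error text returned by `$mesg->error` is the OpenSSL reason string, so the next thing to compare is the issuer of server-cert.pem against cacert.pem and the certificate's subject against the host name used in `$server`.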
Archive: https://lists.debian.org/534acd33.7000...@gmail.com