Hi,
On Thursday 12 August 2004 09:32, Ulrich Windl wrote:
> I'm experimenting with "start_tls()" in Net::LDAP. The manual suggests
> checking the RootDSE for LDAPv3 and the TLS extension. Somehow I managed that
> creating the LDAP object (i.e. connect) succeeds, but $ldap->root_dse()
> returns undef. Interesting to say that you cannot get much information out
> of an undef:
>
> My code fragment is this:
>
> use Net::LDAP::Constant qw(LDAP_EXTENSION_START_TLS);
>
> sub start_TLS($$)
> {
>     my ($ldap, $q) = @_;
>     my $dse = $ldap->root_dse();
>
>     if ($dse && $dse->supported_version(3) &&
>         $dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
>         my $msg = $ldap->start_tls('verify' => 'none');
>         # (rest of the fragment not included in the original message)
>     }
> }
>
> The "$dse &&" is a workaround against an undefined $dse.
The root_dse() method in Net::LDAP returns either a Net::LDAP::RootDSE object
or undef to indicate something went wrong.
Thus the "$dse &&" is no workaround but the way to detect if an error
occurred.
> I don't know exactly what the problem is, but I suspect that the server
> wants to have a secured connection before returning the RootDSE. In my case
> I have OpenLDAP2 configured with
>
> security ssf=1 update_ssf=112 simple_bind=64
>
> # intended use: ensure integrity of reads while ensuring confidentiality on
> # updates and binds
>
> I can get the root DSE if I use the configuration line
>
> security ssf=0 update_ssf=112 simple_bind=64
>
> instead, but I'd wish for root_dse() to report an error on failure,
> because the LDAP server actually reported an error:
>
> slapd[1163]: conn=11 op=0 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
> slapd[1163]: conn=11 op=0 SRCH attr=subschemaSubentry namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion
> slapd[1163]: conn=11 op=0 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
Since root_dse() is little more than a search with scope base on the DIT's root,
it all depends on your server's configuration whether root_dse() fails or not.
I'd suggest allowing access to the DIT's root to anybody, since this entry
contains information necessary for binding.
And you use it in a similar way: you try to determine if the server supports
LDAPv3 and the start_tls extension.
You may try to simulate root_dse() by doing the search in root_dse() manually.
Then you get back a message object.
Peter
PS: I may be misled, but I fear you need to be connected with LDAPv3 in order
to use start_tls on a connection. I am not sure if it is sufficient if the
server supports LDAPv3 with start_tls when you're bound with LDAPv2.
--
Peter Marschall
eMail: [EMAIL PROTECTED]
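Peter's suggestion of issuing the root-DSE search by hand, so that the server's result code (the err=13 "confidentiality required" from the slapd log) is visible instead of being collapsed into undef, as an added Perl example that is not part of the thread. The host name and CA file path are placeholders; the attribute list is the one slapd logged for the root_dse() search.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): emulate Net::LDAP's root_dse()
# with an explicit base-scope search so the LDAP result code stays inspectable,
# then decide whether start_tls() should be attempted.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_CONFIDENTIALITY_REQUIRED
                            LDAP_EXTENSION_START_TLS);

# Placeholders (assumed, not taken from the thread).
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/ca.pem';

# Ask for protocol version 3 up front; StartTLS is an LDAPv3 extension.
my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@";

# The same attribute list slapd logged for the root_dse() search.
my @dse_attrs = qw(subschemaSubentry namingContexts altServer
                   supportedExtension supportedControl
                   supportedSASLMechanisms supportedLDAPVersion);

# Same search root_dse() performs, but the Net::LDAP::Search object is
# returned so the caller can look at code() and error().
sub fetch_root_dse {
    my ($ldap) = @_;
    return $ldap->search(base   => '',
                         scope  => 'base',
                         filter => '(objectClass=*)',
                         attrs  => \@dse_attrs);
}

# Classify the search outcome: 'ok', 'needs_tls' or 'error'.
sub classify_dse_result {
    my ($msg) = @_;
    return 'ok'        if $msg->code == LDAP_SUCCESS && $msg->count;
    # err=13 in the slapd log: the server withholds the entry until the
    # connection satisfies the configured ssf (security ssf=1 ...).
    return 'needs_tls' if $msg->code == LDAP_CONFIDENTIALITY_REQUIRED;
    return 'error';
}

# True if the root DSE advertises LDAPv3 and the StartTLS extension OID.
sub dse_allows_start_tls {
    my ($entry) = @_;
    my %ver = map { $_ => 1 } $entry->get_value('supportedLDAPVersion');
    my %ext = map { $_ => 1 } $entry->get_value('supportedExtension');
    return $ver{3} && $ext{ LDAP_EXTENSION_START_TLS() };
}

my $msg   = fetch_root_dse($ldap);
my $state = classify_dse_result($msg);

if ($state eq 'ok') {
    my $entry = $msg->entry(0);
    dse_allows_start_tls($entry)
        or die "server does not advertise LDAPv3 + StartTLS in its root DSE\n";
    # Verify the server certificate against a CA instead of verify => 'none',
    # otherwise the TLS layer adds confidentiality but no authentication.
    my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "start_tls failed: " . $tls->error . "\n" if $tls->code;
    print "TLS established after checking the root DSE\n";
} elsif ($state eq 'needs_tls') {
    # This is the case root_dse() hides behind undef: report it explicitly.
    die sprintf("root DSE search refused: code %d (%s)\n",
                $msg->code, $msg->error);
} else {
    die sprintf("root DSE search failed: code %d (%s)\n",
                $msg->code, $msg->error);
}
```

With `security ssf=1 ...` the script ends in the `needs_tls` branch, which makes the chicken-and-egg problem explicit: the client is told to check the root DSE before StartTLS, but the server refuses to serve the root DSE before TLS. The fix belongs on the server side, as Peter suggests: let anonymous clients read the root DSE so the capability check can run on the plaintext connection, and keep the ssf requirements for updates and binds.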