Q: LDAP - perl script using Net::LDAP and start_tls gives an error
Hi,

I am trying to write a perl script with the Net::LDAP module and the start_tls command and stumbled on a problem. I would appreciate it if somebody could point me to the source of the problem. If there is a better place to get assistance in resolving the problem, please indicate it in your reply.

Thank you in advance,
Andrew

OS: wheezy
slapd 2.4.31-1+nmu2
gnutls-bin 3.0.22-3+really2.12.20-8+deb7u1

cacert       /etc/ssl/certs/cacert.pem                  -rw-r--r-- 1 openldap openldap
             /etc/ssl/certs/04a8f1dd.0 -> cacert.pem    lrwxrwxrwx 1 root root
server-key   /etc/ssl/private/server-key.pem            -rw--- 1 openldap openldap
server-cert  /etc/ssl/certs/server-cert.pem             -rw-r--r-- 1 openldap openldap

--- Begin of ldap_sec.pl --
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
#use Net::LDAP::Util qw(ldap_error_text);
use Data::Dumper;

my $server = 'install.myclub.com'; #'localhost';
my $base   = 'dc=myclub,dc=com';
my $scope  = 'sub';
my $filter = 'objectClass=*';

my $ldap = Net::LDAP->new( $server ) or die $@;

# bind() always returns a Net::LDAP::Message, so the result code
# has to be tested explicitly; "|| die" would never fire
my $mesg = $ldap->bind( version => 3 );
$mesg->code && die "Could not bind: " . $mesg->error;

$mesg = $ldap->start_tls(
    verify     => 'none',      # none, optional, require
    clientcert => 'certs/client-cert.pem',
    clientkey  => 'certs/client-key.pem',
    keydecrypt => sub { 'secret'; },
    capath     => '/etc/ssl/certs/'
);
$mesg->code && die $mesg->error;
#print Dumper($mesg); exit 0;

$mesg = $ldap->search(
    base   => $base,
    #scope  => $scope,
    filter => $filter
);
#print Dumper($mesg);
if ($mesg->code) {
    die "An error occurred binding to the LDAP server: " . $mesg->error . "\n";
}

foreach my $entry ( $mesg->entries ) {
    $entry->dump;
}
$mesg = $ldap->unbind;
--- End of ldap_sec.pl --

If the script runs as embedded above, then it produces correct output:

root@install:~/prog# ./ldap_sec.pl
dn:dc=myclub,dc=com
objectClass: top dcObject organization
o: myclub.com
dc: myclub

dn:cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject organizationalRole
cn: admin
description: LDAP administrator
root@install:~/prog#

If I change the verify option of the start_tls command from 'none' to one of 'optional' or 'required', then I get the following error message:

root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.
root@install:~/prog#

Otherwise the LDAP server allows me to bind and retrieve information from the command line:

root@install:~/prog# ldapsearch -ZZ -H ldap:/// -W -D 'cn=admin,dc=myclub,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=myclub,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# myclub.com
dn: dc=myclub,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myclub.com
dc: myclub

# admin, myclub.com
dn: cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: {encrypted_password}### password removed

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
root@install:~/prog#

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/534acd33.7000...@gmail.com
Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error
> If I change the verify option of the start_tls command from 'none' to one of 'optional' or 'required', then I get the following error message:
>
> root@install:~/prog# ./ldap_sec.pl
> SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.
> root@install:~/prog#

It seems to me that the verify option tells Net::LDAP whether it should verify that the certificate the server you are connecting to is using has been signed by a known certificate authority (listed in /etc/ssl/certs). start_tls will fail if the server does not provide any certificate, or if the certificate is not signed by a CA (ref http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).

Atle.

Archive: https://lists.debian.org/534ae8d2.1060...@goliathdns.no
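A diagnostic variant of the posted script, added here and not part of the thread, that makes the verify option concrete: it first connects with verify => 'none' only to print the certificate the server actually presents (subject and issuer, read from the underlying IO::Socket::SSL socket), then reconnects with verify => 'require' against the same capath and binds and searches only once verification has succeeded. Host, base and capath are taken from the original post; the client-certificate options are left out, which assumes slapd does not demand a client certificate.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the thread. $server, $base and $capath
# are the values from the original post; adjust them for another site.
use strict;
use warnings;
use Net::LDAP;

my $server = 'install.myclub.com';
my $base   = 'dc=myclub,dc=com';
my $capath = '/etc/ssl/certs/';

# Pass 1: TLS without verification, used only to look at the server
# certificate. For pass 2 to succeed, the issuer printed here must be a
# CA whose hashed link (<hash>.0) exists in $capath, and the subject CN
# (or a subjectAltName) must match the name in $server.
{
    my $ldap = Net::LDAP->new($server) or die "connect: $@";
    my $mesg = $ldap->start_tls(verify => 'none', capath => $capath);
    die "start_tls (verify none): " . $mesg->error if $mesg->code;

    my $sock = $ldap->socket;   # an IO::Socket::SSL object after start_tls
    print "cipher : ", $ldap->cipher, "\n";
    print "subject: ", $sock->peer_certificate('subject'), "\n";
    print "issuer : ", $sock->peer_certificate('issuer'), "\n";
    $ldap->unbind;
}

# Pass 2: the setting the thread is after. TLS is established before the
# bind, so an authenticated bind would never send credentials in clear.
{
    my $ldap = Net::LDAP->new($server) or die "connect: $@";
    my $mesg = $ldap->start_tls(verify => 'require', capath => $capath);
    die "start_tls (verify require): " . $mesg->error if $mesg->code;

    $mesg = $ldap->bind(version => 3);   # anonymous bind, as in the thread
    die "bind: " . $mesg->error if $mesg->code;

    $mesg = $ldap->search(base => $base, filter => '(objectClass=*)');
    die "search: " . $mesg->error if $mesg->code;
    printf "%d entries read over verified TLS\n", $mesg->count;
    $ldap->unbind;
}
```

If pass 1 prints an issuer that is not the CA in capath, or a subject whose CN differs from the connect name, the "certificate verify failed" error in pass 2 is explained by that line alone.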
Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error
Hi Atle,

in my case I am the certificate agency (self-signed certificate) and I issue the private key and certificate (cacert.pem) for the root CA as well as for the LDAP server (server-key.pem and server-cert.pem) and the LDAP perl script client (client-key.pem and client-cert.pem). The script and client run on the same computer (for the moment), and the LDAP server private key (private/server-key.pem) and certificate (certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory -- and, as recommended (URL: https://metacpan.org/pod/Net::LDAP#start_tls), I created a certificate link named using the hash value:

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

The client (perl script) has a reference to the client's key/cert in the script; they are stored in the sub-directory 'certs' of the directory where the script is located (certs/client-key.pem and certs/client-cert.pem).

At the moment I do not fully grasp why verification of the server certificate fails. I welcome any ideas on how to fix it.

NOTE: It is my first attempt to program with Net::LDAP and start_tls -- I am in the process of learning how it works and how to program to use LDAP over TLS in perl.

Thanks for any input,
Andrew

On 4/13/2014 12:43 PM, Atle Solbakken wrote:
> > If I change the verify option of the start_tls command from 'none' to one of 'optional' or 'required', then I get the following error message:
> >
> > root@install:~/prog# ./ldap_sec.pl
> > SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.
> > root@install:~/prog#
>
> It seems to me that the verify option tells Net::LDAP whether it should verify that the certificate the server you are connecting to is using has been signed by a known certificate authority (listed in /etc/ssl/certs). start_tls will fail if the server does not provide any certificate, or if the certificate is not signed by a CA (ref http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).
>
> Atle.
Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error
On 04/13/2014 04:45 PM, Snow Leopard wrote:
> Hi Atle,
>
> in my case I am the certificate agency (self-signed certificate) and I issue the private key and certificate (cacert.pem) for the root CA as well as for the LDAP server (server-key.pem and server-cert.pem) and the LDAP perl script client (client-key.pem and client-cert.pem). The script and client run on the same computer (for the moment), and the LDAP server private key (private/server-key.pem) and certificate (certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory -- and, as recommended (URL: https://metacpan.org/pod/Net::LDAP#start_tls), I created a certificate link named using the hash value:
>
> ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0
>
> The client (perl script) has a reference to the client's key/cert in the script; they are stored in the sub-directory 'certs' of the directory where the script is located (certs/client-key.pem and certs/client-cert.pem).
>
> At the moment I do not fully grasp why verification of the server certificate fails. I welcome any ideas on how to fix it.
>
> NOTE: It is my first attempt to program with Net::LDAP and start_tls -- I am in the process of learning how it works and how to program to use LDAP over TLS in perl.
>
> Thanks for any input,
> Andrew
>
> On 4/13/2014 12:43 PM, Atle Solbakken wrote:
> > > If I change the verify option of the start_tls command from 'none' to one of 'optional' or 'required', then I get the following error message:
> > >
> > > root@install:~/prog# ./ldap_sec.pl
> > > SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.
> > > root@install:~/prog#
> >
> > It seems to me that the verify option tells Net::LDAP whether it should verify that the certificate the server you are connecting to is using has been signed by a known certificate authority (listed in /etc/ssl/certs). start_tls will fail if the server does not provide any certificate, or if the certificate is not signed by a CA (ref http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).

I think it would be better if there was an easier way. Especially for older non-elastic brains. :)

Ric

-- 
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.
https://linuxcounter.net/cert/44256.png
X-oldie-warning: Toothless but still vicious

Archive: https://lists.debian.org/534afa9b.1000...@gmail.com