Q: LDAP - perl script using Net::LDAP and start_tls gives an error

2014-04-13 Thread Snow Leopard

Hi,

I am trying to write a perl script with the Net::LDAP module and the start_tls
command and stumbled on a problem.

I would appreciate it if somebody could point me to the source of the
problem.

If there is a better place to get assistance in resolving the problem,
please indicate it in your reply.


Thank you in advance,

Andrew


OS          wheezy
slapd       2.4.31-1+nmu2
gnutls-bin  3.0.22-3+really2.12.20-8+deb7u1
cacert      /etc/ssl/certs/cacert.pem        -rw-r--r-- 1 openldap openldap
            /etc/ssl/certs/04a8f1dd.0 -> cacert.pem   lrwxrwxrwx 1 root root
server-key  /etc/ssl/private/server-key.pem  -rw--- 1 openldap openldap
server-cert /etc/ssl/certs/server-cert.pem   -rw-r--r-- 1 openldap openldap

--- Begin of ldap_sec.pl ---
#!/usr/bin/perl
use strict;
use warnings;

use Net::LDAP;
#use Net::LDAP::Util qw(ldap_error_text);
use Data::Dumper;

my $server = 'install.myclub.com';  #'localhost';
my $base   = 'dc=myclub,dc=com';
my $scope  = 'sub';
my $filter = 'objectClass=*';

my $ldap = Net::LDAP->new( $server ) or die "$@";

# bind() always returns a Net::LDAP::Message object, so test its
# result code instead of the return value itself
my $mesg = $ldap->bind( version => 3 );
$mesg->code and die "Could not bind: " . $mesg->error . "\n";

$mesg = $ldap->start_tls(
    verify     => 'none',   # none, optional, require
    clientcert => 'certs/client-cert.pem',
    clientkey  => 'certs/client-key.pem',
    keydecrypt => sub { 'secret'; },
    capath     => '/etc/ssl/certs/'
);

$mesg->code and die $mesg->error;
#print Dumper($mesg); exit 0;

$mesg = $ldap->search(
    base   => $base,
    scope  => $scope,   # 'sub' is also the default
    filter => $filter
);

#print Dumper($mesg);

if ($mesg->code) {
    die "An error occurred searching the LDAP server: "
      . $mesg->error . "\n";
}

foreach my $entry ( $mesg->entries ) {
    $entry->dump;
}

$mesg = $ldap->unbind;
--- End of ldap_sec.pl ---


If the script is run as embedded above then it produces the correct output


root@install:~/prog# ./ldap_sec.pl

dn:dc=myclub,dc=com

objectClass: top
 dcObject
 organization
  o: myclub.com
 dc: myclub

dn:cn=admin,dc=myclub,dc=com

objectClass: simpleSecurityObject
 organizationalRole
 cn: admin
description: LDAP administrator
root@install:~/prog#


If I make a change in the start_tls command for option verify => none to
one of 'optional' or 'required' then I get the next error message



root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at 
./ldap_sec.pl line 25, DATA line 751.

root@install:~/prog#


Otherwise the LDAP server allows binding and retrieving information from the
command line



root@install:~/prog# ldapsearch -ZZ -H ldap:/// -W  -D 
'cn=admin,dc=myclub,dc=com'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=myclub,dc=com (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# myclub.com
dn: dc=myclub,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myclub.com
dc: myclub

# admin, myclub.com
dn: cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: {encrypted_password}### password removed

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
root@install:~/prog#


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/534acd33.7000...@gmail.com



Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error

2014-04-13 Thread Atle Solbakken


> If I make a change in the start_tls command for option verify => none
> to one of 'optional' or 'required' then I get the next error message
>
> root@install:~/prog# ./ldap_sec.pl
> SSL connect attempt failed with unknown error error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
> ./ldap_sec.pl line 25, DATA line 751.
>
> root@install:~/prog#




It seems to me that the verify-option tells Net::LDAP whether it 
should verify that the certificate the server you are connecting to is 
using has been signed by a known certificate authority (listed in 
/etc/ssl/certs).


start_tls will fail if the server does not provide any certificate, or 
if the certificate is not signed by a CA (ref 
http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).


Atle.



Archive: https://lists.debian.org/534ae8d2.1060...@goliathdns.no



Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error

2014-04-13 Thread Snow Leopard

Hi Atle,

in my case I am the certificate authority (self-signed certificate) and I issue
the private key and certificate (cacert.pem) for the root CA as well as for the
LDAP server (server-key.pem and server-cert.pem) and the LDAP perl script
client (client-key.pem and client-cert.pem).

The script and client run on the same computer (for the moment), and the LDAP
server private key (private/server-key.pem) and certificate
(certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root
certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory --
and as recommended I created a certificate link named using the hash value

URL: https://metacpan.org/pod/Net::LDAP#start_tls

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

The client (perl script) has a reference to the client's key/cert in the
script, which are stored in the sub-directory 'certs' where the script is
located (certs/client-key.pem and certs/client-cert.pem).

At the moment I do not fully grasp why verification of the server
certificate fails.

I welcome any ideas on how to fix it.

NOTE: It is my first attempt to program with Net::LDAP and start_tls --
I am in the process of learning how it works and how to program to use LDAP
over TLS in perl.

Thanks for any input,

Andrew

On 4/13/2014 12:43 PM, Atle Solbakken wrote:

> > If I make a change in the start_tls command for option verify => none
> > to one of 'optional' or 'required' then I get the next error message
> >
> > root@install:~/prog# ./ldap_sec.pl
> > SSL connect attempt failed with unknown error error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
> > ./ldap_sec.pl line 25, DATA line 751.
> >
> > root@install:~/prog#
>
> It seems to me that the verify option tells Net::LDAP whether it
> should verify that the certificate the server you are connecting to is
> using has been signed by a known certificate authority (listed in
> /etc/ssl/certs).
>
> start_tls will fail if the server does not provide any certificate, or
> if the certificate is not signed by a CA (ref
> http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).
>
> Atle.
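A corrected version of the script from the first message, as an added example (it is not the poster's code and not Net::LDAP's own documentation): StartTLS is negotiated with verify => 'require' before any credentials are sent, cafile/capath point at the self-signed CA described in the messages above, the hashed link that capath lookups depend on is checked before connecting, and every Net::LDAP result code is tested. The hostname, base DN, admin DN, CA and client key/cert paths and the LDAP_PW environment variable are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. All paths, names and the
# LDAP_PW environment variable are assumptions for illustration.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $server = 'install.myclub.com';         # the name the server cert was issued for
my $base   = 'dc=myclub,dc=com';
my $admin  = 'cn=admin,dc=myclub,dc=com';
my $cafile = '/etc/ssl/certs/cacert.pem';  # the CA that signed server-cert.pem
my $capath = '/etc/ssl/certs';

# With capath, OpenSSL locates a CA only through a link named
# <subject-hash>.0 (openssl x509 -hash prints that hash), so confirm the
# link exists before blaming the handshake.
sub ca_hash_link {
    my ($ca, $dir) = @_;
    my $hash = `openssl x509 -hash -noout -in $ca`;
    chomp $hash;
    return "$dir/$hash.0";
}
my $link = ca_hash_link($cafile, $capath);
-e $link or warn "missing $link; create it with: ln -s $cafile $link\n";

my $ldap = Net::LDAP->new($server, version => 3) or die "connect: $@\n";

# StartTLS first. With verify => 'require' the handshake fails unless the
# server certificate chains to a CA found via cafile/capath (newer Net::LDAP
# releases also compare the certificate name with $server).
my $mesg = $ldap->start_tls(
    verify     => 'require',
    cafile     => $cafile,
    capath     => $capath,
    clientcert => 'certs/client-cert.pem',
    clientkey  => 'certs/client-key.pem',
    keydecrypt => sub { 'secret' },
);
$mesg->code == LDAP_SUCCESS
    or die "start_tls failed: " . $mesg->error . "\n";

# Only now send credentials, over the encrypted channel.
$mesg = $ldap->bind($admin, password => $ENV{LDAP_PW} // '');
$mesg->code == LDAP_SUCCESS
    or die "bind failed: " . $mesg->error . "\n";

$mesg = $ldap->search(base => $base, scope => 'sub', filter => '(objectClass=*)');
$mesg->code == LDAP_SUCCESS
    or die "search failed: " . $mesg->error . "\n";
print $_->dn, "\n" for $mesg->entries;

$ldap->unbind;
```

Run against a server whose certificate does not chain to cacert.pem, this exits with the same "certificate verify failed" text seen in the thread instead of silently continuing; that difference is the whole point of 'require' over 'none', which accepts any certificate the server presents.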






Re: Q: LDAP - perl script using Net::LDAP and start_tls gives an error

2014-04-13 Thread Ric Moore

On 04/13/2014 04:45 PM, Snow Leopard wrote:

> Hi Atle,
>
> in my case I am the certificate authority (self-signed certificate) and I
> issue the private key and certificate (cacert.pem) for the root CA as well
> as for the LDAP server (server-key.pem and server-cert.pem) and the LDAP
> perl script client (client-key.pem and client-cert.pem).
>
> The script and client run on the same computer (for the moment), and the
> LDAP server private key (private/server-key.pem) and certificate
> (certs/server-cert.pem) are located in the /etc/ssl/ directory. The CA root
> certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory
> -- and as recommended I created a certificate link named using the hash value
>
> URL: https://metacpan.org/pod/Net::LDAP#start_tls
>
> ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0
>
> The client (perl script) has a reference to the client's key/cert in the
> script, which are stored in the sub-directory 'certs' where the script is
> located (certs/client-key.pem and certs/client-cert.pem).
>
> At the moment I do not fully grasp why verification of the server
> certificate fails.
>
> I welcome any ideas on how to fix it.
>
> NOTE: It is my first attempt to program with Net::LDAP and start_tls
> -- I am in the process of learning how it works and how to program to use
> LDAP over TLS in perl.
>
> Thanks for any input,
>
> Andrew
>
> On 4/13/2014 12:43 PM, Atle Solbakken wrote:
>
> > > If I make a change in the start_tls command for option verify =>
> > > none to one of 'optional' or 'required' then I get the next error message
> > >
> > > root@install:~/prog# ./ldap_sec.pl
> > > SSL connect attempt failed with unknown error error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
> > > ./ldap_sec.pl line 25, DATA line 751.
> > >
> > > root@install:~/prog#
> >
> > It seems to me that the verify option tells Net::LDAP whether it
> > should verify that the certificate the server you are connecting to
> > is using has been signed by a known certificate authority (listed in
> > /etc/ssl/certs).
> >
> > start_tls will fail if the server does not provide any certificate,
> > or if the certificate is not signed by a CA (ref
> > http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).



I think it would be better if there was an easier way. Especially for
older non-elastic brains. :) Ric




--

My father, Victor Moore (Vic) used to say:

There are two Great Sins in the world...

..the Sin of Ignorance, and the Sin of Stupidity.

Only the former may be overcome. R.I.P. Dad.

https://linuxcounter.net/cert/44256.png

X-oldie-warning: Toothless but still vicious




Archive: https://lists.debian.org/534afa9b.1000...@gmail.com