I am having all sorts of problems getting a secure connection to my LDAP server. I am using:

  openldap 2.1.25
  Net::LDAP 0.26
  IO::Socket::SSL 1.26
  Perl v5.6.1
My code is (actually, it is an example I found on the net):
----------------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;
use Net::LDAPS;

# Bind credentials and server details (placeholders).
my $dn          = "uid=mylogin,ou=myusers,ou=myunit,o=myorg";
my $pw          = "mypass";
my $ldap_server = "myserver.some.com";
my $cafile      = "/usr/local/etc/openldap/cacert.pem";

# LDAPS: the SSL handshake happens before any LDAP traffic, on port 636.
# verify => 'none' means the server certificate is NOT checked against $cafile.
my $ldcon = Net::LDAPS->new($ldap_server,
                            port    => 636,
                            version => 3,
                            verify  => 'none',
                            cafile  => $cafile)
    or die "Can't connect $@";

my $mesg = $ldcon->bind(dn => $dn, password => $pw, version => 3);
$mesg->code and die "Bind failed: " . $mesg->error;

my $version = $ldcon->version;
print "version is $version\n";

# cipher() only reports something once the SSL socket is actually up.
print "cipher is ", $ldcon->cipher, "\n";
----------------------------------------------------------------------------
I get:

Can't connect IO::Socket::SSL: Timeout at ./sslconn.pl line 9.
I also tried a TLS version:
----------------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;
use Net::LDAP qw(:all);

my $ldaphost = "myserver.some.com";
my $port     = 389;
my $cafile   = "/usr/local/etc/openldap/cacert.pem";

# Plain LDAP connection first; start_tls then upgrades it in place.
my $ldapconn = Net::LDAP->new($ldaphost, port => $port, version => 3)
    or die "$@";

my $result = $ldapconn->start_tls(verify => 'require', cafile => $cafile);
if ($result->code) {
    # Something went wrong: there was an LDAP error.
    print "code: "     . $result->code     . "\n";
    print "done: "     . $result->done     . "\n";
    print "error: "    . $result->error    . "\n";
    print "is_error: " . $result->is_error . "\n";
    # Note: execution carries on below even though TLS was not established.
}

# After a successful start_tls the socket should be an IO::Socket::SSL.
print ref($ldapconn->socket), "\n";
print "cipher chosen:", $ldapconn->cipher, "\n";
my $servercert = $ldapconn->certificate;
print "LDAP server cert issuer:\n",  $servercert->issuer_name,  "\n\n";
print "LDAP server cert subject:\n", $servercert->subject_name, "\n\n";
----------------------------------------------------------------------------
and I get:

code: 1
done: 1
error: Operations error
is_error: 1
IO::Socket::INET
Use of uninitialized value in print at ./tlsconn3.pl line 23.
cipher chosen:
Can't call method "issuer_name" on an undefined value at ./tlsconn3.pl line 25.
I printed out $ldapconn->socket because I had seen an earlier reference to a bug in IO::Socket::SSL.
Using the Java ldap-browser I can connect to the server on port 636 when I enable the SSL checkbox (is this SSL or TLS?). If anyone has any ideas I'd love to hear them.
Re: ldap-browser - it's SSL.
SSL talks on port 636. TLS talks on port 389. TLS "upgrades" an existing LDAP connection to encrypt the traffic - hence the start_tls following the constructor.
It looks like the server is listening on ports 389 and 636. Try verifying that your certificates are correct -
openssl s_client -connect <server:636> -CApath <path to CA dir>
Then verify that TLS works ok with standard clients - /path/to/openldap/bin/ldapsearch -ZZ -x ...
If that looks ok, the only thing I can suggest is adding sslversion=>'sslv3' to the start_tls call.
Dave -- Dave Lewney Principal Systems Programmer, IT Services University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
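The exchange Dave describes above (plain LDAP on 389, then a StartTLS ExtendedRequest that upgrades the same socket), as an added example that is not part of this thread and not Net::LDAP's own code. It is written in Python rather than Perl so it runs without a server: both the client's StartTLS request and the server's ExtendedResponse are built and decoded locally using the BER layout from RFC 4511, and the sample responses, including the resultCode 1 (operationsError) the original poster saw, are constructed for the example. The `RESULT_NAMES` table and the `may_start_tls_handshake` helper are this example's own, not protocol definitions.

```python
# StartTLS ExtendedRequest / ExtendedResponse on the wire (RFC 4511 BER).
# Added example; all bytes here are constructed, nothing contacts a server.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID

TAG_SEQUENCE          = 0x30
TAG_INTEGER           = 0x02
TAG_OCTET_STRING      = 0x04
TAG_ENUMERATED        = 0x0A
TAG_EXTENDED_REQUEST  = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_REQUEST_NAME      = 0x80   # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME     = 0x8A   # [10] responseName inside ExtendedResponse

# Subset of LDAP result codes, named here for readability (example's own table).
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable"}


def ber_length(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_starttls_request(message_id=1):
    """Client side: LDAPMessage { messageID, ExtendedRequest { requestName [0] } }."""
    op = tlv(TAG_EXTENDED_REQUEST,
             tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id)) + op)


def build_extended_response(message_id, result_code, diagnostic="",
                            response_name=None):
    """Server side (constructed): resultCode, empty matchedDN,
    diagnosticMessage, optional responseName [10]."""
    body = (tlv(TAG_ENUMERATED, ber_int(result_code))
            + tlv(TAG_OCTET_STRING, b"")
            + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    if response_name is not None:
        body += tlv(TAG_RESPONSE_NAME, response_name.encode("ascii"))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_int(message_id))
               + tlv(TAG_EXTENDED_RESPONSE, body))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def parse_extended_response(buf):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, pos = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % tag)
    tag, rc, p = read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, p = read_tlv(op, p)
    _, diagnostic, p = read_tlv(op, p)
    response_name = None
    while p < len(op):                     # optional referral / responseName / responseValue
        tag, val, p = read_tlv(op, p)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode("ascii")
    code = int.from_bytes(rc, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": code,
            "result_name": RESULT_NAMES.get(code, "other(%d)" % code),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diagnostic.decode("utf-8"),
            "response_name": response_name}


def may_start_tls_handshake(response_bytes, expected_id):
    """True only for resultCode success on our own messageID: that is the one
    case where the server now expects a TLS ClientHello on the same socket.
    Anything else leaves the connection in plaintext and it must not be wrapped."""
    r = parse_extended_response(response_bytes)
    return r["message_id"] == expected_id and r["result_code"] == 0


if __name__ == "__main__":
    req = build_starttls_request(1)
    print("StartTLS request:", req.hex())
    ok = build_extended_response(1, 0, response_name=STARTTLS_OID)
    bad = build_extended_response(1, 1, "TLS not available")   # constructed failure
    for label, resp in (("success", ok), ("failure", bad)):
        print(label, parse_extended_response(resp), may_start_tls_handshake(resp, 1))
```

The poster's second script prints `IO::Socket::INET` after the failed start_tls for exactly the reason the last function encodes: until the server answers with resultCode 0 the socket is still the plain TCP one, so `cipher` and `certificate` have nothing to report. With LDAPS on 636 none of this exchange takes place; the client begins the TLS handshake immediately after connecting, which is why `openssl s_client -connect host:636` can talk to that port directly while the same command against 389 would only see plaintext LDAP.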
