On 25/6/03 7:21 pm, Scantland, Martin [CAR:W669:EXCH]
<[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm fairly new to using SSL, so please don't be too harsh. I've looked in
> different places, but couldn't find anything useful about the error I'm
> getting... Here's a simple sample script:
>
> use Net::LDAP;
>
> $ldap = Net::LDAP->new('server', onerror => 'warn', debug=>'8');
>
> $ldap->start_tls(verify     => 'require',
>                  capath     => '/usr/local/ssl/CA/',
>                  clientcert => '/usr/local/ssl/certs/mine.pem',
>                  clientkey  => '/usr/local/ssl/private/mine.pem',
>                  onerror    => 'warn',
>                  version    => '3'
> ) or die $ldap->error;
>
> $ldap->bind();
> ...
>
> I'm getting a "Protocol error at ./ldapAuthenticate.pl line 7" (which is the
> start_tls line), does that say anything obvious that I should be catching?
> The server I'm trying to connect to is running LDAP v3, and I've been able
> to bind, search, etc. without the start_tls().
>
> Martin
Not all servers support the start_tls() extension, even though they may
support LDAPS. Servers advertise their support for various extensions etc. in
a special entry at the root of the directory. Recent versions of Net::LDAP
give you access to that:
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_EXTENSION_START_TLS);

$ldap = Net::LDAP->new('server', onerror => 'warn', debug=>'8');
$root_dse = $ldap->root_dse();   # root DSE entry: supportedExtension, supportedLDAPVersion, ...
if ($root_dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
    # try start_tls now
}
(Warning, typed in mail client - code may not run!)
You could also try with verify set to 'none' in case the problem's reading
the certs. (Don't run with verify set to none in production :-) If your key
is encrypted, you also need to pass a 'decryptkey' argument, pointing to a
sub returning the decrypt password:
decryptkey => sub { "mysecretpassword"; },
Cheers,
Chris
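A fuller version of the check Chris describes, written as an added example (it is not code from either poster): it reads the root DSE, stops if the server does not advertise the StartTLS extended operation, and only then negotiates TLS with verify => 'require' and a client certificate. The host name, the certificate and key paths, and the LDAP_KEY_PASSPHRASE environment variable used by the decryptkey callback are assumed placeholders; the reported cipher after negotiation comes from Net::LDAP's cipher() method.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_EXTENSION_START_TLS);

# Assumed placeholders: replace with your own server and key material.
my $host   = 'ldap.example.com';
my $capath = '/usr/local/ssl/CA/';
my $cert   = '/usr/local/ssl/certs/mine.pem';
my $key    = '/usr/local/ssl/private/mine.pem';

my $ldap = Net::LDAP->new($host, version => 3)
    or die "Cannot connect to $host: $@";

# Step 1: ask the root DSE whether StartTLS is advertised at all. A server
# that only offers LDAPS (TLS from the first byte on port 636) will not list
# this OID, and start_tls() then fails with a protocol error.
my $dse = $ldap->root_dse
    or die "Server returned no root DSE; cannot tell whether StartTLS is supported\n";

unless ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
    die "Server does not advertise StartTLS (OID " . LDAP_EXTENSION_START_TLS . ")\n";
}

# Step 2: negotiate TLS. verify => 'require' makes the connection fail unless
# the server certificate chains to a CA found under $capath, so a wrong or
# unreadable CA directory shows up here rather than as a silent downgrade.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    capath     => $capath,
    clientcert => $cert,
    clientkey  => $key,
    # Called only if the private key is encrypted; the passphrase is read
    # from the environment instead of being written into the script.
    decryptkey => sub {
        $ENV{LDAP_KEY_PASSPHRASE} // die "LDAP_KEY_PASSPHRASE is not set\n"
    },
);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

print "TLS established, cipher: ", $ldap->cipher, "\n";

# Step 3: only now send credentials; before this point the channel is clear text.
$mesg = $ldap->bind;
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

$ldap->unbind;
```

Running this against a server that does not advertise the extension gives a clear message instead of the bare "Protocol error"; against a server that does, a failure at the start_tls step points at the certificate or CA configuration rather than at the protocol.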