On Monday 16 August 2004 08:57, Chris Ridd wrote:

> > I had working LDAP over SSL connection to an AD server from my GNU/Linux
> > box for about a year when suddenly it stopped working. Perl scripts to
> > manage users' data (including passwords), PAM modules (nss_ldap), glibc's
> > getent - all stopped working at the same time. What to do? I disabled SSL
> > in all configs. Now pure LDAP works fine, but it doesn't allow me to
> > manage the passwords. So it seems that the problem is on the AD side.
> >
> > I can connect using telnet to both 389 and 636 ports of the machine where
> > the AD is installed. But when I try it with perl:
> >
> > [clip]
> >
> > #!/usr/bin/perl
> >
> > use Net::LDAPS;
> > use strict;
> >
> > my $ldaps = new Net::LDAPS('ldaps://AD_SERVER') || die "$@";
> >
> > print "ldaps = $ldaps\n";
> >
> > [/clip]
> >
> > I get: "IO::Socket::SSL: Timeout at test.pl line 6, <DATA> line 225." .
> > If "ldaps:" protocol is changed to "ldap" - I get the HASH.
> >
> > So the AD's admin checked the certificates and said they were not
> > expired. I still think it's somehow connected to certificates. I do not
> > remember now how we set the SSL connection up then. But is there
> > another way to check certs?
>
> A simple way is to use the openssl command-line s_client tool, which just
> makes an SSL connection to a server. Point it at AD's LDAPS port and see
> what it reports. (Play with verbose etc flags.)

Thanks. The problem appeared to be the OpenSSL version I have on the GNU/Linux 
box, 0.9.6, which cannot receive messages bigger than 512 bytes. The 
certificate bundle returned on an "openssl s_client" call is about 10 KB and 
contains over 60 certs.

It worked with the latest OpenSSL. The openssl tool works, but perl-ldap still 
does not. Is it possible to link my perl script with a new OpenSSL installed 
separately?

Actually, I'm not sure it worked 100%, as some errors say:

[clip]

---
SSL handshake has read 9919 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 6C13000098D6744FB0E2B23FD587CCC967E324177CB2DB19E55496EA269A9F32
    Session-ID-ctx:
    Master-Key: AF0F224422F18FD204E1F8C9D1A066420BA5F7842F4100416C49B92B8075342DCE02C964A8F6D2B4FDBB356F5B6F5CA1
    Key-Arg   : None
    Start Time: 1094499325
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

[/clip]

Can the verification problem cause the perl-ldap over SSL error? It is still 
the same:

IO::Socket::SSL: Timeout

on establishing a connection using Net::LDAPS.

TIA,

-- 
[EMAIL PROTECTED]
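As an added example (not code from the thread), a small POSIX shell wrapper around the "openssl s_client" check suggested above: it assumes openssl is on PATH and that the CA certificate which issued the AD server certificate is available as a PEM file, and it boils the chatty output down to the fields that matter here, including the verify return code.

```shell
#!/bin/sh
# Added example, not from the thread. Reduce "openssl s_client" output to the
# negotiated cipher, the amount of handshake data read, the number of server
# certificates shown (-showcerts) and the verify return code. A non-zero verify
# code (21, "unable to verify the first certificate", in the clip above) means
# the client has no trust anchor for the chain; supply the AD CA certificate
# with -CAfile until the code is 0 before debugging the LDAP client itself.

# summarize_s_client: reads s_client output on stdin, prints one line:
#   verify=<code> cipher=<name> read=<bytes> certs=<n>
summarize_s_client() {
    awk '
        /^SSL handshake has read/     { bytes = $5 }
        /^New, .*Cipher is/           { cipher = $NF }
        /-----BEGIN CERTIFICATE-----/ { certs++ }
        /Verify return code:/         { sub(/.*Verify return code: */, ""); code = $1 }
        END {
            printf "verify=%s cipher=%s read=%s certs=%d\n",
                   (code == "" ? "none" : code), cipher, bytes, certs
        }
    '
}

# check_ldaps HOST[:PORT] [CAFILE]: connect to the LDAPS port (default 636)
# and summarise. CAFILE is the PEM CA certificate for the AD server chain.
check_ldaps() {
    target="$1"
    case "$target" in *:*) ;; *) target="$target:636" ;; esac
    if [ -n "$2" ]; then
        # -CAfile supplies the trust anchor the "code 21" run was missing
        printf 'Q\n' | openssl s_client -connect "$target" -showcerts -CAfile "$2" 2>/dev/null
    else
        printf 'Q\n' | openssl s_client -connect "$target" -showcerts 2>/dev/null
    fi | summarize_s_client
}

# Example invocation (needs network access; AD_SERVER and the CA path are placeholders):
# check_ldaps AD_SERVER /etc/ssl/certs/ad-ca.pem
```

Once the summary reports verify=0 with the CA file, point perl-ldap at the same CA file (IO::Socket::SSL needs it too); if it still times out, the remaining problem is on the Perl side rather than the certificates.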