On 6/9/04 9:24 pm, Vladimir Levijev <[EMAIL PROTECTED]> wrote:
> On Monday 16 August 2004 08:57, Chris Ridd wrote:
>
>>> I had working LDAP over SSL connection to an AD server from my GNU/Linux
>>> box for about a year when suddenly it stopped working. Perl scripts to
>>> manage users data (including passwords), PAM modules (nss_ldap), glibc's
>>> getent - all stopped working at the same time. What to do? I disabled SSL
>>> in all configs. Now pure LDAP works fine, but it doesn't allow me to
>>> manage the passwords. So it seems that the problem is on the AD side.
>>>
>>> I can connect using telnet to both 389 and 636 ports of the machine where
>>> the AD is installed. But when I try it with perl:
>>>
>>> [clip]
>>>
>>> #!/usr/bin/perl
>>>
>>> use Net::LDAPS;
>>> use strict;
>>>
>>> my $ldaps = new Net::LDAPS('ldaps://AD_SERVER') || die "$@";
>>>
>>> print "ldaps = $ldaps\n";
>>>
>>> [/clip]
>>>
>>> I get: "IO::Socket::SSL: Timeout at test.pl line 6, <DATA> line 225." .
>>> If "ldaps:" protocol is changed to "ldap" - I get the HASH.
>>>
>>> So the AD's admin checked the certificates and said they were not
>>> expired. I still think it's somehow connected to certificates. I do not
>>> remember now how we set the SSL connection up then. But is there
>>> another way to check certs?
>>
>> A simple way is to use the openssl command-line s_client tool, which just
>> makes an SSL connection to a server. Point it at AD's LDAPS port and see
>> what it reports. (Play with verbose etc flags.)
>
> Thanks. The problem appeared to be the OpenSSL version I have on the GNU/Linux
> box, 0.9.6, which cannot receive messages bigger than 512 bytes. The
> certificate bundle returned on an "openssl s_client" call is about 10 KB and
> contains over 60 certs.
>
> It worked with latest OpenSSL. The openssl tool works, but not perl-ldap
> still. Is it possible to link my perl script with new OpenSSL installed
> separately?
>
> Actually, I'm not sure it worked 100%, as some errors say:
>
> [clip]
>
> ---
> SSL handshake has read 9919 bytes and written 342 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : RC4-MD5
> Session-ID: 6C13000098D6744FB0E2B23FD587CCC967E324177CB2DB19E55496EA269A9F32
> Session-ID-ctx:
> Master-Key: AF0F224422F18FD204E1F8C9D1A066420BA5F7842F4100416C49B92B8075342DCE02C964A8F6D2B4FDBB356F5B6F5CA1
> Key-Arg : None
> Start Time: 1094499325
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
>
> [/clip]
>
> Can the verification problem cause the perl-ldap over SSL error? Which is still
> the same:
>
> IO::Socket::SSL: Timeout
>
> on establishing a connection using Net::LDAPS.
I don't think verification failure will cause a timeout error. You could set
verify => none in the Net::LDAPS constructor to prevent the SSL library from
trying to verify things.
I guess you will need to make sure your perl is using the same version of
the SSL libraries. If you install a newer version of IO::Socket::SSL
(Net::SSLeay? I forget!) it might link against your working SSL libs.
Cheers,
Chris
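As an added example, not part of the original thread, the following POSIX shell helper does what Chris suggests in two steps: it probes the LDAPS port with `openssl s_client -showcerts`, pulls the verify return code, handshake size and number of certificates out of the transcript, and then reports which OpenSSL the Perl SSL stack (Net::SSLeay, the library under IO::Socket::SSL) was built against so it can be compared with the command-line `openssl`. The host name AD_SERVER is the placeholder from the post; the function names are this example's own, and the embedded sample transcript is constructed from the s_client output quoted above, with placeholder PEM blocks that are not real certificates. Code 21 in the transcript means the server's certificate could not be chained to a trusted CA; passing the issuing CA with `-CAfile` is the way to confirm the chain, and `verify => none` in Net::LDAPS only bypasses that check rather than fixing it.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose an LDAPS endpoint with
# openssl s_client and check which OpenSSL the Perl SSL modules use.
# Usage: sh ldaps-check.sh AD_SERVER [port] [ca.pem]

# Connect to HOST:PORT and return the full s_client transcript.
# -showcerts prints every certificate the server sends, so an oversized
# chain (the ~10 KB bundle from the post) is visible; -CAfile, when given,
# supplies the trust anchor the verification should succeed against.
ldaps_probe() {
    host=$1; port=${2:-636}; cafile=$3
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:$port" -showcerts -CAfile "$cafile" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -showcerts </dev/null 2>&1
    fi
}

# Extract the numeric "Verify return code" from a transcript on stdin.
# 0 means the chain verified; 21 (as in the post) means the server's
# certificate could not be chained to a trusted CA.
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# Bytes read during the handshake; a large value means a long chain.
handshake_bytes() {
    sed -n 's/^SSL handshake has read \([0-9]*\) bytes.*/\1/p' | head -n 1
}

# Number of PEM certificates in the transcript (needs -showcerts output).
# grep -c exits 1 when the count is 0, so mask that status.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Report the OpenSSL that Perl's Net::SSLeay was compiled against and the
# shared library it actually loads, to compare with `openssl version`.
perl_ssl_version() {
    perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version(0), "\n"' 2>/dev/null \
        || echo "Net::SSLeay not installed"
    so=$(perl -MNet::SSLeay -e 'print $INC{"Net/SSLeay.pm"}' 2>/dev/null \
        | sed 's|SSLeay.pm$|../auto/Net/SSLeay/SSLeay.so|')
    if [ -n "$so" ] && [ -f "$so" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$so" | grep -i ssl
    fi
    echo "command-line: $(openssl version 2>/dev/null || echo 'openssl not found')"
}

# Constructed sample transcript (cut down from the post; PEM bodies are
# placeholders, not real certificates) so the parsers can be exercised offline.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
SSL handshake has read 9919 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
    Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

if [ $# -gt 0 ]; then
    transcript=$(ldaps_probe "$1" "${2:-636}" "$3") || true
    printf 'certs sent:      %s\n' "$(printf '%s\n' "$transcript" | cert_count)"
    printf 'handshake bytes: %s\n' "$(printf '%s\n' "$transcript" | handshake_bytes)"
    printf 'verify code:     %s\n' "$(printf '%s\n' "$transcript" | verify_code)"
    perl_ssl_version
fi
```

Run it as `sh ldaps-check.sh AD_SERVER 636 ca.pem`; a verify code of 0 with the CA file but 21 without it points at a missing trust anchor on the client rather than a server fault, while differing version strings from `perl_ssl_version` and `openssl version` reproduce the mismatch Chris describes.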