I got a bit further with my problem. I first modified Net::LDAP.pm (line 392) by adding ssf to the connection property when using SASL.

   $sasl_conn->property(
     sockname => $ldap->{net_ldap_socket}->sockname,
     peername => $ldap->{net_ldap_socket}->peername,
     ssf => 0,
   );

This fails with a decode error during bind:

Decoding error at ./LDAP-AD-query.pl line 87.

But when using SASL::Perl and modifying Net::LDAP.pm by adding maxssf to the connection property, I can connect with SSL and SASL/GSSAPI to Active Directory.

   $sasl_conn->property(
     sockname => $ldap->{net_ldap_socket}->sockname,
     peername => $ldap->{net_ldap_socket}->peername,
     maxssf => 0,
   );

Now my question is: what is the best method to get the maxssf setting from my Perl script into the LDAP connection setup? I would think the best would be to add an option to SASL->new, e.g. connection_property => { maxssf => 0, ... }, which can then be used in LDAP.pm, e.g.

   $sasl_conn->property(
     sockname => $ldap->{net_ldap_socket}->sockname,
     peername => $ldap->{net_ldap_socket}->peername,
   );
   # connection_property is the proposed (hypothetical) option: a hash
   # reference that SASL->new would store on the Authen::SASL object
   my $extra = $sasl->{connection_property} || {};
   $sasl_conn->property( $_ => $extra->{$_} ) for keys %$extra;


As you can see, I am not a Perl programmer. Any suggestions on how best to implement this?

Thank you
Markus

"Markus Moeller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Has nobody else experienced my problem? Any hint on how I could debug it?

Thank you
Markus


"Markus Moeller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
At the moment I use Authen::SASL as follows:

use strict;
use warnings;
use Net::LDAPS;
use Authen::SASL;
use Authen::Krb5;
....
# LDAPS on port 636; server certificate verification is switched off here
my $ldap = Net::LDAPS->new( $server,
                            port    => 636,
                            timeout => 2,
                            verify  => 'never',
                            version => 3) or die "$@";

# SASL/GSSAPI (Kerberos) bind using the credentials in the ticket cache
my $sasl = Authen::SASL->new('GSSAPI', 'user' => '');
my $mesg = $ldap->bind( '',
                        sasl => $sasl) ;

$mesg->code && die $mesg->error;
...

and get the error:

00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos signing/sealing when using TLS/SSL, data 0, vece at ./LDAP-AD-query.pl line 82.

I read that a property setting is possible with Authen::SASL but can't find an example of how to do it outside of Net::LDAP.

Would it be possible to modify Net::LDAP to set SSF to 0 if LDAPS or start_tls is used?

Thank you
Markus
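As an added example that is not part of the thread (and not Net::LDAP's or Authen::SASL's own code), here is one way to apply the maxssf setting asked about in the first and third messages from the calling script, without patching Net::LDAP.pm: a small subclass of Authen::SASL overrides client_new so that every connection object it hands to Net::LDAP is created with maxssf => 0. It assumes that Net::LDAP calls client_new itself and afterwards sets only sockname and peername (as the quoted snippet shows), that the pure-Perl backend honours maxssf for GSSAPI as reported above, and that a Kerberos ticket is already in the cache; the class name SASL::NoSecurityLayer, the host dc1.example.com and the CA file path are placeholders.

```perl
#!/usr/bin/perl
# Added example: SASL/GSSAPI bind to Active Directory over LDAPS with the
# Kerberos security layer disabled (maxssf => 0), so AD does not answer
# "Cannot start kerberos signing/sealing when using TLS/SSL".
use strict;
use warnings;

# Prefer the pure-Perl backend, which the thread reports honouring maxssf.
use Authen::SASL qw(Perl);
use Net::LDAP;

# Hypothetical wrapper class: an Authen::SASL object whose connection
# objects are created with maxssf => 0.  Net::LDAP calls client_new()
# itself and then sets only sockname/peername, so maxssf survives.
package SASL::NoSecurityLayer;
use parent 'Authen::SASL';

sub client_new {
    my ($self, @args) = @_;
    my $conn = $self->SUPER::client_new(@args);
    # maxssf => 0: negotiate no integrity/privacy layer; TLS already
    # protects the channel, which is the only reason this is acceptable.
    $conn->property(maxssf => 0) if $conn;
    return $conn;
}

package main;

my $server = 'dc1.example.com';           # placeholder
my $cafile = '/etc/ssl/certs/ad-ca.pem';  # placeholder

# verify => 'require': the TLS session is what protects the LDAP traffic
# once the SASL layer is gone, so it must be authenticated.
my $ldap = Net::LDAP->new($server,
    scheme  => 'ldaps',
    port    => 636,
    timeout => 2,
    verify  => 'require',
    cafile  => $cafile,
    version => 3,
) or die "connect: $@";

# Only drop the SASL layer when the socket really is TLS; on a plaintext
# connection keep the default so Kerberos signing/sealing still applies.
my $over_tls = $ldap->socket->isa('IO::Socket::SSL');
my $class    = $over_tls ? 'SASL::NoSecurityLayer' : 'Authen::SASL';
my $sasl     = $class->new(mechanism => 'GSSAPI');

my $mesg = $ldap->bind(sasl => $sasl);
die 'bind: ' . $mesg->error if $mesg->code;

printf "bound via GSSAPI, security layer %s\n",
    $over_tls ? 'disabled (TLS in use)' : 'negotiated by SASL';
$ldap->unbind;
```

The wrapper is chosen per connection rather than applied unconditionally because maxssf => 0 removes Kerberos integrity and confidentiality from the LDAP traffic. That is exactly what AD demands when TLS is in use, but it leaves the TLS session as the only protection, so the example turns certificate verification on (the original script uses verify => 'never') and keeps the default SASL layer whenever the socket is not an IO::Socket::SSL.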
