It's my understanding that using LDAPS->new or $ldap->start_tls with the
option
verify => 'require'
should verify the host name and fail if it's not an exact match. From my
experience with websites, TLS/SSL requires that if the cert contains the
FQDN for the server, the verification will fail if the name in the web
browser's address bar doesn't also have the FQDN.
I wrote a program using the code below. The cert for the LDAP server has
the FQDN (ldap1.domain.tld), however when I call the program with
hostname specified as "ldap1", I do not get any kind of verification
error. ldap1 doesn't allow any unencrypted traffic at all, so I know
I must be connecting over SSL/TLS or I would have gotten a
"confidentiality required" error from the server.
Am I doing something wrong, or have an incorrect understanding of how
SSL/TLS works in this case?
use strict;
use warnings;
use Net::LDAP;

# $hostname, $port, $ssl, $verbose, $timeout and $cafile are set by the
# option handling earlier in the script (not shown here).
my $ldap;

# Step 1:
# Try to connect. If we fail here, exit with return code 2
if (($port && $port == 636) || $ssl) {
    if ($verbose) {
        print "Connecting with scheme = ldaps\n";
    }
    if (!$port) {
        $port = '636';    # default LDAPS port (389 is the plain LDAP port)
    }
    # verify => 'require' makes the connection fail unless the server
    # certificate chains to a CA in $cafile; on failure new() returns
    # undef and the reason is left in $@.
    $ldap = Net::LDAP->new($hostname,
        port    => $port,
        scheme  => 'ldaps',
        timeout => $timeout,
        verify  => 'require',
        cafile  => $cafile
    ) || exit (2);
} else {
    if ($verbose) {
        print "Connecting with scheme = ldap\n";
    }
    $ldap = Net::LDAP->new($hostname,
        port    => $port,
        scheme  => 'ldap',
        timeout => $timeout
    ) || exit (2);
}
--
Prentice
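A way to see exactly what a hostname check would decide for a given certificate, as an added example that is not part of the original post and not Net::LDAP's own code: it opens the LDAPS port directly with IO::Socket::SSL (the module Net::LDAP uses underneath for ldaps), verifies the chain against the CA file, prints the certificate's CN and subjectAltName entries, and then runs the 'ldap' hostname-matching rules against both the short name and the FQDN on the same connection. The host name, port and CA file path are placeholders to adjust.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Placeholder values: adjust to your environment.
my $peer   = 'ldap1.domain.tld';
my $port   = 636;
my $cafile = '/etc/ssl/certs/ca-bundle.crt';
my @names  = ('ldap1', 'ldap1.domain.tld');   # short name vs. FQDN

# Verify the certificate chain here, but defer the hostname check so it
# can be run for each candidate name against the same certificate.
my $sock = IO::Socket::SSL->new(
    PeerHost            => $peer,
    PeerPort            => $port,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $cafile,
    SSL_verifycn_scheme => 'none',
) or die "TLS connection failed: $IO::Socket::SSL::SSL_ERROR\n";

print "Certificate CN: ", $sock->peer_certificate('commonName'), "\n";

# subjectAltNames comes back as a flat (type, value, type, value, ...)
# list; type 2 is a DNS name, type 7 an IP address (RFC 3280 GEN_* codes).
my @sans = $sock->peer_certificate('subjectAltNames');
while (my ($type, $value) = splice(@sans, 0, 2)) {
    print "Certificate SAN: type $type = $value\n";
}

# verify_hostname() applies the 'ldap' scheme (SAN DNS entries first,
# CN as fallback, wildcards allowed) to an arbitrary name without
# reconnecting, so a mismatch is reported rather than silently accepted.
for my $name (@names) {
    my $ok = $sock->verify_hostname($name, 'ldap');
    printf "%-20s %s\n", $name,
        $ok ? "matches certificate" : "DOES NOT match certificate";
}

$sock->close(SSL_ctx_free => 1);
```

A name that prints "DOES NOT match certificate" here is one a hostname-verifying client must reject, so the output shows what verification against the short name should look like independently of how Net::LDAP is configured.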