Re: ssl/tls troubles

Thu, 11 Sep 2014 11:58:56 -0700 

Did you try the ‚cafile‘ option of start_tls?
http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod#start_tls

Regards,
Daniel

Am 11.09.2014 um 17:58 schrieb Natxo Asenjo <natxo.ase...@gmail.com>:

> hi,
> 
> in my host (fedora 20)I have imported the root CA certificate of our 
> corporate AD domain. Using ldapsearch it works, and visiting secure sites 
> signed by that CA are verified.
> 
> But I do not exactly know hot to tell my script how to do the same.
> 
> This is it:
> 
> use Net::LDAP;
> use Data::Dumper;
> 
> my $ldap = Net::LDAP->new( 'd01.domain.tldl' ) or die "$@";
> 
> my $mesg = $ldap->start_tls(
>     verify => 'require',
>     capath => '/etc/ssl/certs/',
>     sslversion => 'tlsv1',
> );
> 
> print Dumper $mesg;
> 
> $mesg =$ldap->bind (
>     "user",
>      password    => 'pwd',
>      version     => 3,
> ); 
> 
> my $search = $mesg->search(
>                         base    => "dc=domain,dc=tld",
>                         scope   => "sub",
>                         filter  => "(samaccountname=*)",
>                         attr    => ['samaccountname'],
>                     );
> 
> $mesg->code ;
> 
> for my $entry ( $mesg->entries) {
>     print $entry->get_value( 'samaccountname'), "\n";;
> }
> 
> $ldap->unbind;
> 
> $ perl department.pl 
> $VAR1 = bless( {
>                  'responseName' => '1.3.6.1.4.1.1466.20037',
>                  'matchedDN' => '',
>                  'raw' => undef,
>                  'mesgid' => 1,
>                  'ctrl_hash' => undef,
>                  'callback' => undef,
>                  'controls' => undef,
>                  'resultCode' => 1,
>                  'parent' => bless( {
>                                       'net_ldap_rawsocket' => bless( 
> \*Symbol::GEN0, 'IO::Socket::INET' ),
>                                       'net_ldap_debug' => 0,
>                                       'net_ldap_mesg' => {},
>                                       'net_ldap_host' => 'dc01.domain.tld',
>                                       'net_ldap_port' => 389,
>                                       'net_ldap_async' => 0,
>                                       'net_ldap_uri' => 'dc01.domain.tld',
>                                       'net_ldap_socket' => 
> $VAR1->{'parent'}{'net_ldap_rawsocket'},
>                                       'net_ldap_resp' => {},
>                                       'net_ldap_scheme' => 'ldap',
>                                       'net_ldap_version' => 3,
>                                       'net_ldap_refcnt' => 1
>                                     }, 'Net::LDAP' ),
>                  'errorMessage' => 'SSL connect attempt failed 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
> failed'
>                }, 'Net::LDAP::Extension' );
> Can't locate object method "search" via package "Net::LDAP::Bind" at 
> department.pl line 43, <DATA> line 751.
> 
> 
> So it clearly does not trust the certificate. The certificate is in 
> /etc/ssl/certs/ca-bundle.trust.crt.
> 
> Any tips greatyl appreciated.
> 
> 
> --
> Groeten,
> natxo

Reply via email to