
Q: LDAP - perl script using Net::LDAP and start_tls gives an error


I am trying to write a Perl script with the Net::LDAP module and the start_tls command, and stumbled on a problem.

I would appreciate it if somebody could point me to "the source of the problem".

If there is a better place to get assistance in resolving the problem, please indicate it in your reply.

Thank you in advance,


OS             wheezy
slapd          2.4.31-1+nmu2
gnutls-bin     3.0.22-3+really2.12.20-8+deb7u1
cacert         /etc/ssl/certs/cacert.pem        -rw-r--r-- 1 openldap openldap
               /etc/ssl/certs/04a8f1dd.0 -> cacert.pem   lrwxrwxrwx 1 root root
server-key     /etc/ssl/private/server-key.pem  -rw------- 1 openldap openldap
server-cert    /etc/ssl/certs/server-cert.pem   -rw-r--r-- 1 openldap openldap

------- Begin of ldap_sec.pl ------------------------------

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
#use Net::LDAP::Util qw(ldap_error_text);
use Data::Dumper;

my $server = 'install.myclub.com';      #'localhost';
my $base   = 'dc=myclub,dc=com';
my $scope  = 'sub';
my $filter = 'objectClass=*';

my $ldap = Net::LDAP->new( $server ) or die "$@";

# Negotiate TLS before the bind so that nothing is sent on the clear-text
# connection; start_tls() returns a Net::LDAP::Message whose code()/error()
# carry the result.
my $mesg = $ldap->start_tls(
                        verify     => 'none',   # none, optional, require
                        clientcert => 'certs/client-cert.pem',
                        clientkey  => 'certs/client-key.pem',
                        keydecrypt => sub { 'secret'; },
                        capath     => '/etc/ssl/certs/',
);
$mesg->code && die "start_tls failed: " . $mesg->error . "\n";
#print Dumper($mesg); exit 0;

# Anonymous LDAPv3 bind. bind() always returns a message object, so the
# result code must be checked; "|| die" on the return value never fires.
$mesg = $ldap->bind( version => 3 );
$mesg->code && die "Could not bind: " . $mesg->error . "\n";

$mesg = $ldap->search(
                        base   => $base,
                        scope  => $scope,
                        filter => $filter,
);
#print Dumper($mesg);

if ($mesg->code) {
        die "An error occurred searching the LDAP server: "
          . $mesg->error . "\n";
}

# Print the first value of each attribute of every entry, right-aligned
# as in the output shown below.
foreach my $entry ( $mesg->entries ) {
        foreach my $attr ( $entry->attributes ) {
                printf "%11s: %s\n", $attr, scalar $entry->get_value($attr);
        }
        print "\n";
}

$mesg = $ldap->unbind;
------- End of ldap_sec.pl ---------------------------------

If the script is run as embedded above, it produces the correct output:

root@install:~/prog# ./ldap_sec.pl

objectClass: top
          o: myclub.com
         dc: myclub

objectClass: simpleSecurityObject
         cn: admin
description: LDAP administrator

If I change the "verify => none" option of the "start_tls" command to 'optional' or 'required', then I get the following error message:

root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ldap_sec.pl line 25, <DATA> line 751.

Otherwise, the LDAP server allows me to bind and retrieve information from the command line:

root@install:~/prog# ldapsearch -ZZ -H ldap:/// -W -D 'cn=admin,dc=myclub,dc=com'
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=myclub,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# myclub.com
dn: dc=myclub,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myclub.com
dc: myclub

# admin, myclub.com
dn: cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: {encrypted_password}    ### password removed

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
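Added example, not the poster's script: a Net::LDAP client that keeps server-certificate verification switched on (`verify => 'require'`), points at the CA file directly instead of relying on the hash-named symlinks that `capath` needs (the `04a8f1dd.0 -> cacert.pem` link above), and prints the OpenSSL reason plus the negotiated peer certificate when StartTLS fails or succeeds. Downgrading to `verify => 'none'` makes the error go away but leaves the session open to any certificate, including a forged one, so the diagnostic path is what a defender wants. The server name, CA path, base DN and admin DN are the ones in the post; the `LDAP_PASSWORD` environment variable is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): StartTLS with the
# server certificate actually verified, plus diagnostics on failure.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Values taken from the post; $admin_dn is the DN used in the ldapsearch run.
my $server   = 'install.myclub.com';
my $cafile   = '/etc/ssl/certs/cacert.pem';   # CA that issued server-cert.pem
my $base     = 'dc=myclub,dc=com';
my $admin_dn = 'cn=admin,dc=myclub,dc=com';

my $ldap = Net::LDAP->new( $server, version => 3 )
    or die "cannot connect to $server: $@\n";

# 'require' makes IO::Socket::SSL validate the server chain against $cafile.
# 'cafile' avoids depending on c_rehash-style symlinks in a 'capath' directory.
# 'none' would still encrypt but would accept any certificate at all.
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);

if ( $mesg->code ) {
    # $mesg->error is the Net::LDAP side; IO::Socket::SSL keeps the OpenSSL
    # reason string (e.g. "certificate verify failed").
    my $ssl_reason = IO::Socket::SSL::errstr() // 'no SSL error recorded';
    die sprintf "StartTLS to %s failed: %s [%s]\n",
        $server, $mesg->error, $ssl_reason;
}

# Show what was negotiated and whom we are talking to, so that an unexpected
# issuer or a subject that does not match $server is visible before any bind.
my $sock = $ldap->socket;
printf "cipher : %s\n", $ldap->cipher;
printf "subject: %s\n", $sock->peer_certificate('subject');
printf "issuer : %s\n", $sock->peer_certificate('issuer');

# Bind only after the channel is verified. The password comes from the
# environment (LDAP_PASSWORD is this example's assumption), so it never sits
# in the script or in the process argument list.
my $password = $ENV{LDAP_PASSWORD}
    // die "set LDAP_PASSWORD in the environment before running\n";
$mesg = $ldap->bind( $admin_dn, password => $password );
die "bind as $admin_dn failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(objectClass=*)',
    attrs  => ['objectClass'],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

for my $entry ( $mesg->entries ) {
    printf "%s\n", $entry->dn;
    printf "    objectClass: %s\n", $_ for $entry->get_value('objectClass');
}

$ldap->unbind;
```

If this still dies with "certificate verify failed", the two things to check are that `cacert.pem` really is the issuer of `server-cert.pem` (`openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/server-cert.pem`) and that the certificate's CN or subjectAltName matches `install.myclub.com`, since newer Net::LDAP/IO::Socket::SSL versions check the hostname as part of `verify => 'require'`. The `subject:`/`issuer:` lines printed after a successful handshake show exactly which certificate the client accepted.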
