I'm trying to use Net::LDAP to do LDAPS authentication against my Server 2008 Active Directory and I'm having a hard time getting server verification to work.
So far, my (super simple) code works if I use verify => 'none' in start_tls, but as soon as I set it to 'require' or 'optional', I get this error:
SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line 23, line 522.
When I test from the command line using openssl s_client it works okay, so I don't think it's an OpenSSL problem. But I'm kind of a noob with Perl, so I'm not sure what else to debug next.
Here's the relevant code snippet:
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# new() returns undef and sets $@ if the host cannot be reached
my $ldap = Net::LDAP->new('ho.mydomain.com')
    or die "LDAP error: $@";

# Upgrade the plain ldap:// connection to TLS and require a verified
# server certificate, using the CA directory given in capath
my $mesg = $ldap->start_tls(
    sslversion => 'tlsv1',
    verify     => 'require',
    capath     => '/etc/ssl/certs/',
);
die $mesg->error if $mesg->is_error;
All the certs in the chain are signed with SHA512RSA. Also the CA Cert is 4096 bits and the server certs I am checking are all 2048 bits. I thought I might be missing a module or something, but I am pretty sure I have all the prerequisites installed, including Digest::SHA, Digest::HMAC and IO::Socket::SSL. I'm kind of stuck. Has anyone ever had this problem before? I'm working with Perl 5.10 on SLES 11 SP1. My OpenSSL version is 0.9.8h.
Thanks very much,
Paul
start_tls is an extended operation on port 389 with an ldap:// URI; use port 636 and an ldaps:// URI instead.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 777...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Check the permissions and ownership of your certificates and the directory containing them. Also check that there are no typos in your capath.

I'm using start_tls without a problem. Here's an example of my code in a subroutine. Since I don't know if the server(s) in @servers are ldap://host.example.com or ldaps://host.example.com, I check the scheme and then start_tls if the server is of the form ldap://host.example.com.
Prentice
use strict;
use warnings;
use Net::LDAP;

sub ldap_connect
{
    my $description = $_[0];
    my $cacertfile  = $_[1];
    my $debug       = $_[2];
    my @servers     = @_[3 .. $#_];   # every remaining argument is a server URI
    my $ldap;
    my $mesg;
    my $scheme;
    my $code;
    my $error;
    if ($debug) {
        print "Connecting to $description\n";
    }
    # Pass the list as an array ref: Net::LDAP tries each URI in turn.
    # verify/cafile only matter here for ldaps:// URIs (the default is
    # verify => 'none'); for ldap:// URIs start_tls below supplies them.
    $ldap = Net::LDAP->new(\@servers,
                           verify => 'require',
                           cafile => $cacertfile);
    if ($ldap) {
        if ($debug) {
            print "Connected to $description\n";
        }
        $scheme = $ldap->scheme;
        # If scheme != 'ldaps', Start TLS. Fail if we can't.
        if ($scheme ne 'ldaps') {
            $mesg = $ldap->start_tls(verify => 'require',
                                     cafile => $cacertfile);
            $code = $mesg->code;
            if ($code == 0) {
                if ($debug) {
                    print "Started TLS on $description\n";
                }
            } else {
                $error = $mesg->error;
                print "$error\n";
                print "Error: Could not start TLS for $description\n";
                $ldap->unbind;
                return(undef);
            }
        } else {
            if ($debug) {
                print "TLS already started for $description\n";
            }
        }
        return($ldap);
    } else {
        print "Error: Could not connect to $description\n";
        return(undef);
    }
}
--
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ
> Hi, thanks for the info. I still have the same error with LDAPS
> instead of TLS. The behaviour is the same too, it works if I don't
> require verification, but fails if I do.
man s_client(1)
openssl s_client -connect ldaphost:636 -CAfile <path to CA> -showcerts
-Dieter
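The two replies boil down to checks on the trust store rather than on the LDAP code: is the CA actually findable in capath (OpenSSL looks up CAs in a directory only through <subject_hash>.N links, so a plain copy of the PEM file is ignored), is it readable by the user running the script, and does the chain verify at all. The error message itself, ASN1_item_verify reporting an unknown message digest, is what OpenSSL emits when the library doing the verification has not registered the digest named in the certificate's signature algorithm; the openssl command-line tool registers every algorithm on startup, which is why s_client can succeed where a library caller fails. The script below is added here as an illustration and is not code from the thread: it builds a throwaway CA and a SHA-512-signed server certificate in a temporary directory (the hostname ho.mydomain.com is taken from the question; all paths, the subject names and the 2048-bit key sizes are assumptions), then runs the capath, permission and chain checks with openssl.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA and a
# SHA-512-signed server certificate, then run the checks the replies
# suggest (signature digest, capath hash links, permissions, chain
# verification) without touching the real /etc/ssl/certs.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"          # stands in for capath => '/etc/ssl/certs/'
mkdir -p "$CAPATH"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName   = DNS:ho.mydomain.com
EOF

# Throwaway CA and server key/cert, both signed with SHA-512 as in the thread.
# (2048-bit keys here just to keep the run short; the key size is not the issue.)
openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha512 \
  -days 2 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha512 \
  -subj "/CN=ho.mydomain.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha512 -days 2 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

# Signature algorithm of a PEM certificate, e.g. sha512WithRSAEncryption.
# A verifier whose OpenSSL has not registered this digest fails with
# "unknown message digest algorithm" even when the chain is otherwise fine.
sig_alg() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Install a CA into a capath directory. OpenSSL finds CAs there only via
# <subject_hash>.N links, so a bare copy is silently ignored. OpenSSL 0.9.8
# uses the older hash scheme (openssl x509 -hash); run that build's c_rehash.
install_ca() {
  capath="$1"; ca="$2"
  cp "$ca" "$capath/ca.pem"
  chmod 0644 "$capath/ca.pem"          # readable by the unprivileged script
  hash="$(openssl x509 -noout -subject_hash -in "$ca")"
  ln -sf ca.pem "$capath/$hash.0"
}

# Exit status 0 if the cert chains to a CA found in capath, 1 otherwise.
verify_capath() {
  openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# A CA file that merely sits in the directory is not enough: without the
# hash link verification fails, which is what "check capath" means in practice.
cp "$WORK/ca.pem" "$CAPATH/ca.pem"
if verify_capath "$CAPATH" "$WORK/server.pem"; then
  echo "unexpected: chain verified without hash link"; exit 1
fi
install_ca "$CAPATH" "$WORK/ca.pem"
verify_capath "$CAPATH" "$WORK/server.pem" && echo "chain OK via $CAPATH"
echo "server cert signed with: $(sig_alg "$WORK/server.pem")"
echo "CA cert signed with:     $(sig_alg "$WORK/ca.pem")"
[ -r "$CAPATH/ca.pem" ] && echo "CA file readable by $(id -un)"
```

Run it as the same unprivileged user the Perl script runs as; the readability check is only meaningful then. Against the real server, the equivalent of the last step is Dieter's s_client command with -showcerts, followed by sig_alg on each certificate it prints to confirm which digest the chain actually uses.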