
Q: LDAP - perl script using Net::LDAP and start_tls gives an error


Snow Leopard

Apr 13, 2014, 1:50:02 PM
Hi,

I am trying to write a Perl script with the Net::LDAP module and the
start_tls command, and have stumbled on a problem.

I would appreciate it if somebody could point me to "the source of the
problem".

If there is a better place to get assistance in resolving the problem,
please indicate it in your reply.

Thank you in advance,

Andrew


OS           wheezy
slapd        2.4.31-1+nmu2
gnutls-bin   3.0.22-3+really2.12.20-8+deb7u1
cacert       /etc/ssl/certs/cacert.pem                 -rw-r--r-- 1 openldap openldap
             /etc/ssl/certs/04a8f1dd.0 -> cacert.pem   lrwxrwxrwx 1 root     root
server-key   /etc/ssl/private/server-key.pem           -rw------- 1 openldap openldap
server-cert  /etc/ssl/certs/server-cert.pem            -rw-r--r-- 1 openldap openldap

------- Begin of ldap_sec.pl ------------------------------
#!/usr/bin/perl
use strict;
use warnings;

use Net::LDAP;
#use Net::LDAP::Util qw(ldap_error_text);
use Data::Dumper;

my $server = 'install.myclub.com'; #'localhost';
my $base   = 'dc=myclub,dc=com';
my $scope  = 'sub';
my $filter = '(objectClass=*)';

my $ldap = Net::LDAP->new( $server ) or die "$@";

# Upgrade the plain connection to TLS before any bind is sent.
# verify => 'none' accepts whatever certificate the server presents;
# 'optional' or 'require' make Net::LDAP check it against capath/cafile.
my $mesg = $ldap->start_tls(
    verify     => 'none',                   # none, optional, require
    clientcert => 'certs/client-cert.pem',
    clientkey  => 'certs/client-key.pem',
    keydecrypt => sub { 'secret' },         # passphrase of the client key
    capath     => '/etc/ssl/certs/',        # CA certs under their hash names (xxxxxxxx.0)
);
$mesg->code && die "start_tls failed: " . $mesg->error . "\n";
#print Dumper($mesg); exit 0;

# Anonymous LDAPv3 bind. bind() always returns a Net::LDAP::Message,
# so its result must be checked with code(); "|| die" never fires.
$mesg = $ldap->bind( version => 3 );
$mesg->code && die "Could not bind: " . $mesg->error . "\n";

$mesg = $ldap->search(
    base   => $base,
    scope  => $scope,
    filter => $filter,
);
#print Dumper($mesg);

if ( $mesg->code ) {
    die "An error occurred searching the LDAP server: "
        . $mesg->error . "\n";
}

foreach my $entry ( $mesg->entries ) {
    $entry->dump;
}

$mesg = $ldap->unbind;
------- End of ldap_sec.pl ---------------------------------


If the script is run as embedded above, it produces the correct output:


root@install:~/prog# ./ldap_sec.pl
------------------------------------------------------------------------
dn:dc=myclub,dc=com

objectClass: top
dcObject
organization
o: myclub.com
dc: myclub
------------------------------------------------------------------------
dn:cn=admin,dc=myclub,dc=com

objectClass: simpleSecurityObject
organizationalRole
cn: admin
description: LDAP administrator
root@install:~/prog#


If I change the "verify => none" option in the start_tls command to
'optional' or 'required', I get the following error message:


root@install:~/prog# ./ldap_sec.pl
SSL connect attempt failed with unknown error error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
./ldap_sec.pl line 25, <DATA> line 751.
root@install:~/prog#


Otherwise, the LDAP server allows binding and retrieving information from
the command line:


root@install:~/prog# ldapsearch -ZZ -H ldap:/// -W -D 'cn=admin,dc=myclub,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=myclub,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# myclub.com
dn: dc=myclub,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myclub.com
dc: myclub

# admin, myclub.com
dn: cn=admin,dc=myclub,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: {encrypted_password} ### password removed

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
root@install:~/prog#


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: https://lists.debian.org/534ACD33...@gmail.com

Atle Solbakken

Apr 13, 2014, 4:20:02 PM

> If I change the "verify => none" option in the start_tls command to
> 'optional' or 'required', I get the following error message
>
>
> root@install:~/prog# ./ldap_sec.pl
> SSL connect attempt failed with unknown error error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
> ./ldap_sec.pl line 25, <DATA> line 751.
> root@install:~/prog#
>
>

It seems to me that the "verify"-option tells Net::LDAP whether it
should verify that the certificate the server you are connecting to is
using has been signed by a known certificate authority (listed in
/etc/ssl/certs).

start_tls will fail if the server does not provide any certificate, or
if the certificate is not signed by a CA (ref
http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod ).

Atle.


Archive: https://lists.debian.org/534AE8D2...@goliathdns.no

Snow Leopard

Apr 13, 2014, 4:50:02 PM
Hi Atle,

In my case I am the certificate authority (self-signed certificate), and I issue a private key and certificate for the root CA (cacert.pem) as well as for the LDAP server (server-key.pem and server-cert.pem) and for the Perl script LDAP client (client-key.pem and client-cert.pem).

The script and client run on the same computer (for the moment). The LDAP server private key (private/server-key.pem) and certificate (certs/server-cert.pem) are located under the /etc/ssl/ directory. The CA root certificate (certs/cacert.pem) is located in the /etc/ssl/certs directory, and, as recommended, I created a certificate link named using the hash value

URL: https://metacpan.org/pod/Net::LDAP#start_tls

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

The client (Perl script) references the client's key/cert in the script; they are stored in the sub-directory 'certs' below the directory where the script is located (certs/client-key.pem and certs/client-cert.pem).

At the moment I do not fully grasp why verification of the server certificate fails.

I welcome any ideas on how to fix it.

NOTE: It is my first attempt at programming with Net::LDAP and start_tls. I am in the process of learning how it works and how to program LDAP over TLS in Perl.

Thanks for any input,

Andrew
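The verification Atle describes and the hash-named link Andrew created can be exercised without a running slapd. The shell script below is an added example, not code from the thread or from Net::LDAP: it generates a throwaway CA and server certificate with openssl (assumed to be OpenSSL 1.1.1 or later on PATH), lays out a capath directory as in the posts, and runs `openssl verify -CApath`, which is the same CA-directory lookup OpenSSL performs for a client that requests verification (Net::LDAP hands its `capath` option to OpenSSL as the CA directory). A host name check is included because a verifying client performs one as well. The subjects, host names and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. It rebuilds the layout described
# above with throwaway keys (a self-signed CA cacert.pem, a server certificate
# signed by it, a capath directory with the hash-named link) and runs the
# chain check OpenSSL performs when a client asks for verification. All
# subjects, host names and paths here are constructed for the demo.

set -u

# Minimal openssl.cnf so the demo does not depend on the system config
# (OpenSSL 1.1.1 insists on a distinguished_name section even with -subj).
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# Self-signed CA key + certificate. CA:TRUE is not optional: without it
# OpenSSL rejects a v3 root with "invalid CA certificate".
make_ca() {                              # make_ca <pki-dir>
    mkdir -p "$1/certs" "$1/private"
    write_req_config "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=myclub.com/CN=myclub demo CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1/private/cakey.pem" -out "$1/certs/cacert.pem" 2>/dev/null
}

# Server key + certificate signed by the CA in the same pki-dir, with a
# SAN for the name the client will connect to.
make_server_cert() {                     # make_server_cert <pki-dir> <hostname>
    write_req_config "$1/req.cnf"
    openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" \
        -keyout "$1/private/server-key.pem" -out "$1/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
    openssl x509 -req -days 30 -in "$1/server.csr" \
        -CA "$1/certs/cacert.pem" -CAkey "$1/private/cakey.pem" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/certs/server-cert.pem" 2>/dev/null
}

# A server certificate that is self-signed instead of CA-issued: exactly the
# kind of certificate that makes verify => 'require' fail.
make_selfsigned_server_cert() {          # make_selfsigned_server_cert <dir> <hostname>
    mkdir -p "$1"
    write_req_config "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server-key.pem" -out "$1/server-cert.pem" 2>/dev/null
}

# OpenSSL finds a CA in a capath by <subject hash>.<n>, so the file name is
# what matters. This is the "ln -s cacert.pem `openssl x509 -hash ...`.0"
# step from the thread (openssl rehash / c_rehash does it for a whole dir).
add_hash_link() {                        # add_hash_link <capath> <file-in-capath>
    ln -sf "$2" "$1/$(openssl x509 -hash -noout -in "$1/$2").0"
}

# The check a verifying client performs: chain to a CA found in capath only,
# plus the host name against the certificate. Prints ok or fail.
verify_chain() {                         # verify_chain <capath> <cert> <hostname>
    if openssl verify -no-CAfile -CApath "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Builds everything and prints the four outcomes on one line.
demo() {
    work=$(mktemp -d)
    pki="$work/pki"; self="$work/selfsigned"; capath="$work/capath"
    mkdir -p "$capath"
    make_ca "$pki"
    make_server_cert "$pki" install.myclub.com
    make_selfsigned_server_cert "$self" install.myclub.com

    # 1. CA file present in capath but not under its hash name: not found.
    cp "$pki/certs/cacert.pem" "$capath/cacert.pem"
    r1=$(verify_chain "$capath" "$pki/certs/server-cert.pem" install.myclub.com)
    # 2. Hash link added: the CA-signed server certificate verifies.
    add_hash_link "$capath" cacert.pem
    r2=$(verify_chain "$capath" "$pki/certs/server-cert.pem" install.myclub.com)
    # 3. Self-signed server certificate: no path to the trusted CA.
    r3=$(verify_chain "$capath" "$self/server-cert.pem" install.myclub.com)
    # 4. Right chain, wrong host name: still rejected.
    r4=$(verify_chain "$capath" "$pki/certs/server-cert.pem" other.myclub.com)

    rm -rf "$work"
    echo "no-link:$r1 with-link:$r2 self-signed:$r3 wrong-host:$r4"
}

demo
```

The four outcomes are the cases worth checking on the real box: a CA certificate that sits in /etc/ssl/certs under a non-hash name is not found by the capath lookup; once the hash-named link exists, a server certificate signed by that CA verifies; a self-signed server certificate, or one signed by a different CA than cacert.pem, never will; and a certificate whose CN/SAN does not match the name the client connects to is rejected by the host name check. Against the real files, `openssl verify -CApath /etc/ssl/certs /etc/ssl/certs/server-cert.pem` gives the verdict directly, and passing `cafile => '/etc/ssl/certs/cacert.pem'` to start_tls sidesteps the hash-name dependency altogether. The successful `ldapsearch -ZZ` run does not settle the question: the OpenLDAP client library takes its trust settings from ldap.conf (TLS_CACERT, TLS_REQCERT), not from the capath that Net::LDAP uses.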

Ric Moore

Apr 13, 2014, 5:00:01 PM
I think it would be better if there was an easier way. Especially for
older non-elastic brains. :) Ric



--

My father, Victor Moore (Vic) used to say:

"There are two Great Sins in the world...

..the Sin of Ignorance, and the Sin of Stupidity.

Only the former may be overcome." R.I.P. Dad.

https://linuxcounter.net/cert/44256.png

X-oldie-warning: Toothless but still vicious



Archive: https://lists.debian.org/534AFA9B...@gmail.com