ssl/tls troubles

[Natxo Asenjo]

hi,

in my host (fedora 20)I have imported the root CA certificate of our corporate AD domain. Using ldapsearch it works, and visiting secure sites signed by that CA are verified.

But I do not exactly know hot to tell my script how to do the same.

This is it:

use Net::LDAP;
use Data::Dumper;

my $ldap = Net::LDAP->new( 'd01.domain.tldl' ) or die "$@";

my $mesg = $ldap->start_tls(
    verify => 'require',
    capath => '/etc/ssl/certs/',
    sslversion => 'tlsv1',
);

print Dumper $mesg;

$mesg =$ldap->bind (

    "user",

     password    => 'pwd',
     version     => 3,
);

my $search = $mesg->search(
                        base    => "dc=domain,dc=tld",
                        scope   => "sub",
                        filter  => "(samaccountname=*)",
                        attr    => ['samaccountname'],
                    );

$mesg->code ;

for my $entry ( $mesg->entries) {
    print $entry->get_value( 'samaccountname'), "\n";;
}

$ldap->unbind;

$ perl department.pl
$VAR1 = bless( {
                 'responseName' => '1.3.6.1.4.1.1466.20037',
                 'matchedDN' => '',
                 'raw' => undef,
                 'mesgid' => 1,
                 'ctrl_hash' => undef,
                 'callback' => undef,
                 'controls' => undef,
                 'resultCode' => 1,
                 'parent' => bless( {
                                      'net_ldap_rawsocket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' ),
                                      'net_ldap_debug' => 0,
                                      'net_ldap_mesg' => {},
                                      'net_ldap_host' => 'dc01.domain.tld',
                                      'net_ldap_port' => 389,
                                      'net_ldap_async' => 0,
                                      'net_ldap_uri' => 'dc01.domain.tld',
                                      'net_ldap_socket' => $VAR1->{'parent'}{'net_ldap_rawsocket'},
                                      'net_ldap_resp' => {},
                                      'net_ldap_scheme' => 'ldap',
                                      'net_ldap_version' => 3,
                                      'net_ldap_refcnt' => 1
                                    }, 'Net::LDAP' ),
                 'errorMessage' => 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
               }, 'Net::LDAP::Extension' );
Can't locate object method "search" via package "Net::LDAP::Bind" at department.pl line 43, <DATA> line 751.

So it clearly does not trust the certificate. The certificate is in /etc/ssl/certs/ca-bundle.trust.crt.

Any tips greatyl appreciated.

--
Groeten,
natxo

[Natxo Asenjo]

ok, solved. I removed the capath and it works. It finds the certificate automatically.

Apologies for the noise.

--
Groeten,
natxo

[Natxo Asenjo]

Hi Daniel,

On Thu, Sep 11, 2014 at 8:57 PM, Daniel Stutz <dst...@use-strict.net> wrote:

Did you try the ‚cafile‘ option of start_tls?

http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod#start_tls

Yes, I tried that as well, but it did not work either. But apparently the module is smart enough to look into the default paths for openssl and if the cert is in there, you need nothing else but verify => 'require' when using the start_tls method. I tried removing the cert from there and the script croaked inmediately. And wireshark showed that everything was nicely encrypted.

Thanks!

--

groet,
natxo

[Daniel Stutz]

Did you try the ‚cafile‘ option of start_tls?

http://search.cpan.org/~marschap/perl-ldap/lib/Net/LDAP.pod#start_tls

Regards,

Daniel