From: Bing Du <du...@mo...> - 2002-10-08 16:50:11
Thanks Chris. Actually I did try doing start_tls before bind after my first post. But it was not getting any better.

=====
#!/usr/local/bin/perl
use strict;
use warnings;
use Net::LDAP;

my $dn = "uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu, dc=edu";
my $pw = 'mypass';
my $ldap_server = 'operator.tamu.edu';

# Open a plain LDAPv3 connection (no TLS yet).
my $ldcon = Net::LDAP->new($ldap_server, version => 3) || die "Can't connect";

# Ask the server to switch this connection to TLS (RFC 2830 extended operation).
my $mesg = $ldcon->start_tls();
print "start_tls return code ", $mesg->code, "-", $mesg->error, "\n";

# Simple bind with the DN and password, after the TLS upgrade.
$mesg = $ldcon->bind(dn => $dn, password => $pw);
if ($mesg->code) {
    print $mesg->code, "-", $mesg->error, "\n";
} else {
    print "bind return code ", $mesg->code, "-", $mesg->error, "\n";
}
=====

The result was:

======
start_tls return code 1-Operations error
84-decode error 16<=>30 at /usr/local/perl/5.6.1/lib/site_perl/5.6.1/Convert/ASN1/_decode.pm line 108.
======

If I removed start_tls, bind was ok.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Chris Ridd wrote:

> On 8/10/02 3:40 pm, Bing Du <du...@mo...> wrote:
>
> > Now that Net::LDAPS works, does that mean our directory server supports
> > SSL but not necessarily supports TLS?
> >
> > From my understanding after reading the description of Net::LDAPS:
> >
> > "...
> > Note that the use of LDAPS is not recommended, because it is
> > not described by any IETF documents. Instead, you should
> > consider using LDAPv3 with the TLS extension defined in RFC
> > 2830. This will give you the same functionality as LDAPS,
> > but using recognized standards. See the start_tls entry in
> > the Net::LDAP manpage. ..."
> >
> > Start_tls should at least do what Net::LDAPS can do. Please correct me if
> > I'm wrong. Thanks.
>
> At the protocol level, they're rather different.
>
> StartTLS is an LDAPv3 extended operation that servers must explicitly
> support. Because you can issue StartTLS at an arbitrary point in your
> connection to the server, it isn't the same as making an SSL connection to a
> given port.
>
> Now one thing I noticed from your original snippet is:
>
> > my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";
> > my $mesg = $ldcon->bind(dn => $dn,password => $pw);
> > $mesg = $ldcon->start_tls();
> > print "start_tls: ",$mesg->error,"\n";
>
> It is unusual to do the bind in the clear, and then turn on TLS afterwards.
> That might be what you wanted, but normally you'd turn on TLS before issuing
> any bind. That would be more similar to just making an LDAPS connection,
> though incurring the extra overhead of the extended operation and result.
>
> The second oddity is that you're not waiting for the bind to succeed. Try
> checking for that before you call start_tls. Maybe there's an issue with
> there being outstanding results on the socket when we try switching it, so
> waiting for the bind result should address that.
>
> Cheers,
>
> Chris
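The ordering Chris describes (StartTLS first, then bind, and check each result before the next operation) written out as a complete Net::LDAP script. This is an added example, not code from either poster: the host, CA file, DN and environment variable are placeholders, and it does not address the Convert::ASN1 decode error from the thread. It adds two things the snippets above do not have: it passes verify => 'require' and a CA file to start_tls so an unverifiable server certificate is rejected, and it fails closed, never sending the password if the TLS upgrade did not succeed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): StartTLS first, then bind, failing
# closed if the TLS upgrade fails so the password never goes over the wire
# in the clear. Host, CA file, DN and env var below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $ldap_server = 'ldap.example.org';                   # placeholder host
my $cafile      = '/etc/ssl/certs/example-ca.pem';      # placeholder CA bundle
my $dn          = 'uid=someuser,ou=People,dc=example,dc=org'; # placeholder DN
my $pw          = $ENV{LDAP_PASSWORD} or die "set LDAP_PASSWORD in the environment\n";

# Plain LDAPv3 connection; Net::LDAP->new leaves the reason in $@ on failure.
my $ldap = Net::LDAP->new($ldap_server, version => 3)
    or die "Can't connect to $ldap_server: $@\n";

# Step 1: upgrade the connection with the RFC 2830 StartTLS extended
# operation. verify => 'require' makes the TLS layer reject a server
# certificate that does not chain to $cafile instead of continuing silently.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
if ($mesg->code != LDAP_SUCCESS) {
    # Do not fall back to a clear-text bind; drop the connection instead.
    $ldap->unbind;
    die sprintf "start_tls failed: %d - %s\n", $mesg->code, $mesg->error;
}
printf "TLS established, cipher: %s\n", ($ldap->cipher || 'unknown');

# Step 2: only now send the simple bind, and wait for its result before
# issuing anything else on this connection.
$mesg = $ldap->bind($dn, password => $pw);
if ($mesg->code != LDAP_SUCCESS) {
    $ldap->unbind;
    die sprintf "bind failed: %d - %s\n", $mesg->code, $mesg->error;
}
print "bind ok\n";

# ... searches or modifies would go here, over the protected connection ...

$ldap->unbind;
```

Each Net::LDAP call returns a Net::LDAP::Message whose code is 0 (LDAP_SUCCESS) on success; reading that code after start_tls and again after bind is what keeps a failed TLS upgrade from quietly turning into a clear-text password exchange. The cipher method is only meaningful once the socket has been switched to TLS, which is why it is queried after the start_tls result has been checked.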