From: Michael M. <mmn...@gm...> - 2002-11-11 16:14:40
> Hi!
>
> I have a question concerning start_tls.
> When I use verify=>'required' and my LDAP Server does not know the start_tls
> extension, it sends me an "unsupported extended operation" error as
> LDAPResult with error number 2 (at least Sun DirServ and OpenLDAP do). As
> far as I understood, in this case the following search request should not be
> started, but it looks like the resultCode 2 is treated as success.
> By the way, shouldn't an unsupported extension result in a resultCode of
> 12?
>
> Here is my code:
>
> use Net::LDAP;
> $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
> $ldap->debug(12);
> $ldap->start_tls(verify => 'required', cafile => 'somefile') or die "$@";
> ...
>
> And here is the response to my start_tls from debug:
>
> 42: SEQUENCE {
>  1:   INTEGER = 1
> 37:   [APPLICATION 24] {
>  1:     ENUM = 2
>  0:     STRING = ''
> 30:     STRING = 'unsupported extended operation'
>   :   }
>   : }
>
> Thanks!
> Florian

The start_tls code returns (should return!) an error whenever the result
message it got back has a non-zero code value ("return $mesg if $mesg->code").
Is this not happening?

According to RFC 2252, if the server doesn't recognize the request name, it
MUST return a protocol error. Unavailable critical extension is reserved for
LDAP controls which are marked as critical but which the server doesn't
recognize (or is unwilling to obey for whatever reason). So I'd say the
server's returning the right sort of result iff we're screwing up the initial
extended operation. What does that look like if you turn on debugging?

Also check you've got the latest & greatest version of LDAP.pm, as some bugs
crept in to start_tls which have only recently been fixed.

Cheers,
Chris

I'm using perl-ldap 0.26; the LDAP.pm file says something about version 1.10.

The LDAP Server does return a protocol error, I posted the error code above.
It's error code "2", which is called "protocolError" in RFC 2252.
Here is my whole program and the complete debug:

use Net::LDAP;

$ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
$ldap->debug(12);
$ldap->start_tls(verify => 'required', cafile => '/somefile.pem') or die "$@";
$ldap->bind(dn => "uid=flh,ou=MV,ou=People,o=architur", password => "test");

$mesg = $ldap->search(                  # perform a search
    base      => "o=architur",
    filter    => "(&(sn=aName) (givenname=Florian))",
    attrs     => ['cn ', 'uid '],
    timelimit => "10"
);
if ($mesg->code) { die $mesg->error; }

foreach $entry ($mesg->all_entries) {
    $entry->dump;
}

$ldap->unbind;                          # take down session


Net::LDAP=HASH(0x80f46b0) sending:

0000   29: SEQUENCE {
0002    1:   INTEGER = 1
0005   24:   [APPLICATION 23] {
0007   22:     [CONTEXT 0]
0009     :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
0019     :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
001F     :   }
001F     : }

Net::LDAP=HASH(0x80f46b0) received:

0000   42: SEQUENCE {
0002    1:   INTEGER = 1
0005   37:   [APPLICATION 24] {
0007    1:     ENUM = 2
000A    0:     STRING = ''
000C   30:     STRING = 'unsupported extended operation'
002C     :   }
002C     : }

Net::LDAP=HASH(0x80f46b0) sending:

0000   50: SEQUENCE {
0002    1:   INTEGER = 2
0005   45:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   34:     STRING = 'uid=flh,ou=MV,ou=People,o=architur'
002E    4:     [CONTEXT 0]
0030     :       74 65 73 74 __ __ __ __ __ __ __ __ __ __ __ __ test
0034     :   }
0034     : }

Net::LDAP=HASH(0x80f46b0) received:

0000   12: SEQUENCE {
0002    1:   INTEGER = 2
0005    7:   [APPLICATION 1] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }

Net::LDAP=HASH(0x80f46b0) sending:

0000   86: SEQUENCE {
0002    1:   INTEGER = 3
0005   81:   [APPLICATION 3] {
0007   10:     STRING = 'o=architur'
0013    1:     ENUM = 2
0016    1:     ENUM = 2
0019    1:     INTEGER = 0
001C    1:     INTEGER = 10
001F    1:     BOOLEAN = FALSE
0022   39:     [CONTEXT 0] {
0024   15:       [CONTEXT 3] {
0026    2:         STRING = 'sn'
002A    9:         STRING = 'aName'
0035     :       }
0035   20:       [CONTEXT 3] {
0037    9:         STRING = 'givenname'
0042    7:         STRING = 'Florian'
004B     :       }
004B     :     }
004B   11:     SEQUENCE {
004D    3:       STRING = 'cn '
0052    4:       STRING = 'uid '
0058     :     }
0058     :   }
0058     : }

Net::LDAP=HASH(0x80f46b0) received:

0000   86: SEQUENCE {
0002    1:   INTEGER = 3
0005   81:   [APPLICATION 4] {
0007   34:     STRING = 'uid=flh,ou=MV,ou=People,o=architur'
002B   43:     SEQUENCE {
002D   26:       SEQUENCE {
002F    3:         STRING = 'cn '
0034   19:         SET {
0036   17:           STRING = 'Florian aName'
0049     :         }
0049     :       }
0049   13:       SEQUENCE {
004B    4:         STRING = 'uid '
0051    5:         SET {
0053    3:           STRING = 'flh'
0058     :         }
0058     :       }
0058     :     }
0058     :   }
0058     : }

Net::LDAP=HASH(0x80f46b0) received:

0000   12: SEQUENCE {
0002    1:   INTEGER = 3
0005    7:   [APPLICATION 5] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }

Net::LDAP=HASH(0x80f46b0) sending:

0000    5: SEQUENCE {
0002    1:   INTEGER = 4
0005    0:   [APPLICATION 2]
0007     : }
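A defensive version of the posted program, added here as an illustration rather than taken from the thread or from perl-ldap itself. Net::LDAP methods such as start_tls return a Net::LDAP::Message object, which is always a true value, so the original `start_tls(...) or die "$@"` can never fire on a protocolError; the debug dump above then shows the bind password "test" (bytes 74 65 73 74) leaving the client unencrypted. The host, port, CA file, DN and password below are placeholders, and the root DSE pre-check uses the StartTLS OID 1.3.6.1.4.1.1466.20037 seen in the dump.

```perl
use strict;
use warnings;
use Net::LDAP;

# Placeholder connection details; replace for your environment.
my $ldap = Net::LDAP->new('localhost', version => 3, port => 389)
    or die "connect failed: $@";

# Optional pre-check: the root DSE advertises StartTLS under the OID
# 1.3.6.1.4.1.1466.20037. root_dse() and supported_extension() are the
# current Net::LDAP::RootDSE API (assumed here, not used in the thread).
my $dse = $ldap->root_dse;
die "server does not advertise StartTLS; refusing to send credentials in clear\n"
    unless $dse && $dse->supported_extension('1.3.6.1.4.1.1466.20037');

# start_tls() returns a Net::LDAP::Message object. The object itself is
# always true, so "start_tls(...) or die" cannot detect failure; the
# result code carried in the message must be checked explicitly.
# 'require' is the verify value name in current Net::LDAP documentation.
my $mesg = $ldap->start_tls(verify => 'require', cafile => '/somefile.pem');
die sprintf("StartTLS failed (code %d: %s); not binding over cleartext\n",
            $mesg->code, $mesg->error)
    if $mesg->code;

# Only after a successful StartTLS is it safe to send a password.
$mesg = $ldap->bind(dn => 'uid=placeholder,o=placeholder', password => 'placeholder');
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(base => 'o=placeholder', filter => '(uid=placeholder)');
die "search failed: " . $mesg->error . "\n" if $mesg->code;
$_->dump for $mesg->all_entries;

$ldap->unbind;
```

The same "check $mesg->code, not the return value's truthiness" rule applies to bind and search; the original program only applied it to search.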