From: Chris R. <chr...@me...> - 2001-07-05 18:59:55
Graham Barr <gb...@po...> wrote:
> On Wed, Jul 04, 2001 at 10:35:11AM +0100, Graham Barr wrote:
>> On Wed, Jul 04, 2001 at 10:26:50AM +0100, Chris Ridd wrote:
>> > Graham Barr <gb...@po...> wrote:
>> > > On Wed, Jul 04, 2001 at 09:58:37AM +0100, Chris Ridd wrote:
>> > >> Graham Barr <gb...@po...> wrote:
>> > >> > On Wed, Jul 04, 2001 at 09:12:01AM +0100, Chris Ridd wrote:
>> > >> IIRC, IO::Socket::SSL needs to support send() and recv(), which I
>> > >> imagined would mean it (and by extension Net::SSLeay) needed
>> > >> rewriting to use openssl's non-blocking I/O.
>> > >
>> > > Is this because Net::LDAP currently uses send() and recv() ?
>> >
>> > Yes. I thought it was doing that in case we wanted to support CLDAP (a
>> > version of LDAP over UDP) at some point.
>>
>> There are always other ways to solve that. And right now I would
>> rather support LDAPS than CLDAP
>>
>> > > Is the Net::LDAPS in CVS up to date ?
>> >
>> > Yes.
>>
>> OK, I will make the changes.
>
> OK, I have committed the changes to CVS, please check that I have not
> broken Net::LDAPS

Minor damage: you need to create an IO::Socket::SSL instead of an
IO::Socket::INET in the new _connect method in LDAPS.pm :-)

> It seems to me we can add this to Net::LDAP
>
> sub start_tls {
>   my $ldap = shift;
>
>   require IO::Socket::SSL;
>   IO::Socket::SSL::startTLS($ldap->socket);
> }
>
> yes ?
>
>
> Graham.

Not quite.
You need to issue an extended LDAP operation to indicate you're going to
start the TLS handshake, so it needs to be something like this:

    sub startTLS {
      my $ldap = shift;
      my $args = &_options;

      if ($ldap->version < 3) {
        require Carp;
        Carp::croak("StartTLS not supported before LDAPv3");
      }

      # Send the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037)
      # and wait for the server's extended response before touching the
      # socket at all.
      require Net::LDAP::Extension;
      my $mesg = Net::LDAP::Extension->new($ldap);
      $mesg->encode(
        extendedReq => {
          requestName => "1.3.6.1.4.1.1466.20037",
        }
      );
      $ldap->_sendmesg($mesg);
      $mesg->sync();

      if ($mesg->code) {
        require Carp;
        # report the server's errorMessage ($@ is not set by a failed op)
        Carp::croak("LDAP_OPERATIONS_ERROR " . $mesg->error);
      }

      # Only now upgrade the existing connection to SSL, in place.
      require IO::Socket::SSL;
      IO::Socket::SSL::context_init($args);
      IO::Socket::SSL::socketToSSL($ldap->socket);
    }

*However* that returns an I/O error when you next try to call _sendmesg
on the socket, even though the socket looks OK:

    DB<1> x $ldap->socket
    0  IO::Socket::SSL=GLOB(0x866b998)
       -> *Symbol::GEN0
          FileHandle({*Symbol::GEN0}) => fileno(3)

... same fd as before the socketToSSL, which is good.

The mechanism to select the ciphers and verify mode etc. needs some
improvement too - perhaps the logic in Net::LDAPS to set this stuff
should go into LDAP.pm

I'm not sure calling context_init() is the right thing to do here
either; it looks awfully 'global' in scope.

We should also override startTLS in LDAPS to prevent someone from
calling it on an LDAPS socket :-)

Cheers,

Chris
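As an added illustration of the exchange the message above describes (this is not code from the thread or from Net::LDAP, and it is written in Python rather than Perl so it can run stand-alone), here is the StartTLS extended operation at the BER level: the extendedReq carrying the OID 1.3.6.1.4.1.1466.20037, the server's extendedResp, and the one decision that matters for security, which is that the plaintext socket is only handed to TLS after a reply with the matching messageID and resultCode success. The server replies are constructed by hand for the demonstration; the message ID of 1 and the send_and_receive stub standing in for the socket are assumptions.

```python
"""
StartTLS extended operation (LDAPv3, RFC 4511 section 4.14) at the BER level.

Added example for this thread: not Net::LDAP code. It builds the
extendedReq, parses the server's extendedResp, and decides whether
wrapping the connection in TLS is permitted. All server replies below
are constructed locally; no network is used.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # requestName used in the thread

# protocolOp tags: [APPLICATION 23] ExtendedRequest, [APPLICATION 24] ExtendedResponse
TAG_EXTENDED_REQ = 0x40 | 0x20 | 23      # 0x77, constructed
TAG_EXTENDED_RESP = 0x40 | 0x20 | 24     # 0x78, constructed
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_REQUEST_NAME = 0x80                  # [0] IMPLICIT LDAPOID (primitive)
TAG_RESPONSE_NAME = 0x8A                 # [10] IMPLICIT LDAPOID (primitive)
LDAP_SUCCESS = 0


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement INTEGER (or ENUMERATED when tag says so)."""
    length = max(1, (n.bit_length() + 8) // 8)   # +8 leaves room for the sign bit
    return tlv(tag, n.to_bytes(length, "big", signed=True))


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }."""
    ext = tlv(TAG_EXTENDED_REQ, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + ext)


def build_extended_response(message_id: int, result_code: int,
                            error_message: str = "", response_name=STARTTLS_OID) -> bytes:
    """Constructed server reply (LDAPResult fields, then optional responseName)."""
    body = (ber_integer(result_code, TAG_ENUMERATED)
            + tlv(TAG_OCTET_STRING, b"")                             # matchedDN
            + tlv(TAG_OCTET_STRING, error_message.encode("utf-8")))  # errorMessage
    if response_name is not None:
        body += tlv(TAG_RESPONSE_NAME, response_name.encode("ascii"))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_EXTENDED_RESP, body))


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated BER")
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        if pos + 2 + n > len(buf):
            raise ValueError("truncated BER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[start:end], end


def parse_extended_response(buf: bytes) -> dict:
    """Strictly parse one LDAPMessage that must be an extendedResp."""
    tag, msg, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESP:
        raise ValueError("protocolOp is not extendedResp (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    _, matched_dn, pos = read_tlv(op, pos)
    _, error_message, pos = read_tlv(op, pos)
    response_name = None
    while pos < len(op):                       # optional referral / responseName / response
        tag, value, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = value.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched_dn.decode("utf-8"),
            "error_message": error_message.decode("utf-8"),
            "response_name": response_name}


def starttls_accepted(request_id: int, response: bytes) -> bool:
    """True only for a well-formed reply to *our* request carrying success.
    Anything else (error code, wrong ID, garbage) must leave the socket in
    cleartext and be reported; never wrap it in TLS on a failed reply."""
    try:
        r = parse_extended_response(response)
    except ValueError:
        return False
    return r["message_id"] == request_id and r["result_code"] == LDAP_SUCCESS


def negotiate_starttls(ldap_version: int, send_and_receive, message_id: int = 1) -> bool:
    """Driver shaped like the startTLS() sketched in the thread: refuse below
    LDAPv3, send the extendedReq, and report success only on a clean reply.
    send_and_receive(request_bytes) -> response_bytes stands in for the socket."""
    if ldap_version < 3:
        raise ValueError("StartTLS not supported before LDAPv3")
    return starttls_accepted(message_id, send_and_receive(build_starttls_request(message_id)))


if __name__ == "__main__":
    fake_server = lambda req: build_extended_response(1, LDAP_SUCCESS)   # constructed reply
    print(build_starttls_request(1).hex())
    print("StartTLS accepted:", negotiate_starttls(3, fake_server))
```

The request bytes this produces are the ones you will see at the start of any StartTLS capture: 30 1d 02 01 01 77 18 80 16 followed by the OID as ASCII. The parser deliberately refuses indefinite lengths and trailing bytes, and the acceptance check refuses a reply whose messageID does not match, so a server (or an attacker on the path) cannot get the client to upgrade, or to skip upgrading, with a response it did not ask for.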