From: Sean E. <Sea...@by...> - 2002-03-06 15:14:23
First, let me say I'm not a very good perl programmer so my code may look
like a hack, but I have a project that I'm working on that I can't quite
figure out. I'm trying to make a web page where people can set their
Active Directory password. I am using a Linux box to run my perl script
on. I've tried using Net::LDAPS but every time it gets to that line in
the script (the one where I do $ldaps = new Net::LDAPS etc), it says
file not found. This doesn't make any sense to me because LDAPS.pm is in
the same place as LDAP.pm and it works fine. Here is the code I've been
trying:

#!/usr/bin/perl -w
local $^W = 0;
no strict;
require Net::SSLeay;
Net::SSLeay::randomize('/dev/urandom');
require Net::LDAPS;

$ldap = new Net::LDAPS('ldapserver',
                       verify   => 'require',
                       certpath => '/home/sean/mycert.cer',
                       port     => 636) or die $!;

The only thing I can find is that LDAP.pm is in two places:

/usr/lib/perl5/site_perl/5.005/Net/LDAP.pm
/usr/lib/perl5/site_perl/5.005/Bundle/Net/LDAP.pm

While LDAPS.pm is only in one:

/usr/lib/perl5/site_perl/5.005/Net/LDAPS.pm

I doubt this is the problem, though, because if I change it from
Net::LDAPS to Net::LDPS (just to see) it gives me a different error.
Also, I exported the certificate from the Win2K server and I'm pointed
to it in the code above. Is that the right thing to do? Do I need to do
that at all?

I've used Net::LDAP quite a bit, but never Net::LDAPS. Can anyone help
me?

Sean Eckton
Brigham Young University
From: Chris R. <chr...@me...> - 2002-03-06 15:55:41
Sean Eckton <Sea...@by...> wrote:

> First, let me say I'm not a very good perl programmer so my code may
> look like a hack, but I have a project that I'm working on that I can't
> quite figure out. I'm trying to make a web page where people can set
> their Active Directory password. I am using a Linux box to run my perl
> script on. I've tried using Net::LDAPS but every time it gets to that
> line in the script (the one where I do $ldaps = new Net::LDAPS etc), it
> says file not found. This doesn't make any sense to me because LDAPS.pm
> is in the same place as LDAP.pm and it works fine. Here is the code
> I've been trying:
>
> #!/usr/bin/perl -w
> local $^W = 0;
> no strict;
> require Net::SSLeay;
> Net::SSLeay::randomize('/dev/urandom');
> require Net::LDAPS;
>
> $ldap = new Net::LDAPS('ldapserver',
>                        verify   => 'require',
>                        certpath => '/home/sean/mycert.cer',
>                        port     => 636) or die $!;
>
> The only thing I can find is that LDAP.pm is in two places:
>
> /usr/lib/perl5/site_perl/5.005/Net/LDAP.pm
> /usr/lib/perl5/site_perl/5.005/Bundle/Net/LDAP.pm
>
> While LDAPS.pm is only in one:
>
> /usr/lib/perl5/site_perl/5.005/Net/LDAPS.pm
>
> I doubt this is the problem, though, because if I change it from
> Net::LDAPS to Net::LDPS (just to see) it gives me a different error.
> Also, I exported the certificate from the Win2K server and I'm pointed
> to it in the code above. Is that the right thing to do? Do I need to
> do that at all?
>
> I've used Net::LDAP quite a bit, but never Net::LDAPS. Can anyone help
> me?
>
> Sean Eckton
> Brigham Young University

The stuff from 'local $^W = 0;' to 'require Net::LDAPS;' is only needed
to avoid some annoying bugs in old versions of Net::SSLeay. Nowadays, you
should just be able to say 'use Net::LDAPS;'. In fact, your
'local $^W = 0;' line is turning off warnings in the entire script, which
probably isn't helpful.

The "file not found" error might be referring to your certificate - it
may be in the wrong format or something.

Try commenting out the two lines:

    verify   => 'require',
    certpath => '/home/sean/mycert.cer',

and see if that makes a difference. It will mean that the connection
won't be as secure (because you're not verifying the server you're
talking to) but it'll give us more clues about what's failing.

What's the exact error message that gets reported?

Cheers,

Chris
From: Norbert K. <nor...@da...> - 2002-03-06 23:50:45
--On Wednesday, 6 March 2002 15:55 +0000 Chris Ridd
<chr...@me...> wrote:

> The "file not found" error might be referring to your certificate - it
> may be in the wrong format or something.
>
> Try commenting out the two lines:
>
>     verify   => 'require',
>     certpath => '/home/sean/mycert.cer',

IIRC Net_SSLeay (as OpenSSL) expects certificates to be in PEM (ascii)
format and DER (binary). Convert with

    openssl x509 -inform der -in mycert.cer -out mycert.pem

To fix up passwords for AD's UnicodePwd attribute syntax, you'll need
something like:

    use Unicode::String qw(latin1 utf16);

    sub MakeUnicodePwd($) {
        # AD wants the password wrapped in double quotes
        my $u = latin1("\"" . $_[0] . "\"");
        # ucs2 is big-endian by default; AD wants little-endian
        $u->byteswap();
        return $u->ucs2;
    }

-- 
Norbert Klasen, Dipl.-Inform.     phone: +49 7071 29 70336
DAASI International GmbH          fax:   +49 7071 29 5114
Wilhelmstr. 106                   email: nor...@da...
72074 Tübingen                    web:   http://www.daasi.de
Germany
From: Chris R. <chr...@me...> - 2002-03-07 08:38:41
Norbert Klasen <nor...@da...> wrote:

>
> --On Wednesday, 6 March 2002 15:55 +0000 Chris Ridd
> <chr...@me...> wrote:
>
>> The "file not found" error might be referring to your certificate - it
>> may be in the wrong format or something.
>>
>> Try commenting out the two lines:
>>
>>     verify   => 'require',
>>     certpath => '/home/sean/mycert.cer',
>
> IIRC Net_SSLeay (as OpenSSL) expects certificates to be in PEM (ascii)
> format and DER (binary). Convert with openssl x509 -inform der -in
> mycert.cer -out mycert.pem

That's correct. There's a note about the required format in the
Net::LDAPS manpage, and assuming that the extract from Microsoft's
certificate store saved the cert in DER format, that's a good way to
convert the cert for OpenSSL's use.

There probably should be a HOWTO somewhere describing how to get certs
and keys out of various systems (eg MS, Netscape) and into OpenSSL, as
this always causes problems for people. This document wouldn't be
specific to LDAPS of course.

Cheers,

Chris
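The pieces of this thread put together in one script, as an added example that is not code from any of the posters: the unicodePwd encoding Norbert describes (done here with the core Encode module instead of Unicode::String, which gives the same bytes), an LDAPS connection that verifies the server against the PEM file produced by the openssl command above, and the delete-old/add-new modify that AD requires when a user changes their own password. The host name, CA file path, DN and passwords are placeholders taken from the command line. Two points the original code does not make: Net::LDAPS->new reports its failure in $@, not $! (so 'die $!' can print a stale "No such file or directory" from an earlier module search rather than the real TLS error), and the CA file is passed with the documented 'cafile' option.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread. Assumes the AD CA cert has
# already been converted to PEM:  openssl x509 -inform der -in mycert.cer -out mycert.pem
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAPS;

# AD's unicodePwd value is the password wrapped in double quotes, encoded as
# UTF-16LE with no byte-order mark and no terminator. Encode's "UTF-16LE"
# produces exactly that (plain "UTF-16" would prepend a BOM, which AD rejects).
sub make_unicode_pwd {
    my ($password) = @_;
    return encode('UTF-16LE', qq{"$password"});
}

# Offline self-check on a constructed value: "ab" -> 22 00 61 00 62 00 22 00
sub self_check {
    my $got = unpack('H*', make_unicode_pwd('ab'));
    die "unexpected unicodePwd encoding: $got\n" unless $got eq '2200610062002200';
    return 1;
}

# Connect over LDAPS and require the server certificate to chain to the CA in
# $cafile. Net::LDAPS returns undef and sets $@ on failure, so that is what we die with.
sub connect_ldaps {
    my ($host, $cafile) = @_;
    my $ldap = Net::LDAPS->new($host,
        port   => 636,
        verify => 'require',
        cafile => $cafile,
    ) or die "LDAPS connection to $host failed: $@\n";
    return $ldap;
}

# A user changing their own password must prove knowledge of the old one:
# AD expects a delete of the old unicodePwd value followed by an add of the new
# value in a single modify. An account holding reset rights would instead use
# replace => { unicodePwd => make_unicode_pwd($new) }.
sub change_own_password {
    my ($ldap, $dn, $old, $new) = @_;
    my $mesg = $ldap->modify($dn,
        changes => [
            delete => [ unicodePwd => make_unicode_pwd($old) ],
            add    => [ unicodePwd => make_unicode_pwd($new) ],
        ],
    );
    die 'password change failed: ' . $mesg->error . "\n" if $mesg->code;
    return 1;
}

self_check();
print "unicodePwd encoder OK\n";

# Only touch the network when the caller supplies a server (all placeholders):
#   perl adpw.pl ldapserver /home/sean/mycert.pem 'CN=user,CN=Users,DC=example,DC=com' OLD NEW
if (@ARGV == 5) {
    my ($host, $cafile, $dn, $old, $new) = @ARGV;
    my $ldap = connect_ldaps($host, $cafile);
    my $bind = $ldap->bind($dn, password => $old);
    die 'bind failed: ' . $bind->error . "\n" if $bind->code;
    change_own_password($ldap, $dn, $old, $new);
    $ldap->unbind;
    print "password changed for $dn\n";
}
```

Run with no arguments the script only exercises the encoder, which is enough to confirm that the bytes going into unicodePwd are the quoted UTF-16LE form AD expects; with the five arguments it performs the change over a verified TLS session, which is the setting in which AD accepts unicodePwd writes at all.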