From: Bing Du <du...@mo...> - 2002-10-07 20:58:58

I'd appreciate anybody providing any hints or pointing me to any online sources that would be helpful for fixing my problem with start_tls. Briefly, Net::LDAPS works fine but start_tls does not. More details are shown below.

Net::LDAP version 0.251
Net::LDAPS version 0.03

Using start_tls with Net::LDAP:
-----
#!/usr/local/bin/perl
use Net::LDAP;

$dn = "uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu, dc=edu";
$pw = 'mypass';
my $ldap_server = 'operator.tamu.edu';

my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";
my $mesg = $ldcon->bind(dn => $dn,password => $pw);
$mesg = $ldcon->start_tls();
print "start_tls: ",$mesg->error,"\n";
$version = $ldcon->version;
print "version is $version\n";
$mesg = $ldcon->cipher();
print "cipher is ",$mesg,"\n";
-----
Outputs are:
-----
start_tls: Operations error
version is 3
cipher is
-----

Is there any way to check if TLS is currently established on the connection?

Using Net::LDAPS:
-----
#!/usr/local/bin/perl
use Net::LDAPS;

$dn = "uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu, dc=edu";
$pw = 'gydb0711db';
my $ldap_server = 'operator.tamu.edu';
my $PEOPLE_BASEDN = "ou=people,dc=tamu,dc=edu";

my $ldcon = new Net::LDAPS($ldap_server) || die "Can't connect";
my $mesg = $ldcon->bind(dn => $dn,password => $pw, version=>3);
$version = $ldcon->version;
print "version is $version\n";
#$mesg = $ldcon->start_tls();
#print "start_tls: ",$mesg->error,"\n";
$mesg = $ldcon->cipher();
print "cipher is ",$mesg,"\n";
-----
Outputs (as expected) are:
-----
version is 3
cipher is EXP1024-RC4-SHA
-----

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix
From: Clif H. <ch...@po...> - 2002-10-08 01:54:26

The first thing I would do is make sure your directory server supports TLS operation.

Clif

Bing Du wrote:
>
> I'd appreciate anybody providing any hints or pointing me to any online
> sources that would be helpful for fixing my problem with
> start_tls. Briefly Net::LDAPS works fine but start_tls does not. More
> details as shown below.
>
> Net::LDAP version 0.251
> Net::LDAPS version 0.03
>
From: Bing Du <du...@mo...> - 2002-10-08 14:40:37

Now that Net::LDAPS works, does that mean our directory server supports SSL but not necessarily TLS?

From my understanding after reading the description of Net::LDAPS:

"...
Note that the use of LDAPS is not recommended, because it is
not described by any IETF documents. Instead, you should
consider using LDAPv3 with the TLS extension defined in RFC
2830. This will give you the same functionality as LDAPS,
but using recognized standards. See the start_tls entry in
the Net::LDAP manpage. ..."

Start_tls should at least do what Net::LDAPS can do. Please correct me if I'm wrong. Thanks.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Mon, 7 Oct 2002, Clif Harden wrote:

>
> The first thing I would do is make sure your directory server
> supports TLS operation.
>
> Clif
>
> Bing Du wrote:
> >
> > I'd appreciate anybody providing any hints or pointing me to any online
> > sources that would be helpful for fixing my problem with
> > start_tls. Briefly Net::LDAPS works fine but start_tls does not. More
> > details as shown below.
> >
> > Net::LDAP version 0.251
> > Net::LDAPS version 0.03
> >
>
From: Bing Du <du...@mo...> - 2002-10-08 16:02:52

To test whether our directory supports TLS, I ran the following script.
========
#!/usr/local/bin/perl
use Net::LDAP;

my $ldap_server = 'operator.tamu.edu';
my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";

my $can_do_start_tls = 0;
my $r = $ldcon->root_dse();
foreach ($r->get_value("supportedExtension")) {
  $can_do_start_tls = 1 if $_ eq "1.3.6.1.4.1.1466.20037";
}
print "can_do_start_tls is $can_do_start_tls\n";
exit;
========
The output is 'can_do_start_tls is 1'. Now what?

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Bing Du wrote:

> Now that Net::LDAPS works, does that mean our directory server supports
> SSL but not necessarily supports TLS?
>
> From my understanding after reading the description of Net::LDAPS:
>
> "...
> Note that the use of LDAPS is not recommended, because it is
> not described by any IETF documents. Instead, you should
> consider using LDAPv3 with the TLS extension defined in RFC
> 2830. This will give you the same functionality as LDAPS,
> but using recognized standards. See the start_tls entry in
> the Net::LDAP manpage. ..."
>
> Start_tls should at least do what Net::LDAPS can do. Please correct me if
> I'm wrong. Thanks.
>
> Bing
>
> Bing Du <bi...@ta..., 979-845-9577>
> Texas A&M University, CIS, Operating Systems, Unix
>
> On Mon, 7 Oct 2002, Clif Harden wrote:
>
> >
> > The first thing I would do is make sure your directory server
> > supports TLS operation.
> >
> > Clif
> >
> > Bing Du wrote:
> > >
> > > I'd appreciate anybody providing any hints or pointing me to any online
> > > sources that would be helpful for fixing my problem with
> > > start_tls. Briefly Net::LDAPS works fine but start_tls does not. More
> > > details as shown below.
> > >
> > > Net::LDAP version 0.251
> > > Net::LDAPS version 0.03
> > >
>
From: Chris R. <chr...@ma...> - 2002-10-08 16:14:02

On 8/10/02 3:40 pm, Bing Du <du...@mo...> wrote:

> Now that Net::LDAPS works, does that mean our directory server supports
> SSL but not necessarily supports TLS?
>
> From my understanding after reading the description of Net::LDAPS:
>
> "...
> Note that the use of LDAPS is not recommended, because it is
> not described by any IETF documents. Instead, you should
> consider using LDAPv3 with the TLS extension defined in RFC
> 2830. This will give you the same functionality as LDAPS,
> but using recognized standards. See the start_tls entry in
> the Net::LDAP manpage. ..."
>
> Start_tls should at least do what Net::LDAPS can do. Please correct me if
> I'm wrong. Thanks.

At the protocol level, they're rather different.

StartTLS is an LDAPv3 extended operation that servers must explicitly support. Because you can issue StartTLS at an arbitrary point in your connection to the server, it isn't the same as making an SSL connection to a given port.

Now one thing I noticed from your original snippet is:

my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";

my $mesg = $ldcon->bind(dn => $dn,password => $pw);

$mesg = $ldcon->start_tls();
print "start_tls: ",$mesg->error,"\n";

It is unusual to do the bind in the clear, and then turn on TLS afterwards. That might be what you wanted, but normally you'd turn on TLS before issuing any bind. That would be more similar to just making an LDAPS connection, though incurring the extra overhead of the extended operation and result.

The second oddity is that you're not waiting for the bind to succeed. Try checking for that before you call start_tls. Maybe there's an issue with there being outstanding results on the socket when we try switching it, so waiting for the bind result should address that.

Cheers,

Chris
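The ordering Chris describes, TLS first and the bind only afterwards, with every result checked, as an added example that is not code from the thread or from the Net::LDAP distribution. It assumes a reachable server, a CA bundle for verifying that server's certificate, and credentials passed in through environment variables (the defaults below are placeholders). It also folds in the root DSE check from Bing's earlier script, and answers the question of how to tell whether TLS is actually active: after a successful start_tls the underlying socket is an IO::Socket::SSL and cipher() names the negotiated cipher.

```perl
#!/usr/bin/perl
# Added example, not from the thread: StartTLS before bind, each step checked,
# so the password never leaves the client on a plain socket.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumptions: host, CA bundle and credentials come from the environment.
# The fallback values are placeholders, not real systems or accounts.
my $host   = $ENV{LDAP_HOST}   || 'ldap.example.com';
my $cafile = $ENV{LDAP_CAFILE} || '/etc/ssl/certs/ca-bundle.pem';
my $dn     = $ENV{LDAP_BINDDN} || 'uid=someone,ou=People,dc=example,dc=com';
my $pw     = $ENV{LDAP_BINDPW} || '';

my $STARTTLS_OID = '1.3.6.1.4.1.1466.20037';   # RFC 2830 StartTLS extended operation

my $ldap = Net::LDAP->new($host, version => 3)
    or die "Can't connect to $host: $@\n";

# 1. Ask the root DSE whether the server advertises the StartTLS extension.
my $dse = $ldap->root_dse
    or die "no root DSE from $host\n";
my $has_starttls = grep { $_ eq $STARTTLS_OID } $dse->get_value('supportedExtension');
die "$host does not advertise StartTLS ($STARTTLS_OID)\n" unless $has_starttls;

# 2. Switch the socket to TLS before any bind, and require a verified
#    server certificate so credentials cannot be handed to an impostor.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die sprintf("start_tls failed: %d %s\n", $mesg->code, $mesg->error)
    if $mesg->code != LDAP_SUCCESS;

# 3. Confirm the connection really is encrypted now. A plain socket is an
#    IO::Socket::INET; only after a successful upgrade is it IO::Socket::SSL.
my $sock = $ldap->socket;
die "start_tls reported success but the socket is not a TLS socket\n"
    unless $sock->isa('IO::Socket::SSL');
print "TLS established, cipher ", $ldap->cipher, "\n";

# 4. Only now send credentials, and check the bind result too.
$mesg = $ldap->bind($dn, password => $pw);
die sprintf("bind failed: %d %s\n", $mesg->code, $mesg->error)
    if $mesg->code != LDAP_SUCCESS;
print "bound as $dn over TLS\n";

$ldap->unbind;
```

Run it as LDAP_HOST=... LDAP_CAFILE=... LDAP_BINDDN=... LDAP_BINDPW=... perl starttls_bind.pl. The reason for dying before the bind is that a failed or unverified start_tls must never fall through to a bind, since that is exactly how a password ends up on the wire in the clear; a script that prints the start_tls error and carries on, as the ones in this thread do, has no such guard.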
From: Bing Du <du...@mo...> - 2002-10-08 16:50:11

Thanks Chris. Actually I did try doing start_tls before bind after my first post. But it was not getting any better.
=====
#!/usr/local/bin/perl
use Net::LDAP;

$dn = "uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu, dc=edu";
$pw = 'mypass';
my $ldap_server = 'operator.tamu.edu';

my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";
$mesg = $ldcon->start_tls();
print "start_tls return code ",$mesg->code,"-",$mesg->error,"\n";
$mesg = $ldcon->bind(dn => $dn,password => $pw);
if ($mesg->code) {
  print $mesg->code,"-",$mesg->error,"\n";
} else {
  print "bind return code ",$mesg->code,"-",$mesg->error,"\n";
}
=====
The result was:
======
start_tls return code 1-Operations error
84-decode error 16<=>30 at /usr/local/perl/5.6.1/lib/site_perl/5.6.1/Convert/ASN1/_decode.pm line 108.
======
If I removed start_tls, bind was ok.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Chris Ridd wrote:

> On 8/10/02 3:40 pm, Bing Du <du...@mo...> wrote:
>
> > Now that Net::LDAPS works, does that mean our directory server supports
> > SSL but not necessarily supports TLS?
> >
> > From my understanding after reading the description of Net::LDAPS:
> >
> > "...
> > Note that the use of LDAPS is not recommended, because it is
> > not described by any IETF documents. Instead, you should
> > consider using LDAPv3 with the TLS extension defined in RFC
> > 2830. This will give you the same functionality as LDAPS,
> > but using recognized standards. See the start_tls entry in
> > the Net::LDAP manpage. ..."
> >
> > Start_tls should at least do what Net::LDAPS can do. Please correct me if
> > I'm wrong. Thanks.
>
> At the protocol level, they're rather different.
>
> StartTLS is an LDAPv3 extended operation that servers must explicitly
> support. Because you can issue StartTLS at an arbitrary point in your
> connection to the server, it isn't the same as making an SSL connection to a
> given port.
>
> Now one thing I noticed from your original snippet is:
>
> my $ldcon = new Net::LDAP($ldap_server,version=>3) || die "Can't connect";
>
> my $mesg = $ldcon->bind(dn => $dn,password => $pw);
>
> $mesg = $ldcon->start_tls();
> print "start_tls: ",$mesg->error,"\n";
>
> It is unusual to do the bind in the clear, and then turn on TLS afterwards.
> That might be what you wanted, but normally you'd turn on TLS before issuing
> any bind. That would be more similar to just making an LDAPS connection,
> though incurring the extra overhead of the extended operation and result.
>
> The second oddity is that you're not waiting for the bind to succeed. Try
> checking for that before you call start_tls. Maybe there's an issue with
> there being outstanding results on the socket when we try switching it, so
> waiting for the bind result should address that.
>
> Cheers,
>
> Chris
>
From: Clif H. <cl...@go...> - 2002-10-08 18:09:20

Since you have the TLS extension in your server, it may be that you have to use the vendor's API to use TLS. That is the situation in our case: our directory supports TLS, but we have to use the vendor's API(s) to get it to work.

Regards,

Clif

On Tue, Oct 08, 2002 at 11:50:07AM -0500, Bing Du wrote:
> Thanks Chris. Actually I did try doing start_tls before bind after my
> first post. But it was not getting any better.
>
> =====

Stuff removed.

> > It is unusual to do the bind in the clear, and then turn on TLS afterwards.
> > That might be what you wanted, but normally you'd turn on TLS before issuing
> > any bind. That would be more similar to just making an LDAPS connection,
> > though incurring the extra overhead of the extended operation and result.
> >
> > The second oddity is that you're not waiting for the bind to succeed. Try
> > checking for that before you call start_tls. Maybe there's an issue with
> > there being outstanding results on the socket when we try switching it, so
> > waiting for the bind result should address that.
> >
> > Cheers,
> >
> > Chris
> >
>
From: Chris R. <chr...@ma...> - 2002-10-08 18:36:08

On 8/10/02 5:50 pm, Bing Du <du...@mo...> wrote:
> The result was:
> ======
> start_tls return code 1-Operations error
> 84-decode error 16<=>30 at
> /usr/local/perl/5.6.1/lib/site_perl/5.6.1/Convert/ASN1/_decode.pm line 108.

Interesting. It looks a bit like we're getting unexpected BER back from the server. Or we're sending the server something bad. Can you set $ldapcon->debug(12) before calling start_tls and send us the results?

Alternatively, what version of the LDAP.pm file do you have?

An error did slip in to start_tls a while ago relating to the message we were constructing (BER) to send to the server. We fixed it in version 1.32 of Net::LDAP.pm, and I see Graham's got another start_tls fix in version 1.34 of the same file.

Cheers,

Chris
From: Bing Du <du...@mo...> - 2002-10-08 20:56:41

% perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
0.251

So I guess we need to get the latest version of Net::LDAP?

==============
Net::LDAP=HASH(0x2e250) sending:

0000   29: SEQUENCE {
0002    1:   INTEGER = 1
0005   24:   [APPLICATION 23] {
0007   22:     [CONTEXT 0]
0009     :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
0019     :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
001F     :   }
001F     : }

Net::LDAP=HASH(0x2e250) received:

0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 24] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
start_tls return code 1-Operations error

Net::LDAP=HASH(0x2e250) sending:

0000   86: SEQUENCE {
0002    1:   INTEGER = 2
0005   81:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   64:     STRING = 'uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu, dc=edu'
004C   10:     [CONTEXT 0]
004E     :       67 79 64 62 30 37 31 31 64 62 __ __ __ __ __ __ gydb0711db
0058     :   }
0058     : }

Net::LDAP=HASH(0x2e250) received:

0000    3: [UNIVERSAL 22]
0002     :   01 00 04 __ __ __ __ __ __ __ __ __ __ __ __ __ ...
84-decode error 16<=>30 at /usr/local/perl/5.6.1/lib/site_perl/5.6.1/Convert/ASN1/_decode.pm line 108.
================

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Chris Ridd wrote:

> On 8/10/02 5:50 pm, Bing Du <du...@mo...> wrote:
> > The result was:
> > ======
> > start_tls return code 1-Operations error
> > 84-decode error 16<=>30 at
> > /usr/local/perl/5.6.1/lib/site_perl/5.6.1/Convert/ASN1/_decode.pm line 108.
>
> Interesting. It looks a bit like we're getting unexpected BER back from the
> server. Or we're sending the server something bad. Can you set
> $ldapcon->debug(12) before calling start_tls and send us the results?
>
> Alternatively, what version of the LDAP.pm file do you have?
>
> An error did slip in to start_tls a while ago relating to the message we
> were constructing (BER) to send to the server. We fixed it in version 1.32
> of Net::LDAP.pm, and I see Graham's got another start_tls fix in version
> 1.34 of the same file.
>
> Cheers,
>
> Chris
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
>
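A reading of the dump above, with a small diagnostic added here that is neither from the thread nor from Net::LDAP. Convert::ASN1's "decode error 16<=>30" reports the tag byte it read (0x16) against the one it expected (0x30, the BER SEQUENCE that opens every LDAPMessage). The five bytes 16 03 01 00 04 are also exactly a TLS 1.0 record header (content type 22 = handshake, version 3.1, 4-byte payload). One interpretation, and it is an interpretation rather than something the thread states, is that the server switched its side of the socket to TLS after answering the StartTLS request with resultCode 0, while the client, whose start_tls had failed locally, kept reading and writing in the clear: the bind request, password included, went over the wire unencrypted, and the server's first TLS record was then handed to the BER decoder. The helper classifies received bytes so a client can report that condition plainly instead of dying inside the decoder. The sample inputs are constructed from the dump; the four payload bytes the dump truncates are filled with zeros as a placeholder.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the thread or from Net::LDAP: tell whether the
# bytes just read from a socket the client treats as plain LDAP are a BER
# LDAPMessage or a TLS record.
use strict;
use warnings;

my %TLS_CONTENT_TYPE = (
    0x14 => 'change_cipher_spec',
    0x15 => 'alert',
    0x16 => 'handshake',
    0x17 => 'application_data',
);

# Classify the leading bytes of a buffer. Returns a hashref:
#   { kind => 'empty' }
#   { kind => 'ldap' }                  tag 0x30: the SEQUENCE opening an LDAPMessage
#   { kind => 'tls', type => ..., version => 'M.m', length => N }
#   { kind => 'unknown', tag => 0xNN }
sub classify_leading_bytes {
    my ($buf) = @_;
    return { kind => 'empty' } unless defined $buf && length $buf;

    my $first = ord(substr($buf, 0, 1));
    return { kind => 'ldap' } if $first == 0x30;

    # A TLS record header is 5 bytes: content type, version major/minor,
    # 16-bit big-endian payload length. Record versions run 3.0 to 3.4.
    if (length($buf) >= 5) {
        my ($type, $major, $minor, $len) = unpack('C3 n', $buf);
        if (exists $TLS_CONTENT_TYPE{$type} && $major == 3 && $minor <= 4) {
            return {
                kind    => 'tls',
                type    => $TLS_CONTENT_TYPE{$type},
                version => "$major.$minor",
                length  => $len,
            };
        }
    }
    return { kind => 'unknown', tag => $first };
}

# One-line description suitable for a log entry or a die() message.
sub describe_leading_bytes {
    my ($buf) = @_;
    my $c = classify_leading_bytes($buf);
    return 'empty read (peer closed?)'     if $c->{kind} eq 'empty';
    return 'LDAP BER message (SEQUENCE)'   if $c->{kind} eq 'ldap';
    if ($c->{kind} eq 'tls') {
        return sprintf('TLS %s record, record version %s, %d payload bytes: '
                     . 'peer is speaking TLS on a socket this side still treats as plain',
                       $c->{type}, $c->{version}, $c->{length});
    }
    return sprintf('unrecognised leading tag 0x%02X', $c->{tag});
}

# Constructed samples.
# 1. The five bytes visible in the dump (16 03 01 00 04), followed by four
#    zero bytes standing in for the payload the dump truncated.
my $after_failed_starttls = pack('C*', 0x16, 0x03, 0x01, 0x00, 0x04,
                                       0x00, 0x00, 0x00, 0x00);
# 2. The server's StartTLS ExtendedResponse from the same dump, re-encoded:
#    SEQUENCE { INTEGER 1, [APPLICATION 24] { ENUM 0, '', '' } }.
my $extended_response = pack('C*', 0x30, 0x0C, 0x02, 0x01, 0x01,
                                   0x78, 0x07, 0x0A, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00);

print "after failed start_tls: ", describe_leading_bytes($after_failed_starttls), "\n";
print "extended response:      ", describe_leading_bytes($extended_response), "\n";
```

The check belongs right after the first read that follows a start_tls attempt: if the classifier says "tls" on a socket the client still treats as plain, the only safe action is to close the connection, since anything already written after the StartTLS exchange, including a bind, went out unprotected.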
From: Chris R. <chr...@ma...> - 2002-10-08 21:05:22

On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
> % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> 0.251

That's the overall package version, not the version of the file in CVS. I'm not sure how the two are related... Maybe Graham can remember?

Cheers,

Chris
From: Graham B. <gb...@po...> - 2002-10-08 21:17:57

On Tue, Oct 08, 2002 at 10:05:44PM +0100, Chris Ridd wrote:
> On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
>
> > % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> > 0.251
>
> That's the overall package version, not the version of the file in CVS. I'm
> not sure how the two are related... Maybe Graham can remember?

$VERSION is updated manually whenever a release is done. The latest from CPAN is 0.26

Graham.
From: Bing Du <du...@mo...> - 2002-10-08 21:39:27

How should I tell which version of LDAP.pm we have then? Did the debug info indicate the problem you were talking about that had been fixed in the higher versions?

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Chris Ridd wrote:

> On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
>
> > % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> > 0.251
>
> That's the overall package version, not the version of the file in CVS. I'm
> not sure how the two are related... Maybe Graham can remember?
>
> Cheers,
>
> Chris
>
From: Bing Du <du...@mo...> - 2002-10-09 19:44:54

Some new discoveries. I just tested the same script on another machine which has the same version of SunOS (5.8) and the same version of Perl (5.6.1), but has a bit lower version of Net::LDAP (0.25). Start_tls worked! So now the question is why it works with 0.25 but not 0.251?

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Tue, 8 Oct 2002, Chris Ridd wrote:

> On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
>
> > % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> > 0.251
>
> That's the overall package version, not the version of the file in CVS. I'm
> not sure how the two are related... Maybe Graham can remember?
>
> Cheers,
>
> Chris
>
From: Graham B. <gb...@po...> - 2002-10-09 19:54:27

I cannot remember exact version numbers. But at one point Net::LDAP had a work-around for a bug in IO::Socket::SSL, but when that bug was fixed, the work-around caused problems and it was then removed.

What IO::Socket::SSL version do you have on each machine, and is it the latest?

Graham.

On Wed, Oct 09, 2002 at 02:44:42PM -0500, Bing Du wrote:
> Some new discoveries. I just tested the same script on another machine
> which has the same version of SunOS (5.8) and the same version of Perl
> (5.6.1), but has a bit lower version of Net::LDAP (0.25). Start_tls
> worked! So now the question is why it works with 0.25 but not 0.251?
>
> Bing
>
> Bing Du <bi...@ta..., 979-845-9577>
> Texas A&M University, CIS, Operating Systems, Unix
>
> On Tue, 8 Oct 2002, Chris Ridd wrote:
>
> > On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
> >
> > > % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> > > 0.251
> >
> > That's the overall package version, not the version of the file in CVS. I'm
> > not sure how the two are related... Maybe Graham can remember?
> >
> > Cheers,
> >
> > Chris
> >
>
From: Bing Du <du...@mo...> - 2002-10-10 14:50:39

On the machine where start_tls works:
SunOS 5.8
Perl 5.6.1
Net::LDAP 0.25
IO::Socket::SSL 0.80

On the machine where start_tls does not work:
SunOS 5.8
Perl 5.6.1
Net::LDAP 0.251
IO::Socket::SSL 0.81

We've just upgraded Net::LDAP from 0.251 to 0.26. Start_tls works fine now.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

On Wed, 9 Oct 2002, Graham Barr wrote:

> I cannot remember exact version numbers. But at one point Net::LDAP had a work-around
> for a bug in IO::Socket::SSL, but when that bug was fixed, the work-around caused
> problems and it was then removed.
>
> What IO::Socket::SSL version do you have on each machine, and is it the latest ?
>
> Graham.
>
> On Wed, Oct 09, 2002 at 02:44:42PM -0500, Bing Du wrote:
> > Some new discoveries. I just tested the same script on another machine
> > which has the same version of SunOS (5.8) and the same version of Perl
> > (5.6.1), but has a bit lower version of Net::LDAP (0.25). Start_tls
> > worked! So now the question is why it works with 0.25 but not 0.251?
> >
> > Bing
> >
> > Bing Du <bi...@ta..., 979-845-9577>
> > Texas A&M University, CIS, Operating Systems, Unix
> >
> > On Tue, 8 Oct 2002, Chris Ridd wrote:
> >
> > > On 8/10/02 9:56 pm, Bing Du <du...@mo...> wrote:
> > >
> > > > % perl -MNet::LDAP -e 'print $Net::LDAP::VERSION,"\n"'
> > > > 0.251
> > >
> > > That's the overall package version, not the version of the file in CVS. I'm
> > > not sure how the two are related... Maybe Graham can remember?
> > >
> > > Cheers,
> > >
> > > Chris
> > >
> >
>