Net::LDAP->root_dse() not returning an error (when LDAP server does)

Hello,

I'm experimenting with "start_tls()" in Net::LDAP. The manual suggests to check
the RootDSE for LDAPv3 and TLS extension. Somehow I managed that creating the LDAP
object (i.e. connect) succeeds, but $ldap->root_dse() returns undef. Interesting to
say that you cannot get much information out of an undef:

My code fragment is this:

sub start_TLS($$)
{
     my ($ldap, $q) = @_;
     my $dse = $ldap->root_dse();

     if ($dse && $dse->supported_version(3) &&
         $dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
         my $msg = $ldap->start_tls('verify' => 'none');

The "$dse &&" is a workaround against an undefined $dse.

I don't know exactly what the problem is, but I suspect that the server wants to
have a secured connection before returning the RootDSE. In my case I have
OpenLDAP2 configured with

security ssf=1 update_ssf=112 simple_bind=64

# intended use: ensure integrity of reads while ensuring confidentiality on
updates and binds

I can get the root DSE if I use the configuration line

security ssf=0 update_ssf=112 simple_bind=64

instead, but I'd wish for root_dse() to report an error on failure, because the
LDAP server actually reported an error:

slapd[1163]: conn=11 op=0 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
slapd[1163]: conn=11 op=0 SRCH attr=subschemaSubentry namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion
slapd[1163]: conn=11 op=0 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required

Regards,
Ulrich



Ulrich
8/12/2004 7:32:37 AM

Hi,

On Thursday 12 August 2004 09:32, Ulrich Windl wrote:
> I'm experimenting with "start_tls()" in Net::LDAP. The manual suggests to check
> the RootDSE for LDAPv3 and TLS extension. Somehow I managed that creating the LDAP
> object (i.e. connect) succeeds, but $ldap->root_dse() returns undef. Interesting to
> say that you cannot get much information out of an undef:
>
> My code fragment is this:
>
> sub start_TLS($$)
> {
>      my ($ldap, $q) = @_;
>      my $dse = $ldap->root_dse();
>
>      if ($dse && $dse->supported_version(3) &&
>          $dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
>          my $msg = $ldap->start_tls('verify' => 'none');
>
> The "$dse &&" is a workaround against an undefined $dse.

The root_dse() method in Net::LDAP returns either a Net::LDAP::RootDSE object
or undef to indicate something went wrong.
Thus the "$dse &&" is no workaround but the way to detect if an error
occurred.

> I don't know exactly what the problem is, but I suspect that the server wants to
> have a secured connection before returning the RootDSE. In my case I have
> OpenLDAP2 configured with
>
> security ssf=1 update_ssf=112 simple_bind=64
>
> # intended use: ensure integrity of reads while ensuring confidentiality on
> updates and binds
>
> I can get the root DSE if I use the configuration line
>
> security ssf=0 update_ssf=112 simple_bind=64
>
> instead, but I'd wish for root_dse() to report an error on failure, because the
> LDAP server actually reported an error:
>
> slapd[1163]: conn=11 op=0 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
> slapd[1163]: conn=11 op=0 SRCH attr=subschemaSubentry namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion
> slapd[1163]: conn=11 op=0 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required

Since root_dse() is little more than a search with scope base on the DIT's root,
it all depends on your server's configuration whether root_dse() fails or not.

I'd suggest allowing access to the DIT's root to anybody, since this entry
contains information necessary for binding.
And you use it in a similar way: you try to determine if the server supports
LDAPv3 and the start_tls extension.

You may try to simulate root_dse() by doing the search in root_dse() manually.
Then you get back a message object.

Peter

PS: I may be misled, but I fear you need to be connected with LDAPv3 in order
   to use start_tls on a connection. I am not sure if it is sufficient if the
   server supports LDAPv3 with start_tls when you're bound with LDAPv2.


-- 
Peter Marschall
eMail: peter@adpm.de
peter
8/13/2004 6:20:25 PM
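The manual root-DSE search Peter suggests, written out as an added example (not code from either poster or from Net::LDAP itself): it re-issues the base-scope search so the server's result code and diagnostic text (the err=13 "confidentiality required" from the slapd log) reach the caller instead of a bare undef, then checks LDAPv3 and the StartTLS extension OID on the raw entry and negotiates TLS with certificate verification turned on rather than 'verify' => 'none'. The host name and CA file are assumed placeholders; with the ssf=1 policy still in place the search will fail at the first die with the server's own text, which is the point.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_EXTENSION_START_TLS);

# Assumed values (placeholders, not taken from the thread).
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/ca-bundle.pem';

# Re-issue the base-scope search that root_dse() performs internally and
# return the entry, or die with the server's result code and diagnostic
# text (e.g. code=13, "confidentiality required").
sub fetch_root_dse {
    my ($ldap) = @_;
    my $mesg = $ldap->search(
        base   => '',
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => [qw(subschemaSubentry namingContexts altServer
                      supportedExtension supportedControl
                      supportedSASLMechanisms supportedLDAPVersion)],
    );
    die sprintf("root DSE search failed: code=%d (%s)\n",
                $mesg->code, $mesg->error)
        if $mesg->code != LDAP_SUCCESS;
    my $entry = $mesg->entry(0)
        or die "server returned no root DSE entry\n";
    return $entry;
}

# Check LDAPv3 and the StartTLS extension OID on the raw entry, then
# negotiate TLS and verify the server certificate against the CA file.
sub start_tls_checked {
    my ($ldap, $cafile) = @_;
    my $dse     = fetch_root_dse($ldap);
    my %version = map { $_ => 1 } $dse->get_value('supportedLDAPVersion');
    my %ext     = map { $_ => 1 } $dse->get_value('supportedExtension');
    die "server does not offer LDAPv3 + StartTLS\n"
        unless $version{3} && $ext{ LDAP_EXTENSION_START_TLS() };
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die sprintf("start_tls failed: code=%d (%s)\n", $mesg->code, $mesg->error)
        if $mesg->code != LDAP_SUCCESS;
    return $ldap;
}

my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@\n";
start_tls_checked($ldap, $cafile);
print "TLS established with $host\n";
```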