1
votes

I am trying to connect to an LDAP server using the Net::LDAPS module. I am passing the right username, password and capath to it. The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.

The sample code I am working with :

my $ad_host = 'XYZ';
my $ad_port = 636;
my $ad_user = 'ABC';
my $ad_pass = '****';
my $ca_path = '<path to ca cert>';

my $ldap = Net::LDAPS->new(
                $ad_host,
                port   => $ad_port,
                verify => 'require',
                capath => $ca_path
);

Is it a known bug in the LDAPS module? Or am I missing out something apparent.

The debug logs:

DEBUG: .../IO/Socket/SSL.pm:179: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1427: new ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:309: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:311: socket connected
DEBUG: .../IO/Socket/SSL.pm:324: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:354: set socket to non-blocking to enforce  timeout=120
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1175: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:373: fatal SSL error: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1462: free ctx 21295632 open=21295632
DEBUG: .../IO/Socket/SSL.pm:1465: OK free ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:1175: IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)

Versions of the modules I am using :

...:~/test_perl$ perlmodver Net::LDAPS 0.05

...:~/test_perl$ perlmodver Net::LDAP 0.39

...:~/test_perl$ perlmodver IO::Socket::SSL 1.18

2
Can you connect to your server using ldapsearch? - Chankey Pathak
You are using 8 year old versions of the modules. There are current versions for all of these modules. Have you tried these? - Steffen Ullrich
@ChankeyPathak I could connect to port 636 on my AD machine with telnet. Also, the same perl scripts run perfectly on a similar machine with all the modules being the same. - user1726707
@SteffenUllrich I could successfully query the AD with the same scripts on a similar machine. The only difference between the two machines is the machine on which the script is running runs on lucid and this machine runs on trusty. Does it have anything to do with this error? - user1726707
@user1726707: if the module versions are the same your are obviously using your own Perl (or at least some modules, which predate both trusty and lucid in several years). But you might rely on the underlying Net::SSLeay and openssl library which ships with the system and accounts for the differences. - Steffen Ullrich

2 Answers

1
votes

If you look at the error you can see that certificate verification failed.

SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You can either correct the certificate or ignore certificate verification by passing

verify => 'none'

On a sidenote, you can also use Net::LDAP if you pass ldaps:// as a prefix to $ad_host.

$ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
                        verify => 'require',
                        capath => $ca_path);

Oops just noticed that you said

The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.

Then this looks like a configuration issue. Can you connect to your server using ldapsearch?

0
votes

This issue is resolved.

There are 2 ways to solve this :

Bypass the verification (Not recommended)

If you are using the "verify" attribute like the one in my code, you just have to comment it out. It will bypass the cert verification.

Add a soft link to the certificates

Maybe it is a behavior specific to trusty, because on lucid it was working fine. So, you need to create a soft link to all your pem files and place it in the CA Path. You can do this by running

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0