List: perl-ldap-dev
Subject: Re: userpassword
From: Chris Ridd <chris.ridd () messagingdirect ! com>
Date: 2001-07-05 11:00:12
Graham Barr <gbarr@pobox.com> wrote:
> On Wed, Jul 04, 2001 at 10:35:11AM +0100, Graham Barr wrote:
>> On Wed, Jul 04, 2001 at 10:26:50AM +0100, Chris Ridd wrote:
>> > Graham Barr <gbarr@pobox.com> wrote:
>> > > On Wed, Jul 04, 2001 at 09:58:37AM +0100, Chris Ridd wrote:
>> > >> Graham Barr <gbarr@pobox.com> wrote:
>> > >> > On Wed, Jul 04, 2001 at 09:12:01AM +0100, Chris Ridd wrote:
>> > >> IIRC, IO::Socket::SSL needs to support send() and recv(), which I
>> > >> imagined would mean it (and by extension Net::SSLeay) needed
>> > >> rewriting to use openssl's non-blocking I/O.
>> > >
>> > > Is this because Net::LDAP currently uses send() and recv() ?
>> >
>> > Yes. I thought it was doing that in case we wanted to support CLDAP (a
>> > version of LDAP over UDP) at some point.
>>
>> There are always other ways to solve that. And right now I would
>> rather support LDAPS than CLDAP
>>
>> > > Is the Net::LDAPS in CVS upto date ?
>> >
>> > Yes.
>>
>> OK, I will make the changes.
>
> OK, I have committed the changes to CVS, please check that I have not
> broken Net::LDAPS
Minor damage: you need to create an IO::Socket::SSL instead of an
IO::Socket::INET in the new _connect method in LDAPS.pm :-)
> It seems to me we can add this to Net::LDAP
>
> sub start_tls {
>   my $ldap = shift;
>
>   require IO::Socket::SSL;
>   IO::Socket::SSL::startTLS($ldap->socket);
> }
>
> yes ?
>
>
> Graham.
Not quite. You need to issue an extended LDAP operation to indicate you're
going to start the TLS handshake, so it needs to be something like this:
sub startTLS {
  my $ldap = shift;
  my $args = &_options;   # option hash, parsed the same way as the other Net::LDAP methods

  # StartTLS is only defined for LDAPv3 (RFC 2830)
  if ($ldap->version < 3) {
    require Carp;
    Carp::croak("StartTLS not supported before LDAPv3");
  }

  # Tell the server we intend to start TLS: an extended operation with the StartTLS OID
  require Net::LDAP::Extension;
  my $mesg = Net::LDAP::Extension->new($ldap);
  $mesg->encode(
    extendedReq => {
      requestName => "1.3.6.1.4.1.1466.20037",   # StartTLS
    }
  );
  $ldap->_sendmesg($mesg);
  $mesg->sync();

  # Only begin the handshake once the server has answered with success
  if ($mesg->code) {
    require Carp;
    Carp::croak("StartTLS extended operation failed: " . $mesg->error);
  }

  # Upgrade the existing plaintext socket in place (same file descriptor)
  require IO::Socket::SSL;
  IO::Socket::SSL::context_init($args);
  IO::Socket::SSL::socketToSSL($ldap->socket);
}
*However* that returns an I/O error when you next try to call _sendmesg on
the socket, even though the socket looks OK:
  DB<1> x $ldap->socket
  0  IO::Socket::SSL=GLOB(0x866b998)
     -> *Symbol::GEN0
           FileHandle({*Symbol::GEN0}) => fileno(3)
... same fd as before the socketToSSL, which is good.
The mechanism to select the ciphers and verify mode etc. needs some
improvement too - perhaps the logic in Net::LDAPS to set this stuff should
go into LDAP.pm
I'm not sure calling context_init() is the right thing to do here either;
it looks awfully 'global' in scope.
We should also override startTLS in LDAPS to prevent someone from calling
it on an LDAPS socket :-)
Cheers,
Chris
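The StartTLS exchange Chris describes above, as an added example that is not part of this thread or of Net::LDAP: it is written in Python rather than Perl and encodes both sides' LDAP messages by hand (the client's ExtendedRequest and a server ExtendedResponse constructed inline for the example), so it runs without a directory server. The names StartTlsClient, encode_extended_response and wrap_after_starttls are invented here; the OID, the LDAPv3 check, the "handshake only after a success result" ordering and the refusal to run StartTLS over a connection that is already TLS (the LDAPS case) are the points from the message above.

```python
# Added example: the StartTLS exchange at the BER level, in Python rather than
# Net::LDAP's Perl. Messages are constructed inline; no server is contacted.
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # same OID as in the Perl snippet above


# --- minimal BER helpers -----------------------------------------------------
def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """INTEGER; adds a leading zero byte when the top bit would read as a sign."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- the two LDAP messages ---------------------------------------------------
def encode_starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(message_id) + ext)


def encode_extended_response(message_id, result_code, diagnostic=""):
    """Server side (constructed for this example): ExtendedResponse
    [APPLICATION 24] carrying an LDAPResult plus responseName [10]."""
    body = (tlv(0x0A, bytes([result_code]))            # resultCode ENUMERATED
            + tlv(0x04, b"")                            # matchedDN
            + tlv(0x04, diagnostic.encode("utf-8"))     # diagnosticMessage
            + tlv(0x8A, STARTTLS_OID.encode("ascii")))  # responseName
    return tlv(0x30, ber_int(message_id) + tlv(0x78, body))


def parse_extended_response(raw):
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(ext, 0)
    result_code = int.from_bytes(code, "big")
    _, _matched_dn, pos = read_tlv(ext, pos)
    _, diag, pos = read_tlv(ext, pos)
    response_name = None
    while pos < len(ext):                   # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(ext, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return message_id, result_code, diag.decode("utf-8"), response_name


# --- client state machine (hypothetical class, not the Net::LDAP API) -------
class StartTlsClient:
    def __init__(self, version=3, already_tls=False):
        self.version = version
        self.tls = already_tls              # True models an LDAPS connection
        self.next_id = 1
        self.pending = None

    def starttls_request(self):
        # The two refusals from the message above: never over an LDAPS
        # socket, and never before LDAPv3.
        if self.tls:
            raise RuntimeError("StartTLS on a connection that is already TLS")
        if self.version < 3:
            raise RuntimeError("StartTLS not supported before LDAPv3")
        self.pending = self.next_id
        self.next_id += 1
        return encode_starttls_request(self.pending)

    def handle_response(self, raw):
        message_id, code, diag, name = parse_extended_response(raw)
        if message_id != self.pending:
            raise RuntimeError("response for a different messageID")
        if name is not None and name != STARTTLS_OID:
            raise RuntimeError("responseName is not the StartTLS OID")
        if code != 0:                       # not success: stay plaintext, do not handshake
            raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, diag))
        self.pending = None
        self.tls = True                     # the handshake may begin now, on the same fd
        return True


def wrap_after_starttls(sock, server_hostname):
    """Where the Perl code calls socketToSSL: upgrade the same socket in place.
    Call only after handle_response() returned True."""
    ctx = ssl.create_default_context()      # verifies certificate chain and hostname
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

The request bytes this produces start 30 1d 02 01 01 77 18 80 16 followed by the OID in ASCII, which is what a packet capture of a StartTLS client shows. The point the state machine makes is the ordering: no TLS records are written until the ExtendedResponse with resultCode 0 has been read and matched to the pending messageID, and on any other result the connection is left as it was rather than silently continuing in plaintext.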