Hello,
I took over a service using the Perl Net::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and, if so, how I have to set that up?
Andreas
On 8/25/21 12:46 PM, A. Schulze wrote:
> I took over a service using the Perl Net::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and, if so, how I have to set that up?
What did you try and what failed?
Below here I assume you're probably struggling with cert validation.
Never used Net::LDAPapi myself but AFAICS it's a C module wrapper using libldap. libldap uses ldap.conf by default and/or the TLS-related env vars.
Thus I'd experiment by setting an env var before starting the process:
LDAPTLS_CACERT=/path/to/trusted-ca-certs.pem
Not sure whether Net::LDAPapi is still maintained though. Probably Quanah knows more about it.
Ciao, Michael.
--On Wednesday, August 25, 2021 1:46 PM +0200 "A. Schulze" sca@andreasschulze.de wrote:
> Hello,
> I took over a service using the Perl Net::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and, if so, how I have to set that up?
Yes, it's fully supported and has been as long as I've used it (about 2 decades now). For ldaps:// connections, you need to pass in an ldaps:/// URI. It will pull its defaults for TLS like any other libldap linked ldap application.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 25.08.21 at 17:43, Quanah Gibson-Mount wrote:
>> I took over a service using the Perl Net::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and, if so, how I have to set that up?
> Yes, it's fully supported and has been as long as I've used it (about 2 decades now). For ldaps:// connections, you need to pass in an ldaps:/// URI. It will pull its defaults for TLS like any other libldap linked ldap application.
Hello,
thanks, Quanah, for that clarification. I only found [1], which promises TLS support when built with a "Mozilla SDK". I also checked that I used ldaps:/// (with three /). LDAPTLS_CACERT was also set, as Michael suggested.
Today I tried to replace Net::LDAPapi with Net::LDAP. Changing the code was not that big a thing and at first try the service works. So I'm fine for now and suggest a complete application rewrite to a more modern architecture sometime next year.
Andreas
--On Thursday, August 26, 2021 8:57 PM +0200 "A. Schulze" sca@andreasschulze.de wrote:
> On 25.08.21 at 17:43, Quanah Gibson-Mount wrote:
>>> I took over a service using the Perl Net::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and, if so, how I have to set that up?
>> Yes, it's fully supported and has been as long as I've used it (about 2 decades now). For ldaps:// connections, you need to pass in an ldaps:/// URI. It will pull its defaults for TLS like any other libldap linked ldap application.
> Hello,
> thanks, Quanah, for that clarification. I only found [1], which promises TLS support when built with a "Mozilla SDK". I also checked that I used ldaps:/// (with three /). LDAPTLS_CACERT was also set, as Michael suggested.
ldaps:/// wouldn't be valid by itself, unless you were connecting to the localhost.
I.e., ldaps://my.domain.com:636/ would be valid (or just ldaps://my.domain.com/ if listening on 636 by default).
The documentation hasn't been touched in years. I don't think it even supports compiling against the abandoned Mozilla SDK at this point. It will support whatever support libldap has been compiled with.
The primary reason to use Net::LDAPapi is if speed is a concern, as it is significantly faster than Net::LDAP. If it isn't a concern, then Net::LDAP is fine.
Generally I consider Net::LDAPapi abandonware.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
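
A pre-flight check for the two points raised in this thread (an ldaps:/// URI with no host, and the LDAPTLS_CACERT setting), as an added example that is not from any poster or from Net::LDAPapi. The function names are made up here, and the LDAPTLS_REQCERT check is an addition based on the environment-variable convention in ldap.conf(5).

```shell
#!/bin/sh
# Added example: checks to run before a libldap-linked client opens ldaps://.

# Print host and port for an ldaps:// URI.
# Returns 0 = usable, 1 = not ldaps://, 2 = empty host (only reaches localhost).
check_ldaps_uri() {
    uri=$1
    case $uri in
        ldaps://*) rest=${uri#ldaps://} ;;
        *) echo "not an ldaps:// URI: $uri"; return 1 ;;
    esac
    hostport=${rest%%/*}    # authority part, up to the first "/"
    case $hostport in
        '')    echo "empty host: $uri only reaches a server on localhost"; return 2 ;;
        \[*\]) echo "host=$hostport port=636" ;;    # bare IPv6 literal, default port
        *:*)   echo "host=${hostport%:*} port=${hostport##*:}" ;;
        *)     echo "host=$hostport port=636" ;;    # 636 is the ldaps default
    esac
}

# Check the TLS-related environment that libldap reads.
# Returns 0 only when LDAPTLS_CACERT names a readable PEM file and
# LDAPTLS_REQCERT does not relax server-certificate verification.
check_tls_env() {
    rc=0
    case ${LDAPTLS_REQCERT:-demand} in
        never|allow)
            echo "LDAPTLS_REQCERT=$LDAPTLS_REQCERT: server certificate is not enforced"
            rc=1 ;;
    esac
    if [ -z "${LDAPTLS_CACERT:-}" ]; then
        echo "LDAPTLS_CACERT is unset: trust anchors must come from ldap.conf"
        rc=1
    elif [ ! -r "$LDAPTLS_CACERT" ]; then
        echo "LDAPTLS_CACERT=$LDAPTLS_CACERT is not readable by this user"
        rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$LDAPTLS_CACERT"; then
        echo "LDAPTLS_CACERT=$LDAPTLS_CACERT contains no PEM certificate"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh preflight.sh ldaps://my.domain.com/
if [ $# -gt 0 ]; then
    check_ldaps_uri "$1" && check_tls_env
fi
```

Run it as the same user and with the same environment as the service, since libldap reads these variables from the process that loads it.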