machines:
- debian wheezy
- suse 11
commands:
ldapsearch -ZZ -h ad.unsw.edu.au -x
perl -we "use Net::LDAP; print Net::LDAP->new ('ad.unsw.edu.au')->start_tls(verify => 'require', capath => '/etc/ssl/certs/')->{errorMessage}"
results:
- machine 1, command 1: TLS: hostname does not match CN in peer certificate
- machine 1, command 2: works
- machine 2, command 1: works
- machine 2, command 2: Cannot determine peer hostname for verification
I can't explain the inconsistency and I really want command 2 to work on machine 2. Any ideas?
After an strace, it looks like debian-ldapsearch is looking at /etc/ssl/certs/ca-certificates.crt and suse-ldapsearch is looking at NOTHING. debian-Net::LDAP is looking at /etc/ssl/certs/157753a5.? (AddTrust_External_Root.pem) and suse-Net::LDAP is looking at NOTHING.
You should check that the "CN" part of the remote SSL certificate's subject is the same as the hostname of the LDAPS server in your commands (ad.unsw.edu.au).
To see the remote certificate use:
Full details:
Check that the issuer's root certificate is imported and trusted in the ldap (see OpenLDAP SSL documentation) and perl SSL keystore (see IO::Socket::SSL). If it is a self-signed certificate, then that certificate should be added to the trusted SSL keychain.
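An added diagnostic script for the checks above (not code from this thread or from perl-ldap). It assumes the hostname and CA directory from the question, and that Net::LDAP's socket() method returns the IO::Socket::SSL object once start_tls has completed; it prints what the server actually presents, tests the hostname against it, and then attempts the strictly verified StartTLS from command 2.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the original thread: show the certificate the
# LDAP server presents, check it against the hostname, then attempt a
# StartTLS with chain and hostname verification enforced.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $host   = shift || 'ad.unsw.edu.au';   # hostname from the question
my $capath = '/etc/ssl/certs/';           # CA directory from the question

# Version line first: the thread blames perl-ldap 0.43 for the "Cannot
# determine peer hostname" error, so this is the quickest thing to compare.
printf "Net::LDAP %s, IO::Socket::SSL %s\n",
    $Net::LDAP::VERSION, $IO::Socket::SSL::VERSION;

# Step 1: inspect what the server presents. Verification is deliberately
# off on this throwaway session so the handshake completes even with a
# bad chain or CN; nothing is searched or bound over it.
my $peek = Net::LDAP->new($host) or die "connect: $@";
my $m = $peek->start_tls(verify => 'none');
die "start_tls (inspect): ", $m->error if $m->code;
my $ssl = $peek->socket;                  # assumed: now an IO::Socket::SSL
print "subject CN : ", $ssl->peer_certificate('commonName') // '', "\n";
my @san = $ssl->peer_certificate('subjectAltNames');   # (type, value) pairs
while (my ($type, $val) = splice @san, 0, 2) {
    print "SAN        : $val\n" if $type == 2;          # 2 = GEN_DNS
}
print "issuer     : ", $ssl->peer_certificate('issuer'), "\n";
# IO::Socket::SSL's own hostname check, using its 'ldap' scheme (CN or DNS SAN).
print "hostname ok: ",
    ($ssl->verify_hostname($host, 'ldap') ? 'yes' : 'NO'), "\n";
$peek->unbind;

# Step 2: the real connection, as in command 2 of the question.
my $ldap = Net::LDAP->new($host) or die "connect: $@";
$m = $ldap->start_tls(verify => 'require', capath => $capath);
if ($m->code) {
    print "verified StartTLS FAILED: ", $m->error, "\n";
} else {
    print "verified StartTLS OK, cipher ", $ldap->socket->get_cipher, "\n";
}
$ldap->unbind;
```

If step 1 reports "hostname ok: NO" the certificate itself is the problem; if it reports yes and step 2 still fails, the failure is in the verifying client (CA path or the perl-ldap version) rather than in the server's certificate.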
Net::LDAP::start_tls() is broken in perl-ldap-0.43. Your command-line should work fine if you upgrade to 0.44 or later. This is documented in the Changes file:
http://cpansearch.perl.org/src/MARSCHAP/perl-ldap-0.44/Changes
line 233 of Net/LDAP.pm in Net::LDAP 0.43 says
debian wheezy is using 0.40, but upgrading to 0.43 from unstable breaks it as well.
https://rt.cpan.org/Public/Bug/Display.html?id=70795