[Catalyst] C:P:A:Store::LDAP start_tls problems

Gavin Henry ghenry at perl.me.uk
Mon Mar 27 12:04:39 CEST 2006


<quote who="Scott Karns">
> Has anyone successfully used C:P:A:Store::LDAP with a
> cafile, clientcert, and clientkey specified and
> running on apache2/mod_perl? I get the following error
> when I attempt to authenticate with these ldap tls
> options set:
>
> TLS Error: Operations error at
> /usr/lib/perl5/vendor_perl/5.8.7/Catalyst/Plugin/Authentication.pm
> line 126
>
> Even with the verify option set to none, if these
> start_tls_options are specified in the
> authentication->ldap section of my config, I get "TLS
> Error: Operations error...".
>
> Relevant section of my config.yml:
>
> authentication:
> #
> # Config for Authentication::Store::LDAP
> #
>   ldap:
>     ldap_server: ldap.myserver.tld
>     ldap_server_options:
>       timeout:   30
>     binddn:      anonymous
>     bindpw:      ''
>     start_tls:   1
>     start_tls_options:
>       verify:    none
>       cafile:    /etc/ssl/My-cachain.pem
>       clientcert: /etc/ssl/ldap/myserver-cert.pem
>       clientkey: /etc/ssl/ldap/myserver-key.pem

These settings are wrong.

You only need to set the CACert to connect. The client certs are for
connecting to the server with different client certs that have been signed
by your CA, not the server's certs.

Think of it as normal HTTPS, you don't have a client cert set in Firefox
to go to a HTTPS url ;-)

See our guide in the Samba Book at:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ch-ldap-tls.html#s1-test-ldap-tls

So in summary, put the CAcert in your LDAP client ldap.conf, test on the
command line with the command below, replacing your baseDN:

root#  ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
        -H 'ldap://ldap.abmas.biz:389' -ZZ


And post the results ;-)

Sorry if you already have done and know all this already ;-)

Thanks,

Gavin.


>
> Ultimately I'm trying to track the source of these
> errors:
>
> Deep recursion on subroutine
> "IO::Socket::SSL::SSL_HANDLE::FILENO" at
>         /usr/lib/perl5/5.8.7/i386-linux/IO/Handle.pm
> line 383, <DATA> line 283 (#1)
>     (W recursion) This subroutine has called itself
> (directly or indirectly)
>     100 times more than it has returned.  This
> probably indicates an
>     infinite recursion, unless you're writing strange
> benchmark programs, in
>     which case it indicates something else.
>
> Deep recursion on subroutine "IO::Socket::SSL::fileno"
> at
>
> /usr/lib/perl5/vendor_perl/5.8.7/IO/Socket/SSL.pm line
> 550, <DATA> line 283 (#1)
> Deep recursion on subroutine "IO::Handle::fileno" at
>
> /usr/lib/perl5/vendor_perl/5.8.7/IO/Socket/SSL.pm line
> 334, <DATA> line 283 (#1)
>
> I've isolated occurrences of the above errors to having
> start_tls set to 1 in config->{authentication}->{ldap}
> The error does not occur with every auth attempt, only
> occasionally.

This will be because you are trying to connect and set up the encryption
with the same certs, i.e. connect with the server certs as the client's
certs, so they are going round and round trying to set up the TLS session.

>
> With everything else untouched and start_tls set to 0,
> I cannot reproduce the deep recursion error.
>
>
> Thanks in advance for any help or insights you might
> provide,
> -Scott
>
>
> _______________________________________________
> Catalyst mailing list
> Catalyst at lists.rawmode.org
> http://lists.rawmode.org/mailman/listinfo/catalyst
>
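As an added example (not from the original post, and not code from Catalyst::Plugin::Authentication::Store::LDAP), here is a stand-alone Net::LDAP script that does the same STARTTLS negotiation the plugin performs with the settings Gavin describes: only a CA file, the clientcert/clientkey options removed, and verify raised from none to require so the server certificate is actually checked against that CA. The host, base DN and CA path are the ones from the thread; the script structure and the choice of attributes are my own assumptions, built on Net::LDAP's documented start_tls, bind, search and cipher methods.

```perl
#!/usr/bin/perl
# Added example (not from the original post): stand-alone STARTTLS check
# with Net::LDAP, mirroring what C:P:A:Store::LDAP does on your behalf.
# Host, base DN and CA file are those from the thread; everything else
# (script layout, attribute list) is my own assumption.
use strict;
use warnings;
use Net::LDAP;

my $host   = 'ldap.myserver.tld';
my $base   = 'dc=ldap,dc=abmas,dc=biz';    # replace with your baseDN
my $cafile = '/etc/ssl/My-cachain.pem';

# Plain connection first; TLS is negotiated afterwards with STARTTLS,
# which is why the URL in the thread uses ldap:// on 389, not ldaps://.
my $ldap = Net::LDAP->new($host, port => 389, timeout => 30)
    or die "connect to $host failed: $@\n";

# Only the CA chain is supplied. verify => 'require' makes Net::LDAP
# (via IO::Socket::SSL) fail the handshake unless the server certificate
# chains to that CA; verify => 'none' encrypts but checks nothing, so a
# man-in-the-middle with any certificate would be accepted.
# clientcert/clientkey are deliberately absent: they are only for servers
# that demand a client certificate, and that must be a separate client
# cert signed by your CA, never the server's own keypair.
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);
die 'STARTTLS failed: ' . $mesg->error . "\n" if $mesg->code;
printf "TLS up, cipher %s\n", $ldap->cipher;

# Anonymous bind, as in the posted config (binddn: anonymous, bindpw: '').
$mesg = $ldap->bind;
die 'anonymous bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Equivalent of the ldapsearch -ZZ test: a base-scope read of the suffix.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['1.1'],    # no attributes, just confirm the entry is readable
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
printf "search OK, %d entry returned for %s\n", $mesg->count, $base;

$ldap->unbind;
```

If this script fails at the start_tls step with the clientcert/clientkey lines removed, the problem is in the CA chain or the server's certificate rather than in Catalyst; if it succeeds here but the plugin still reports "TLS Error", compare the start_tls_options in config.yml against the two options used above. Once this passes, the same two options (verify: require, cafile) are what belong under start_tls_options, since verify: none leaves the connection encrypted but unauthenticated.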
