[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS, integrity and root DSE


When trying to require integrity for LDAP connections by specifying "ssf=1" in Security, I have a problem with Perl where the cat bites its tail:

It's recommended to query the root DSE for TLS extension before trying to use TLS like this:

my $dse = $ldap->root_dse();

if ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
        my $msg = $ldap->start_tls('verify' => 'require',
                                   'capath' => '/etc/ssl/certs');

Unfortunately the root_dse() fails with the security restriction: "confidentiality required"

Note: The manual says: "0  (zero)  implies  no  protection,  1  implies integrity  protection only"

So is "confidentiality" actually "integrity" here, and are here any solutions to this problem?

Ulrich Windl