
Re: TLS, integrity and root DSE

--On Wednesday, July 24, 2013 4:08 PM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:


When trying to require integrity for LDAP connections by specifying
"ssf=1" in Security, I have a problem with Perl where the cat bites its

It's recommended to query the root DSE for TLS extension before trying to
use TLS like this:

my $dse = $ldap->root_dse();

if ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) {
        my $msg = $ldap->start_tls('verify' => 'require',
                                   'capath' => '/etc/ssl/certs');

Personally, I just always try to startTLS regardless. Then you can decide whether or not you wish to continue after that point based on whether or not it succeeds or fails.



Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
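
The approach described in the reply above (attempt StartTLS unconditionally, then decide based on the result), as an added example that is not part of the original message. The names require_tls, StubLDAP and StubMessage are hypothetical; the stubs are constructed stand-ins for a Net::LDAP connection, whose start_tls returns a message object with code and error methods, so the script runs without a directory server.

```perl
use strict;
use warnings;

# Upgrade an LDAP connection with StartTLS without consulting the root DSE
# first. $ldap is any object offering Net::LDAP's start_tls/unbind methods.
# Returns the connection on success; dies (fails closed) on any error, so no
# bind or search is ever sent over the cleartext connection.
sub require_tls {
    my ($ldap, %tls_opts) = @_;
    # verify => 'require' comes last so a caller cannot weaken it.
    my $msg = $ldap->start_tls(%tls_opts, verify => 'require');
    if ($msg->code) {
        my $why = sprintf 'StartTLS refused (code %d): %s', $msg->code, $msg->error;
        $ldap->unbind;    # drop the connection instead of continuing in cleartext
        die "$why\n";
    }
    return $ldap;
}

# --- Constructed stand-ins for Net::LDAP, so the example runs offline ---
package StubMessage {
    sub new   { my ($c, %a) = @_; bless { %a }, $c }
    sub code  { $_[0]{code} }
    sub error { $_[0]{error} }
}
package StubLDAP {
    sub new       { my ($c, %a) = @_; bless { %a, open => 1 }, $c }
    sub start_tls { StubMessage->new(code => $_[0]{tls_code}, error => $_[0]{tls_error}) }
    sub unbind    { $_[0]{open} = 0 }
}

# Constructed case A: the server accepts StartTLS (result code 0 = success).
my $ok = StubLDAP->new(tls_code => 0, tls_error => '');
require_tls($ok, capath => '/etc/ssl/certs');
print "server A: TLS up, safe to bind\n";

# Constructed case B: the server answers StartTLS with protocolError (2).
my $bad = StubLDAP->new(tls_code => 2, tls_error => 'unsupported extended operation');
eval { require_tls($bad, capath => '/etc/ssl/certs'); 1 }
    or print "server B: $@";
print "server B connection open: ", ($bad->{open} ? "yes" : "no"), "\n";
```

With a real server, pass the object returned by Net::LDAP->new to require_tls; the root DSE can then be read over the protected connection if it is still needed.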