SSL support for LDAP backends

hi! Are there some plans to add SSL support for LDAP (e.g. with Net::LDAPS)? The latest Kernel/System/CustomerUser/LDAP.pm doesn't look "ssl ready".
--
Liebe Gruesse, with best regards
Stephan Lauffer
[ Pedagogical University Freiburg - Germany ] [ http://www.ph-freiburg.de/zik/ ] [ Fon/ Fax: +49 761 682 -459/ -486 ]

On Wednesday, March 17, 2004 8:12 AM
Stephan Lauffer
are there some plans to add SSL support for LDAP (e.g. with Net::LDAPS)?
We are SSL-ready when it comes to LDAP, as LDAP.pm hands over any setting you make to Net::LDAP. The latter is SSL-aware already, no real need for Net::LDAPS, which I believe is merely a wrapper to Net::LDAP.

As a precaution, make sure that IO::Socket::SSL _and_ its dependency Net::SSLeay are installed. Yes, OpenSSL isn't enough in this case - no way around. Get both from CPAN at last:
http://search.cpan.org/~behroozi/IO-Socket-SSL-0.95/
http://search.cpan.org/~sampo/Net_SSLeay.pm-1.25/

So prepared, try out these settings - it worked like a charm for me against an OpenLDAP server just by using ldaps:// in the Host definition, nothing more was required. If you don't succeed, play a bit with the commented options.

    $Self->{CustomerUser} = {
        # ...more settings here...
        Host => 'ldaps://ldap.example.com',
        Params => {
            # ...more settings here...
            version => 3,                  # ldaps only works with LDAPv3
            # sslversion => 'sslv2/3',     # defaults to: 'tlsv1'
            # verify     => 'require',
            # clientcert => '/path/to/cert.pem',
            # clientkey  => '/path/to/key.pem',
            # keydecrypt => sub { 'secret'; },
            # capath     => '/path/to/servercerts/',
        },
        # ...more settings here...
    };

A comprehensive description of all possible settings is maintained here:
http://search.cpan.org/~gbarr/perl-ldap-0.31/lib/Net/LDAP.pod#start_tls

For sure, you may use this not only for the CustomerUser data, but for all your ldap connections.

hth,
Robert Kehl
--
((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg
http://www.otrs.de/ :: Tel. +49 (0)6172 4832388
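An added example, not code from this thread or from OTRS, showing what the commented-out options in the reply above actually buy you. Net::LDAP's verify option defaults to 'none', so with only ldaps:// in the Host definition the session is encrypted but the server certificate is never checked: anything on the network path that presents some certificate can terminate the TLS session and read the bind password. The script below opens the same kind of connection from the command line with verification required against a directory of trusted CA certificates, binds, and reads the rootDSE, so a wrong CA path or an untrusted server certificate fails loudly before the settings go into Kernel/Config.pm. The hostname, bind DN, CA directory and the LDAP_BIND_PW environment variable are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not from the OTRS thread or the OTRS code base): connect to
# an LDAP server over ldaps:// with Net::LDAP and refuse the connection unless
# the server certificate chains to a CA we trust.
# Host, CA directory, bind DN and the password variable are assumptions.
use strict;
use warnings;
use Net::LDAP;

my $host    = 'ldaps://ldap.example.com';               # assumed
my $capath  = '/etc/ssl/ldap-ca/';                       # assumed: c_rehash'ed dir of CA certs
my $bind_dn = 'cn=otrs,ou=services,dc=example,dc=com';   # assumed
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# verify => 'require' makes IO::Socket::SSL reject any server whose certificate
# does not chain to a CA under capath. Left out, Net::LDAP uses verify => 'none':
# the channel is encrypted but the peer is not authenticated.
my $ldap = Net::LDAP->new(
    $host,
    version => 3,           # ldaps only works with LDAPv3
    verify  => 'require',
    capath  => $capath,
    timeout => 10,
) or die "cannot connect to or verify $host: $@\n";

# Only now is it safe to send the password: the peer has proven who it is.
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Sanity check over the verified channel: the rootDSE is readable on any
# LDAPv3 server, so a failure here points at the bind, not at the directory.
my $root = $ldap->search(base => '', scope => 'base', filter => '(objectClass=*)');
die 'rootDSE search failed: ' . $root->error . "\n" if $root->code;

printf "connected to %s, cipher %s, %d rootDSE entry read\n",
    $host, $ldap->cipher, $root->count;

$ldap->unbind;
```

In Kernel/Config.pm the same effect comes from uncommenting verify => 'require' and capath in the Params hash shown above, since, as the reply says, LDAP.pm hands those settings straight to Net::LDAP. Leave sslversion at its default rather than setting 'sslv2/3', which would let the client negotiate SSLv2 or SSLv3 with the server.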

On Wed, Mar 17, 2004 at 12:28:04PM +0100
Robert Kehl
We are SSL-ready when it comes to LDAP, as LDAP.pm hands over any setting you make to Net::LDAP.
hi! Thanks - I hoped that I only needed to take care of LDAP.pm. I just wasn't sure.
--
Liebe Gruesse, with best regards
Stephan Lauffer
[ Pedagogical University Freiburg - Germany ] [ http://www.ph-freiburg.de/zik/ ] [ Fon/ Fax: +49 761 682 -459/ -486 ]

On Monday, March 22, 2004 12:47 PM
Stephan Lauffer
Thanks - I hoped that I only needed to take care of LDAP.pm. I just wasn't sure.
Please note additionally that we might have a bug in it. When you have prepared your system for using ldaps://, have a look in your logs for something similar to this:

    (in cleanup) Can't call method "CLOSE" on an undefined value at /usr/lib/perl5/site_perl/5.8.0/Net/LDAP.pm line 808 during global destruction.

If so, I would like you to file a bug report on http://bugs.otrs.org/, as we then have to look over the code.

Regards,
Robert Kehl
--
((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg
http://www.otrs.de/ :: Tel. +49 (0)6172 4832388