Hi Quanah,
On Fri May 18 16:55:07 2012, MISHIKAL wrote:
> It is perfectly reasonable to execute a startTLS over an LDAPI
> connection. You can test this quite easily with ldapsearch:
>
> zimbra@zre-ldap002:~$ ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b ""
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
>
>
> However, if you use Net::LDAP(I) and try to execute startTLS over an
> ldapi connection, it fails with:
>
> TLS: SSL connect attempt failed with unknown errorerror:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
sorry for not coming back to this issue earlier.
This does not mean that I've been idle w.r.t. this issue.
I had a long discussion with the IO::Socket::SSL maintainer in
the bug
https://rt.cpan.org/Ticket/Display.html?id=77691
There is a solution to this issue, but not the one that you expect:
the parameter 'sslserver' of Net::LDAP->start_tls()
If you set this parameter correctly, then the certificate verification works,
and start_tls works on ldapi:// connections.
Without the 'sslserver' parameter, Net::LDAP has no way of knowing which
server name to use for the certificate verification.
If you don't mind, I will close this bug as resolved.
Best
PETer
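The workaround described in this reply, as an added example that is not part of the ticket or of Net::LDAP's own code: start_tls over an ldapi:// socket first without and then with 'sslserver'. The socket path, CA file and server name are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): start_tls over an ldapi:// connection with
# Net::LDAP. Socket path, CA file and the name the server certificate was issued
# for are assumptions; substitute the values of your own installation.
use strict;
use warnings;
use Net::LDAP;

# Unix-domain socket of the local slapd; the path is percent-encoded in the URI.
my $uri  = 'ldapi://%2Fvar%2Frun%2Fldapi';   # assumption: default OpenLDAP socket
my $ca   = '/etc/ssl/certs/ldap-ca.pem';     # assumption: CA that signed the server cert
my $name = 'ldap.example.com';               # assumption: CN/SAN in the server certificate

my $ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@";

# Without 'sslserver' there is no host name on a socket connection to check the
# certificate against, so verify => 'require' fails with "certificate verify failed".
my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca);
print "start_tls without sslserver: ", ($mesg->code ? $mesg->error : 'ok'), "\n";

# Reconnect and pass the expected server name so that verification can succeed.
$ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@";
$mesg = $ldap->start_tls(verify => 'require', cafile => $ca, sslserver => $name);
die 'start_tls failed: ' . $mesg->error if $mesg->code;

# Same check as the ldapsearch in the ticket: read the root DSE over the TLS-wrapped socket.
$mesg = $ldap->bind;    # anonymous bind
die 'bind failed: ' . $mesg->error if $mesg->code;
$mesg = $ldap->search(base => '', scope => 'base',
                      filter => '(objectClass=*)', attrs => ['objectClass']);
die 'search failed: ' . $mesg->error if $mesg->code;
for my $e ($mesg->entries) {
    print $e->dn, ': ', join(', ', $e->get_value('objectClass')), "\n";
}
$ldap->unbind;
```

With verify => 'none' the first call would also succeed, but then the server certificate is not checked at all; 'sslserver' is what lets you keep verification on.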