From brendon.oliver at gmail.com Sun Sep 25 16:42:18 2016
From: brendon.oliver at gmail.com (Brendon Oliver)
Date: Mon, 26 Sep 2016 09:42:18 +1000
Subject: [Melbourne-pm] Net::LDAPS usage
Message-ID:

Greetings all,

I'm working on a rather old mod-perl (yes, apache 1.3) application which has a substantial dependency on a directory server elsewhere on the network, so uses Net::LDAP for all connections & directory searches. Most connections use anonymous binds on-demand when performing a lookup against the directory.

Anyway, the existing directory server is being retired and its replacement requires secure, authenticated connections, meaning a switch to using Net::LDAPS to enable the secure connection. Problem is, I'm a little concerned about the following comment in the BUGS section of the Net::LDAPS pod:

    You cannot have more than one LDAPS connection at any one time, due to restrictions in the underlying Net::SSLeay code.

Can anyone shed any light on what this restriction might be that's imposed by Net::SSLeay? I've been digging around but don't really understand what that module's doing.

Due to the large number of on-demand connections made from the mod-perl application to the directory server, I've wrapped the Net::LDAPS object inside a Class::Singleton, which appears to work ok in testing, but I'm wondering if I'm missing something that might present a problem later. I'm hoping that a singleton object within each mod-perl process will be sufficient to work around the Net::LDAPS issue.

In case it matters: the mod-perl application treats the directory service as a read-only medium (only searches, no updates).

Thoughts anyone?

Cheers,

- Brendon.

From toby.corkindale at strategicdata.com.au Sun Sep 25 18:32:35 2016
From: toby.corkindale at strategicdata.com.au (Toby Corkindale)
Date: Mon, 26 Sep 2016 11:32:35 +1000
Subject: [Melbourne-pm] Net::LDAPS usage
In-Reply-To:
References:
Message-ID: <3370483.V8K7eLrXJq@adonai>

On Monday, 26 September 2016 9:42:18 AM AEST Brendon Oliver wrote:
> Anyway, the existing directory server is being retired and its replacement
> requires secure, authenticated connections, meaning a switch to using
> Net::LDAPS to enable the secure connection. Problem is, I'm a little
> concerned about the following comment in the BUGS section of the Net::LDAPS
> pod:
>
> You cannot have more than one LDAPS connection at any one time, due to
> restrictions in the underlying Net::SSLeay code.
>

I'm sure you can have multiple connections between a client and the server, as long as every connection is on a separate process (which is highly likely to be the case in your application).

If you are using the "threaded" version of mod_perl, I would be very worried right now. But if you're on a forking version, you'll be ok.

(And I very much doubt you're on the threaded one... it was never seriously usable, although probably due to Perl threading issues rather than its own.)
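Putting the two posts together (Brendon's per-process singleton and Toby's "one connection per process" condition), here is an added example of a fork-aware connection holder for a prefork mod_perl application; it is not code from either poster and uses a plain package variable instead of Class::Singleton so that the pid check is explicit. The package name, host, CA file path, bind DN and search base are assumptions.

```perl
package My::LDAPS;   # hypothetical package name
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed settings; a real deployment reads these from protected config.
my %CFG = (
    host    => 'ldaps.example.internal',
    port    => 636,
    cafile  => '/etc/ssl/certs/internal-ca.pem',
    bind_dn => 'cn=webapp,ou=services,dc=example,dc=internal',
    bind_pw => 'PLACEHOLDER-read-from-secure-config',
);

# One connection per process, tagged with the pid that opened it.
my ($conn, $owner_pid);

sub instance {
    # Reconnect if there is no connection yet, or if this process inherited
    # one across fork() (e.g. opened in the Apache parent at startup).
    # Two processes must never drive the same TLS session.
    if (!defined $conn || $owner_pid != $$) {
        undef $conn;   # let the inherited object go; do not unbind on the parent's behalf
        $conn = Net::LDAPS->new(
            $CFG{host},
            port   => $CFG{port},
            verify => 'require',    # refuse servers not chaining to our CA
            cafile => $CFG{cafile},
        ) or die "LDAPS connect to $CFG{host} failed: $@";
        my $mesg = $conn->bind($CFG{bind_dn}, password => $CFG{bind_pw});
        die 'LDAPS bind failed: ' . $mesg->error if $mesg->code;
        $owner_pid = $$;
    }
    return $conn;
}

# Read-only lookup, as in the original application.  The uid is escaped so
# that caller-supplied input cannot alter the filter structure.
sub lookup_uid {
    my ($uid) = @_;
    my $res = instance()->search(
        base   => 'ou=people,dc=example,dc=internal',
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => ['cn', 'mail'],
    );
    die 'LDAPS search failed: ' . $res->error if $res->code;
    return $res->entries;
}

1;
```

Each Apache child that calls `My::LDAPS::lookup_uid` thus ends up with exactly one authenticated, certificate-verified LDAPS session of its own, which is the situation Toby's reply describes as safe.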