Currently I'm working on setting up a spam processing cluster of computers.
All was going well until I got to the point of testing the content filter (amavisd-new).
The user prefs for everyone's spam settings are stored in our OpenLDAP server.
When I gave the filter the RCPT TO line and it tried to do a lookup, crash! The child process died a horrible death.
I got to looking around, and a simple Perl Net::LDAP script dies on TLS authentication.
What I found out is that there is apparently a bug in OpenLDAP, and to get Perl to work with it you will need to specify the cipher to use explicitly.
Use this to find out the cipher being used by the server:
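use IO::Socket::SSL;
# Connect to the LDAPS port and report the cipher the server negotiates.
my $ssl = IO::Socket::SSL->new("ldapserver.internet.com:636")
    or die "TLS connect failed: $SSL_ERROR";
print "SSL Cipher: " . $ssl->get_cipher() . "\n";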
My cipher was AES256-SHA.
Then place that in the start_tls() method call in a Net::LDAP script:
Also, don't forget to require verify and explicitly point out the server cert, just to be safe.
use Net::LDAP;
my $ldap = Net::LDAP->new("ldapserver.internet.com") or die "$@";
# Insecure alternative (no certificate verification), left disabled:
#$mesg = $ldap->start_tls( verify => 'none', );
# Require a valid server certificate, name the CA file and set the cipher.
my $mesg = $ldap->start_tls(
    verify  => 'require',
    cafile  => '/etc/pki/tls/certs/tccCA.pem',
    ciphers => 'AES256-SHA',
);
$mesg->code && die $mesg->error;
$mesg = $ldap->bind;    # anonymous bind
$mesg->code && die $mesg->error;
$mesg = $ldap->search( base => "ou=accounts,dc=tcc,dc=nmt,dc=edu", filter =>
"(uid=khan)" );
$mesg->code && die $mesg->error;
foreach my $entry ($mesg->entries) { $entry->dump; }
$mesg = $ldap->unbind;
This had me running around for over an hour. Stupid Perl, Stupid Ldap.
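The probe above reads the cipher from the LDAPS port, while the script that needs it uses StartTLS. As an added example (not code from the original post), this sketch picks the cipher to set by attempting a verified StartTLS handshake with each candidate in turn; the host and CA path are the ones used above, and the candidate list and `try_cipher` helper are assumptions to adapt.

```perl
#!/usr/bin/perl
# Added example: choose the cipher by testing StartTLS itself, with
# certificate verification on, instead of copying it from a separate probe.
use strict;
use warnings;
use Net::LDAP;

my $host   = 'ldapserver.internet.com';          # host from the post
my $cafile = '/etc/pki/tls/certs/tccCA.pem';     # CA file from the post
# Assumed preference order: forward-secret AEAD suites first, then the
# post's AES256-SHA (RSA key exchange, CBC mode) as the last resort.
my @candidates = qw(
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    AES256-SHA
);

# Returns (negotiated cipher, undef) on success or (undef, reason) on failure.
# A fresh connection is used per attempt: a failed handshake leaves the
# socket unusable.
sub try_cipher {
    my ($cipher) = @_;
    my $ldap = Net::LDAP->new($host, timeout => 10)
        or return (undef, "connect: $@");
    # start_tls may die rather than return an error message, so trap it.
    my $mesg = eval {
        $ldap->start_tls(verify => 'require', cafile => $cafile,
                         ciphers => $cipher);
    };
    return (undef, "start_tls died: $@") unless $mesg;
    return (undef, $mesg->error) if $mesg->code;
    my $negotiated = $ldap->cipher;   # undef if the session is not encrypted
    $ldap->unbind;
    return (undef, 'handshake reported success but no cipher is active')
        unless defined $negotiated;
    return ($negotiated, undef);
}

for my $cipher (@candidates) {
    my ($got, $err) = try_cipher($cipher);
    if (defined $got) {
        # The negotiated name can differ from the requested one; print both.
        print "OK   $cipher (negotiated $got)\n";
        print "Use: ciphers => '$cipher'\n";
        exit 0;
    }
    print "FAIL $cipher: $err\n";
}
die "No candidate cipher completed a verified StartTLS handshake\n";
```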