Perl LDAPS and Certificate#By default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.
For a truly secure session, this attribute should be set:
verify => 'require'
This requires some additional setup. Every LDAP server has a certificate signed by the Organizational CA of the eDirectory tree (e.g. B1LDAP-QA) that it is part of. eDirectory provides tools to export X.509 certificates in .der and .b64 encoded formats. Perl's Net::LDAPS needs certificates that are PEM encoded.
openssl x509 -in CA.der -inform der -out CA.pem -outform PEM
capath => '/path/to/servercerts/'
cafile => '/path/to/servercert.pem'
When verifying the server's certificate, either set capath to the pathname of the directory containing CA certificates, or set cafile to the filename containing the certificate of the CA who signed the server's certificate. These certificates must all be in PEM format. The directory in 'capath' must contain certificates named using the hash value of the certificates' subject names. To generate these names, use OpenSSL like this in Unix: ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0 (assuming that the certificate of the CA is in cacert.pem.)
#!/bin/bash #:der2pem.sh for file in `ls *.der`; do echo "Processing $file..." export PEMfile="`basename $file .der`.pem" openssl x509 -in $file -inform der -out $PEMfile -outform PEM ln -s $PEMfile `openssl x509 -hash -noout < $PEMfile`.0 done