Setting up Perl to Access LDAPS#
Perl on Win32#You can install Net::LDAP using PPM.
set HTTP_proxy=http://httpoh2.[Directory-Info.com].net:8080 set FTP_proxy=http://httpoh2.[Directory-Info.com].net:8080 ppm ppm> install perl-ldapSome required modules to make LDAPS function are not available via PPM. So that means the missing binaries for Win32 must be compiled.
Compiling isn't too hard if you have the C compiler and all of the needed header files... but it can be a bit daunting if you don't have access to all of the right tools.
The binaries were recently compiled on a Windows XP workstation with "OpenSSL 0.9.7g 11 Apr 2005" source; the results may be transferrable to other W32 machines with some care.
- Extract the contents of sitelibLDAPS.tar.gz to a temp directory. Then copy the contents to your Perl\site\lib directory. To do this without back-dating any files that you just installed through PPM:xcopy /sdy yourtempdir C:\Perl\site\lib
- Copy the files ssleay32.dll and libeay32.dll to a directory in your system path (e.g. C:\WINNT\system32).
Perl on Linux#Install these RPM's:
Start a CPAN shell:
perl -MCPAN -e shell
Follow the prompts. When CPAN is configured and able to retrieve modules, run these commands:
force install Digest::MD5
This will likely fail (version 2.33). But it seems to install the .pm file, and that is all we really need.
Follow the prompts. If it completes without errors, then you are done. If it doesn't finish, you'll need to figure out what is missing, exit the shell, and try again.
By default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.
For a truly secure session, this attribute should be set:
verify => 'require'
This requires some additional setup. Every LDAP server has a certificate signed by the Organizational CA of the eDirectory tree (e.g. B1LDAP-QA) that it is part of. eDirectory provides tools to export X.509 certificates in .der and .b64 encoded formats. Perl's Net::LDAPS needs certificates that are PEM encoded. OpenSSL provides a conversion tool:
openssl x509 -in CA.der -inform der -out CA.pem -outform PEM
capath => '/path/to/servercerts/'
cafile => '/path/to/servercert.pem'
When verifying the server's certificate, either set capath to the pathname of the directory containing CA certificates, or set cafile to the filename containing the certificate of the CA who signed the server's certificate. These certificates must all be in PEM format. The directory in 'capath' must contain certificates named using the hash value of the certificates' subject names. To generate these names, use OpenSSL like this in Unix: ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0 (assuming that the certificate of the CA is in cacert.pem.)
To create PEM encoded certificates from a directory full of .der files, here is a script to help accomplish the task:
#!/bin/bash #:der2pem.sh for file in `ls *.der`; do echo "Processing $file..." export PEMfile="`basename $file .der`.pem" openssl x509 -in $file -inform der -out $PEMfile -outform PEM ln -s $PEMfile `openssl x509 -hash -noout < $PEMfile`.0 done