This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!! Perl LDAPS and Certificate
By default, when building a Net::LDAPS connection object, the [SSL] session will be constructed __without verification__ of the [certificate] used to [encrypt|Encryption] the session.
For a truly secure session, this option must be passed to the constructor so that the server's certificate chain is actually validated:
{{{verify => 'require'}}}
This requires some additional setup. Every LDAP server has a certificate signed by the Organizational CA of the eDirectory tree (e.g. B1LDAP-QA) that it is part of. eDirectory provides tools to export [X.509] certificates in .der and .b64 encoded formats. Perl's Net::LDAPS needs certificates that are [PEM] encoded.
[OpenSSL] provides a conversion ability as shown in this [Example]:
{{{
openssl x509 -in CA.der -inform der -out CA.pem -outform PEM
}}}
These excerpts (from [here|http://svn.mutatus.co.uk/wsvn/perl-ldap/tags/perl-ldap-0.3202/lib/Net/LDAP.pod?op=file&rev=0&sc=0] and [here|http://lists.fifi.org/cgi-bin/man2html/usr/share/man/man3/Net::LDAPS.3pm.gz]) describe how to use these certificates:
{{{capath => '/path/to/servercerts/'}}}
{{{cafile => '/path/to/servercert.pem'}}}
{{{
When verifying the server's certificate, either set capath to the
pathname of the directory containing CA certificates, or set cafile to
the filename containing the certificate of the CA who signed the
server's certificate. These certificates must all be in PEM format.
The directory in 'capath' must contain certificates named using the
hash value of the certificates' subject names. To generate these
names, use OpenSSL like this in Unix:
ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0
(assuming that the certificate of the CA is in cacert.pem.)
}}}
To create [PEM] encoded [certificates] from a directory full of [.der|DER] files, here is a script [Example code] to help accomplish the task:
{{{
#!/bin/bash
#:der2pem.sh
# Convert every DER certificate in the current directory to PEM and create
# the subject-hash symlink that Net::LDAPS's capath lookup expects.
shopt -s nullglob                      # loop runs zero times when no *.der exists
for file in *.der; do                  # glob directly; parsing `ls` breaks on odd filenames
    echo "Processing $file..."
    PEMfile="$(basename "$file" .der).pem"
    openssl x509 -in "$file" -inform der -out "$PEMfile" -outform PEM
    # .0 suffix assumes one CA per subject hash; a second CA with the same hash needs .1
    ln -sf "$PEMfile" "$(openssl x509 -hash -noout < "$PEMfile").0"
done
}}}
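Putting the pieces together, here is an added Perl example (not from the original page) that opens a Net::LDAPS session with the insecure default shown beside the verified form, then reads the base entry to prove the session works. The hostname, CA file path and search base are placeholders you must replace.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAPS;

# Assumed values: replace with your own server, exported CA certificate and search base.
my $host   = 'ldap.example.com';                 # placeholder hostname
my $cafile = '/etc/ssl/certs/B1LDAP-QA-CA.pem';  # placeholder path to the PEM CA cert
my $base   = 'o=example';                        # placeholder search base

# Weak form (the default): the server certificate is never checked, so an
# interposed host presenting any certificate would be accepted silently.
# my $ldap = Net::LDAPS->new($host, port => 636);

# Hardened form: require the chain to validate against the exported CA.
# Use capath => '/path/to/servercerts/' instead of cafile once the directory
# has been populated with hash-named symlinks (see der2pem.sh above).
my $ldap = Net::LDAPS->new(
    $host,
    port   => 636,
    verify => 'require',
    cafile => $cafile,
) or die "LDAPS connect/verify failed for $host: $@\n";

# Optional sanity check: report who actually signed the certificate we accepted.
my $sock = $ldap->socket;
if ($sock && $sock->can('peer_certificate')) {
    printf "Server subject: %s\nIssued by:      %s\n",
        $sock->peer_certificate('subject'), $sock->peer_certificate('issuer');
}

# Anonymous bind followed by a base-scope read to prove the session is usable.
my $bind = $ldap->bind;
die 'Bind failed: ' . $bind->error . "\n" if $bind->code;

my $res = $ldap->search(
    base   => $base,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['objectClass'],
);
die 'Search failed: ' . $res->error . "\n" if $res->code;
print 'Read entry: ', $_->dn, "\n" for $res->entries;

$ldap->unbind;
```

With verify => 'require' and a wrong or missing CA file the constructor returns undef and the script dies before any bind, which is the failure you want rather than a silently unverified session.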