Setup Perl Net LDAPS

Setting up Perl to Access LDAPS#

Module documentation at CPAN

Perl on Win32#

You can install Net::LDAP using PPM.
set HTTP_proxy=http://httpoh2.[Directory-Info.com].net:8080
set FTP_proxy=http://httpoh2.[Directory-Info.com].net:8080
ppm> install perl-ldap
Some required modules to make LDAPS function are not available via PPM. So that means the missing binaries for Win32 must be compiled.

Compiling isn't too hard if you have the C compiler and all of the needed header files... but it can be a bit daunting if you don't have access to all of the right tools.

The binaries were recently compiled on a Windows XP workstation with "OpenSSL 0.9.7g 11 Apr 2005" source; the results may be transferrable to other W32 machines with some care.

  1. Extract the contents of sitelibLDAPS.tar.gz(info) to a temp directory. Then copy the contents to your Perl\site\lib directory. To do this without back-dating any files that you just installed through PPM:xcopy /sdy yourtempdir C:\Perl\site\lib
  2. Copy the files ssleay32.dll(info) and libeay32.dll(info) to a directory in your system path (e.g. C:\WINNT\system32).

Perl on Linux#

Install these RPM's:
  • gcc
  • make
  • perl-CPAN
  • perl-Crypt-SSLeay
  • openssl-perl
  • openssl-devel

Start a CPAN shell:

perl -MCPAN -e shell

Follow the prompts. When CPAN is configured and able to retrieve modules, run these commands:

force install Digest::MD5

This will likely fail (version 2.33). But it seems to install the .pm file, and that is all we really need.

install Net::LDAPS

Follow the prompts. If it completes without errors, then you are done. If it doesn't finish, you'll need to figure out what is missing, exit the shell, and try again.

Perl LDAPS and Certificates#

By default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.

For a truly secure session, this attribute should be set:

verify => 'require'

This requires some additional setup. Every LDAP server has a certificate signed by the Organizational CA of the eDirectory tree (e.g. B1LDAP-QA) that it is part of. eDirectory provides tools to export X.509 certificates in .der and .b64 encoded formats. Perl's Net::LDAPS needs certificates that are PEM encoded. OpenSSL provides a conversion tool:

openssl x509 -in CA.der -inform der -out CA.pem -outform PEM

These excerpts (from here and here) describe how to use these certificates:

capath => '/path/to/servercerts/'
cafile => '/path/to/servercert.pem'
When verifying the server's certificate, either set capath to the
pathname of the directory containing CA certificates, or set cafile to
the filename containing the certificate of the CA who signed the
server's certificate. These certificates must all be in PEM format.

The directory in 'capath' must contain certificates named using the
hash value of the certificates' subject names. To generate these
names, use OpenSSL like this in Unix:

    ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

(assuming that the certificate of the CA is in cacert.pem.)

To create PEM encoded certificates from a directory full of .der files, here is a script to help accomplish the task:

for file in `ls *.der`; do
  echo "Processing $file..."
  export PEMfile="`basename $file .der`.pem"
  openssl x509 -in $file -inform der -out $PEMfile -outform PEM
  ln -s $PEMfile `openssl x509 -hash -noout < $PEMfile`.0


More Information#

There might be more information for this subject on one of the following: