From: Mark W. <mew...@un...> - 2000-07-17 12:52:35
To store a certificate in an entry is simple. You simply slurp it into a scalar (e.g. $certificate) as a binary and store it in the usercertificate;binary attribute (there is an optional text representation under LDAP v2, but I don't know it and everybody is now building their products for binary).

The certificate can either be encoded as DER (Distinguished Encoding Rules) or PEM (Privacy Enhanced Mail), which essentially is BASE64 encoded DER (though don't just Base64 DER and expect everything to work ;), read up on it first through the openSSL mail archives).

To work with certificates it's best to use openssl. There is a set of modules called openCA that make it easier to work with openssl. These modules aren't tied to the C API, but rather the openssl command line tool. I just stumbled upon them last week; I hope to play with them more when I get back.

As for Apache, Apache can't automatically store certificates; that's the work of an LDAP application. You could write your application in mod_perl instead of traditional CGI. If you want to use certificates for authentication, check out mod_ssl. If you need to parse information from certificates after authentication in mod_perl, check out chapter 6 in the mod_perl book at www.modperl.com.

Mark

Rui Monteiro wrote:

> Hello.
> Sorry for introducing some noise in this, but does anyone know if there is
> a perl/ldap module that allows Apache to store Digital Certificates in
> LDAP ( Netscape Directory Services )
>
> Thanks in advance
>
> Chris Ridd wrote:
>
>> On Thu, 13 Jul 2000 13:44:35 CDT, Mark Wilcox wrote:
>> > What you'll need to do is look into the openSSL stuff to parse this out
>> > for you.
>> >
>> > When you say you use Netscape, what do you
>> > mean? Communicator? PerLDAP? the command line tools?
>> >
>> > Mark
>>
>> Well, you could also try using Convert::ASN1 to pick apart the
>> certificate. If you can get the certificate (the binary value itself,
>> not a Base-64 encoding of it or anything) into $val, then the following
>> should print out something.
>>
>>     use Convert::ASN1;
>>     use Convert::ASN1::Debug;
>>
>>     Convert::ASN1::asn_dump(*STDOUT, $val);
>>
>> To get more selective info from the cert you need to get Convert::ASN1
>> to decode the value instead of just dumping it. To get that to happen
>> you need the ASN.1 definition of certificates - the canonical
>> definition is in a standard called X.509, but there are copies of the
>> definition in some RFCs - RFC 2459 being the first one I could find.
>>
>> Cheers,
>>
>> Chris
>
> --
> Rui Monteiro             WhatEverNet Computing, SA
> rmo...@wh...             Praca de Alvalade, 6 - Piso 6
> Phone: +351 21 7994200   1700 036 Lisboa - Portugal
> Fax: +351 21 7994242     http://www.whatevernet.pt
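
An added example, not part of the original thread: a Perl sketch of the PEM/DER point made above, turning either encoding into the raw DER bytes that userCertificate;binary expects and rejecting a value that is still Base64 text. The helper names `cert_to_der` and `der_problem`, the constructed sample blob, and the `$ldap`/`$dn` variables in the closing comment are assumptions; the check looks only at the outer DER header and does not validate the certificate itself.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Return raw DER bytes for a certificate supplied as PEM or as DER.
sub cert_to_der {
    my ($input) = @_;
    if ($input =~ /-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/s) {
        (my $b64 = $1) =~ s{[^A-Za-z0-9+/=]}{}g;    # drop line breaks and whitespace
        return decode_base64($b64);
    }
    return $input;    # no PEM armor: treat as DER and let der_problem() judge it
}

# Return undef if $der is exactly one DER SEQUENCE (tag 0x30) whose definite
# length covers the whole buffer; otherwise return a short reason string.
sub der_problem {
    my ($der) = @_;
    return 'too short' if length($der) < 2;
    my ($tag, $first) = unpack('C2', $der);
    return sprintf('outer tag is 0x%02x, not SEQUENCE (0x30)', $tag) if $tag != 0x30;
    my ($hdr, $len) = (2, $first);
    if ($first & 0x80) {    # long form: low 7 bits give the number of length octets
        my $n = $first & 0x7f;
        return 'indefinite or oversized length' if $n == 0 || $n > 4;
        return 'truncated length field' if length($der) < 2 + $n;
        $len = 0;
        $len = ($len << 8) | $_ for unpack("x2 C$n", $der);
        $hdr = 2 + $n;
    }
    return "length field says $len bytes, buffer holds " . (length($der) - $hdr)
        if $hdr + $len != length($der);
    return;
}

# Constructed sample: a 300-byte SEQUENCE of NULLs stands in for a real certificate.
my $der = "\x30\x82\x01\x2c" . ("\x05\x00" x 150);
my $pem = "-----BEGIN CERTIFICATE-----\n" . encode_base64($der)
        . "-----END CERTIFICATE-----\n";

for my $case (['DER', $der], ['PEM', $pem], ['bare Base64', encode_base64($der)]) {
    my ($name, $data) = @$case;
    my $value = cert_to_der($data);
    my $why   = der_problem($value);
    printf "%-12s %s\n", $name,
        defined $why ? "REJECT: $why" : 'ok, ' . length($value) . ' bytes of DER';
}
# A value that passes would then be written with Net::LDAP, for example:
#   $ldap->modify($dn, replace => { 'userCertificate;binary' => $value });
```

When the certificate comes from a file, open it with the `:raw` layer (or call `binmode`) so the DER bytes reach the scalar unmodified.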