From: Chris R. <Chr...@me...> - 2000-07-17 08:53:18
On Thu, 13 Jul 2000 13:44:35 CDT, Mark Wilcox wrote:
> What you'll need to do is look into the openSSL stuff to parse this out
> for you.
>
> When you say you use Netscape, what do you
> mean? Communicator? PerLDAP? the command line tools?
>
> Mark

Well, you could also try using Convert::ASN1 to pick apart the certificate. If you can get the certificate (the binary value itself, not a Base-64 encoding of it or anything) into $val, then the following should print out something.

use Convert::ASN1;
use Convert::ASN1::Debug;    # defines Convert::ASN1::asn_dump

# $val holds the raw BER/DER bytes; asn_dump writes a tag/length/value
# listing of the whole structure to the filehandle given (a glob ref).
Convert::ASN1::asn_dump(\*STDOUT, $val);

To get more selective info from the cert you need to get Convert::ASN1 to decode the value instead of just dumping it. To get that to happen you need the ASN.1 definition of certificates - the canonical definition is in a standard called X.509, but there are copies of the definition in some RFCs - RFC 2459 being the first one I could find.

Cheers,

Chris
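The decode step Chris points at, carried through as an added example (this is not code from the thread or from Convert::ASN1's own distribution). It feeds Convert::ASN1 a trimmed copy of the RFC 2459 Certificate definition (DEFAULT fields written as OPTIONAL, which is what Convert::ASN1 handles) and pulls the serial, issuer, subject, validity and extensions out of a DER value. So that it runs offline, the input certificate is constructed in the script with the same definition; its key and signature are dummy bytes, so it is a valid encoding but not a valid certificate. Everything else about it (the OIDs, the names, the dates) is made up for the example; in real use $der is the raw userCertificate;binary value or the bytes of a DER file.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: decode a certificate value with
# Convert::ASN1 and a trimmed RFC 2459 definition. The input is constructed
# below with the same definition (dummy key and signature) so the script
# runs offline; normally $der is the raw userCertificate;binary value.
use strict;
use warnings;
use Convert::ASN1;

my $asn = Convert::ASN1->new;
$asn->prepare(<<'ASN1') or die "ASN.1: " . $asn->error;
    Certificate ::= SEQUENCE {
        tbsCertificate        TBSCertificate,
        signatureAlgorithm    AlgorithmIdentifier,
        signature             BIT STRING }
    TBSCertificate ::= SEQUENCE {
        version               [0] EXPLICIT INTEGER OPTIONAL,
        serialNumber          INTEGER,
        signature             AlgorithmIdentifier,
        issuer                Name,
        validity              Validity,
        subject               Name,
        subjectPublicKeyInfo  SubjectPublicKeyInfo,
        issuerUniqueID        [1] IMPLICIT BIT STRING OPTIONAL,
        subjectUniqueID       [2] IMPLICIT BIT STRING OPTIONAL,
        extensions            [3] EXPLICIT Extensions OPTIONAL }
    AlgorithmIdentifier ::= SEQUENCE {
        algorithm             OBJECT IDENTIFIER,
        parameters            ANY OPTIONAL }
    Name ::= CHOICE { rdnSequence RDNSequence }
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    AttributeTypeAndValue ::= SEQUENCE {
        type                  OBJECT IDENTIFIER,
        value                 DirectoryString }
    DirectoryString ::= CHOICE {
        teletexString         TeletexString,
        printableString       PrintableString,
        universalString       UniversalString,
        utf8String            UTF8String,
        bmpString             BMPString,
        ia5String             IA5String }
    Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    Time ::= CHOICE { utcTime UTCTime, generalTime GeneralizedTime }
    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm             AlgorithmIdentifier,
        subjectPublicKey      BIT STRING }
    Extensions ::= SEQUENCE OF Extension
    Extension ::= SEQUENCE {
        extnID                OBJECT IDENTIFIER,
        critical              BOOLEAN OPTIONAL,
        extnValue             OCTET STRING }
ASN1
my $cert = $asn->find('Certificate') or die $asn->error;

my %oid_name = ('2.5.4.3' => 'CN', '2.5.4.6' => 'C', '2.5.4.10' => 'O');
my $der_null = pack('C*', 0x05, 0x00);    # DER NULL, passed through as ANY
my $sha1_rsa = { algorithm => '1.2.840.113549.1.1.5', parameters => $der_null };

# One RDN: a SET OF holding a single PrintableString attribute.
sub rdn { my ($oid, $text) = @_; return [ { type => $oid, value => { printableString => $text } } ] }

# Constructed input: the encoding of a v3 certificate with dummy key/signature.
my $der = $cert->encode({
    tbsCertificate => {
        version      => 2,                                                  # v3
        serialNumber => 4242,
        signature    => $sha1_rsa,
        issuer       => { rdnSequence => [ rdn('2.5.4.6', 'PT'), rdn('2.5.4.3', 'Example CA') ] },
        validity     => { notBefore => { utcTime => 963835200 },            # 2000-07-17 12:00:00 UTC
                          notAfter  => { utcTime => 995371200 } },          # 2001-07-17 12:00:00 UTC
        subject      => { rdnSequence => [ rdn('2.5.4.6', 'PT'), rdn('2.5.4.3', 'Rui Monteiro') ] },
        subjectPublicKeyInfo => { algorithm        => { algorithm => '1.2.840.113549.1.1.1', parameters => $der_null },
                                  subjectPublicKey => "\x00" x 32 },         # dummy bytes, not a key
        extensions   => [ { extnID => '2.5.29.19', critical => 1, extnValue => pack('C*', 0x30, 0x00) } ],
    },
    signatureAlgorithm => $sha1_rsa,
    signature          => "\xff" x 16,                                      # dummy signature
}) or die "encode: " . $cert->error;

# Decoding is what you do with a value read back from the directory.
my $c   = $cert->decode($der) or die "decode: " . $cert->error;
my $tbs = $c->{tbsCertificate};

# Flatten an RFC 2459 Name into "C=PT, CN=..." form.
sub dn_string {
    my ($name) = @_;
    return join ', ', map {
        my $atv    = $_->[0];                    # first member of the SET OF
        my ($text) = values %{ $atv->{value} };  # whichever DirectoryString alternative was used
        ($oid_name{ $atv->{type} } || $atv->{type}) . '=' . $text;
    } @{ $name->{rdnSequence} };
}

printf "version    : v%d\n", (defined $tbs->{version} ? $tbs->{version} : 0) + 1;
printf "serial     : %s\n", $tbs->{serialNumber};
printf "issuer     : %s\n", dn_string($tbs->{issuer});
printf "subject    : %s\n", dn_string($tbs->{subject});
printf "not before : %s\n", scalar gmtime($tbs->{validity}{notBefore}{utcTime});
printf "not after  : %s\n", scalar gmtime($tbs->{validity}{notAfter}{utcTime});
for my $ext (@{ $tbs->{extensions} || [] }) {
    printf "extension  : %s%s, %d bytes\n", $ext->{extnID},
        $ext->{critical} ? ' (critical)' : '', length $ext->{extnValue};
}
```

Two things worth knowing before pointing this at real values: Convert::ASN1 decodes UTCTime and GeneralizedTime to epoch seconds, so a certificate from the directory with a GeneralizedTime validity turns up under the generalTime key instead; and the decode only checks structure, it says nothing about whether the signature verifies, so anything that must trust the certificate still goes through OpenSSL (or the application's TLS stack) afterwards.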
From: Chris R. <Chr...@me...> - 2000-07-17 13:22:18
On Mon, 17 Jul 2000 07:53:11 CDT, Mark Wilcox wrote:
> To store certificate in an entry is simple. You simply slurp it into a
> scalar (e.g. $certificate) as a binary and store in the
> usercertificate;binary (there is an optional text representation under
> LDAP v2, but I don't know it and everybody is now building their
> products for binary).

The LDAPv2 string representation was not optional, but it was so broken that nobody ever used it. You can basically assume that for an LDAPv2 server the value of the userCertificate attribute was the BER encoding of the certificate. (In LDAPv3 the value of the "userCertificate;binary" attribute is the BER encoding of the certificate.)

> The certificate can either be encoded as DER (Distinguished Encoding
> Rules) or PEM (Privacy Enhanced Mail), which essentially is BASE64
> encoded DER (though don't just Base64 DER and expect everything to work
> ;), read up on it first through the openSSL mail archives).

The directory *requires* the certificate to be the BER value - anything else is incorrect and will only work on broken LDAP servers.

(Note I keep writing BER instead of DER :-)

Cheers,

Chris
From: Mark W. <mew...@un...> - 2000-07-22 23:48:12
Yet another item for our mythical FAQ :)

Mark

Chris Ridd wrote:
> On Mon, 17 Jul 2000 07:53:11 CDT, Mark Wilcox wrote:
> > To store certificate in an entry is simple. You simply slurp it into a
> > scalar (e.g. $certificate) as a binary and store in the
> > usercertificate;binary (there is an optional text representation under
> > LDAP v2, but I don't know it and everybody is now building their
> > products for binary).
>
> The LDAPv2 string representation was not optional, but it was so broken
> that nobody ever used it. You can basically assume that for an LDAPv2
> server the value of the userCertificate attribute was the BER encoding
> of the certificate. (In LDAPv3 the value of the "userCertificate;binary"
> attribute is the BER encoding of the certificate.)
>
> > The certificate can either be encoded as DER (Distinguished Encoding
> > Rules) or PEM (Privacy Enhanced Mail), which essentially is BASE64
> > encoded DER (though don't just Base64 DER and expect everything to work
> > ;), read up on it first through the openSSL mail archives).
>
> The directory *requires* the certificate to be the BER value - anything
> else is incorrect and will only work on broken LDAP servers.
>
> (Note I keep writing BER instead of DER :-)
>
> Cheers,
>
> Chris
From: Graham B. <gb...@po...> - 2000-07-25 08:28:24
On Sat, Jul 22, 2000 at 06:48:58PM -0500, Mark Wilcox wrote:
> Yet another item for our mythical FAQ :)

Well at the perl conference we got many volunteers to do things, but the FAQ was not one of them.

If anyone wants fame and fortune^Wpoverty then please contact me.

Graham.
From: Jim H. <ha...@us...> - 2000-07-25 18:22:53
Graham,

Can you be specific about what is involved with maintaining the FAQ?

--Jim Harle

On Tue, 25 Jul 2000, Graham Barr wrote:
> On Sat, Jul 22, 2000 at 06:48:58PM -0500, Mark Wilcox wrote:
> > Yet another item for our mythical FAQ :)
>
> Well at the perl conference we got many volunteers to do things, but the
> FAQ was not one of them.
>
> If anyone wants fame and fortune^Wpoverty then please contact me.
>
> Graham.
From: Rui M. <rmo...@wh...> - 2000-07-17 09:15:26
Hello.

Sorry for introducing some noise in this, but does anyone know if there is a perl/ldap module that allows Apache to store Digital Certificates in LDAP (Netscape Directory Services)?

Thanks in advance

Chris Ridd wrote:
> On Thu, 13 Jul 2000 13:44:35 CDT, Mark Wilcox wrote:
> > What you'll need to do is look into the openSSL stuff to parse this out
> > for you.
> >
> > When you say you use Netscape, what do you
> > mean? Communicator? PerLDAP? the command line tools?
> >
> > Mark
>
> Well, you could also try using Convert::ASN1 to pick apart the
> certificate. If you can get the certificate (the binary value itself,
> not a Base-64 encoding of it or anything) into $val, then the following
> should print out something.
>
> use Convert::ASN1;
> use Convert::ASN1::Debug;
>
> Convert::ASN1::asn_dump(\*STDOUT, $val);
>
> To get more selective info from the cert you need to get Convert::ASN1
> to decode the value instead of just dumping it. To get that to happen
> you need the ASN.1 definition of certificates - the canonical
> definition is in a standard called X.509, but there are copies of the
> definition in some RFCs - RFC 2459 being the first one I could find.
>
> Cheers,
>
> Chris

-- 
Rui Monteiro                   WhatEverNet Computing, SA
rmo...@wh...                   Praca de Alvalade, 6 - Piso 6
Phone: +351 21 7994200         1700 036 Lisboa - Portugal
Fax: +351 21 7994242           http://www.whatevernet.pt
From: Mark W. <mew...@un...> - 2000-07-17 12:52:35
To store a certificate in an entry is simple. You simply slurp it into a scalar (e.g. $certificate) as a binary and store in the usercertificate;binary (there is an optional text representation under LDAP v2, but I don't know it and everybody is now building their products for binary).

The certificate can either be encoded as DER (Distinguished Encoding Rules) or PEM (Privacy Enhanced Mail), which essentially is BASE64 encoded DER (though don't just Base64 DER and expect everything to work ;), read up on it first through the openSSL mail archives).

To work with certificates it's best to use openssl. There is a set of modules called openCA that make it easier to work with openssl. These modules aren't tied to the C API, but rather the openssl command line tool. I just stumbled upon them last week, I hope to play with them more when I get back.

As for Apache, Apache can't automatically store certificates, that's the work of an LDAP application. You could write your application in mod_perl instead of traditional CGI. If you want to use certificates for authentication, check out mod_ssl. If you need to parse information from certificates after authentication in mod_perl, check out chapter 6 in the mod_perl book at www.modperl.com.

Mark

Rui Monteiro wrote:
> Hello.
> Sorry for introducing some noise in this but, anyone knows if there is
> a perl/ldap module that allows Apache to store Digital Certificates in
> LDAP ( Netscape Directory Services )
>
> Thanks in advance
>
> Chris Ridd wrote:
>
>> On Thu, 13 Jul 2000 13:44:35 CDT, Mark Wilcox wrote:
>> > What you'll need to do is look into the openSSL stuff to parse
>> this out
>> > for you.
>> >
>> > When you say you use Netscape, what do you
>> > mean? Communicator? PerLDAP? the command line tools?
>> >
>> > Mark
>>
>> Well, you could also try using Convert::ASN1 to pick apart the
>> certificate. If you can get the certificate (the binary value
>> itself,
>> not a Base-64 encoding of it or anything) into $val, then the
>> following
>> should print out something.
>>
>> use Convert::ASN1;
>> use Convert::ASN1::Debug;
>>
>> Convert::ASN1::asn_dump(\*STDOUT, $val);
>>
>> To get more selective info from the cert you need to get
>> Convert::ASN1
>> to decode the value instead of just dumping it. To get that to
>> happen
>> you need the ASN.1 definition of certificates - the canonical
>> definition is in a standard called X.509, but there are copies of
>> the
>> definition in some RFCs - RFC 2459 being the first one I could find.
>>
>> Cheers,
>>
>> Chris
>
> --
> Rui Monteiro                   WhatEverNet Computing, SA
> rmo...@wh...                   Praca de Alvalade, 6 - Piso 6
> Phone: +351 21 7994200         1700 036 Lisboa - Portugal
> Fax: +351 21 7994242           http://www.whatevernet.pt
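What Mark's message just above describes, with Chris's correction from earlier in the thread applied (the attribute value must be the BER/DER bytes, never the PEM text), as an added example; this is not code from either of them. A PEM file is unwrapped to DER first, then the value is checked to be one complete DER SEQUENCE before it goes anywhere, which catches the two classic mistakes: storing the Base64 text itself, and storing a truncated value. The entry DN, LDAP_HOST, LDAP_BINDDN, LDAP_BINDPW and LDAP_CAFILE are assumptions for the example; the Net::LDAP calls (new, start_tls, bind, modify, unbind) are the module's real API. Without LDAP_HOST it prints the equivalent LDIF for ldapmodify, and with no file argument it falls back to a constructed PEM placeholder wrapping the DER SEQUENCE { INTEGER 42 }, which is not a certificate and only exists so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Stores a certificate in
# userCertificate;binary as raw BER/DER bytes, unwrapping PEM if needed.
# Host, DN and credentials are assumed (env LDAP_HOST, LDAP_BINDDN,
# LDAP_BINDPW, LDAP_CAFILE); with no LDAP_HOST it prints LDIF instead.
# Usage: store_cert.pl [cert.pem|cert.der] [dn]
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Return the DER value held in $data, which may be DER or a PEM CERTIFICATE
# block. Dies unless the result is exactly one complete DER SEQUENCE.
sub certificate_der {
    my ($data) = @_;
    if ($data =~ /-----BEGIN CERTIFICATE-----\s*(.*?)-----END CERTIFICATE-----/s) {
        $data = decode_base64($1);    # PEM is only Base64 armour around the DER
    }
    die "value does not start with a SEQUENCE tag (0x30)\n"
        unless length $data >= 2 && ord(substr($data, 0, 1)) == 0x30;
    my ($content_len, $header_len) = ber_length($data);
    my $total = $header_len + $content_len;
    die sprintf("length mismatch: encoding says %d bytes, value has %d\n",
                $total, length $data) if $total != length $data;
    return $data;
}

# Decode the definite-form length after the tag byte; returns
# (content length, header length). Indefinite length (0x80) is rejected
# because a certificate is DER and may not use it.
sub ber_length {
    my ($data) = @_;
    my $first = ord substr($data, 1, 1);
    return ($first, 2) if $first < 0x80;
    my $n = $first & 0x7f;
    die "bad length encoding\n" if $n == 0 || $n > 4 || length $data < 2 + $n;
    my $len = 0;
    $len = $len * 256 + ord substr($data, 2 + $_, 1) for 0 .. $n - 1;
    return ($len, 2 + $n);
}

# LDIF for the same change. '::' marks a Base64-encoded value; that is an
# LDIF transport detail only, ldapmodify decodes it and the server stores
# the DER bytes. Long lines are folded (continuation = leading space).
sub ldif_for {
    my ($dn, $der) = @_;
    my $line   = 'userCertificate;binary:: ' . encode_base64($der, '');
    my @chunks = $line =~ /(.{1,75})/g;
    return "dn: $dn\nchangetype: modify\nreplace: userCertificate;binary\n"
         . join("\n ", @chunks) . "\n-\n";
}

my ($path, $dn) = @ARGV;
$dn ||= 'uid=rui,ou=People,dc=example,dc=pt';    # assumed entry
my $raw;
if (defined $path) {
    open my $fh, '<:raw', $path or die "$path: $!\n";
    local $/;
    $raw = <$fh>;
} else {
    # Constructed placeholder (see __DATA__): NOT a certificate, just a
    # PEM wrapper around SEQUENCE { INTEGER 42 } so the script runs offline.
    local $/;
    $raw = <DATA>;
}
my $der = certificate_der($raw);

if (my $host = $ENV{LDAP_HOST}) {
    require Net::LDAP;
    my $ldap = Net::LDAP->new($host) or die "connect $host: $@\n";
    # The simple-bind password travels in clear over ldap://; upgrade to
    # TLS first when a CA file is given, and verify the server certificate.
    if ($ENV{LDAP_CAFILE}) {
        my $tls = $ldap->start_tls(verify => 'require', cafile => $ENV{LDAP_CAFILE});
        die "start_tls: " . $tls->error . "\n" if $tls->code;
    }
    my @cred = $ENV{LDAP_BINDDN} ? ($ENV{LDAP_BINDDN}, password => $ENV{LDAP_BINDPW}) : ();
    my $mesg = $ldap->bind(@cred);
    die "bind: " . $mesg->error . "\n" if $mesg->code;
    $mesg = $ldap->modify($dn, replace => { 'userCertificate;binary' => $der });
    die "modify: " . $mesg->error . "\n" if $mesg->code;
    $ldap->unbind;
    print "stored ", length $der, " bytes in $dn\n";
} else {
    print ldif_for($dn, $der);
}

__DATA__
-----BEGIN CERTIFICATE-----
MAMCASo=
-----END CERTIFICATE-----
```

The structural check is deliberately shallow: it only proves the value is a single, whole DER element, which is enough to reject the PEM-text and truncation mistakes before they reach the directory. Whether the bytes are actually a certificate is a job for a full decode (Convert::ASN1 with the X.509 definition, or openssl x509 -inform DER) before the modify, and a quick "search and compare the bytes you get back" afterwards confirms the server stored them unchanged.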