Apache Directory Studio and Client Certificate Authentication

Apache Directory Studio is a very nice LDAP tool that works great with OpenLDAP. Unfortunately it lacks a critical feature: support for X.509 Client Certificate Authentication. There is a feature request from 2011 but it has not even been assigned yet.

Does this mean that you can not use Apache Directory Studio with a Directory server that enforces TLS/SSLv3 & Client Certificate Authentication? Nope but luckily there is a solution called socat.

With socat you can forward a local port via SSH to a socket on the remote server on which your LDAP server is listening. Make sure that you have a working SSH connection to your LDAP server using public key authentication and that your LDAP server is configured to (also) listen on a socket. You also need to install socat on both the client and on the LDAP server. A simple yum install socat should do it.

The command to run as a regular user is:

Explanation:
socat listens on TCP port 10389 on 127.0.0.1. When it receives a connection on TCP port 10389 on IP address 127.0.0.1 it sets up an SSH link to ‘ldap-server’ as ‘user’ using public key authentication and forwards the incoming connection on the client to the socket at /var/run/ldapi which is the socket location configured on your LDAP server.

To make sure that the socat relay is available when you use Apache Directory Studio you can create a simple script to start socat first and then start Apache Directory Studio:

Don’t forget to change the ssh user & ldap-server and the location of the Apache Directory Studio binary.

Now you should be able to use Apache Directory Studio to access your LDAP server via a secure SSH link. As usual do take a few security precautions:

1) do *not* save the Bind password in Apache Directory Studio
2) only make socat listen on 127.0.0.1 so the link can not be accessed by other hosts on the network or even from the Internet
3) if you want to allow other hosts on the network to use the socat relay then make sure you also use the ‘range‘ option to limit access

Leave a Reply

Your email address will not be published. Required fields are marked *