Apache Directory Studio and Client Certificate Authentication

Apache Directory Studio is a very nice LDAP tool that works great with OpenLDAP. Unfortunately it lacks a critical feature: support for X.509 Client Certificate Authentication. There is a feature request from 2011 but it has not even been assigned yet.

Does this mean that you can not use Apache Directory Studio with a Directory server that enforces TLS/SSLv3 & Client Certificate Authentication? Nope, luckily there is a solution: socat.

With socat you can forward a local port via SSH to a (Unix domain) socket on the remote server on which your LDAP server is listening. Make sure that you have a working SSH connection to your LDAP server using public key authentication and that your LDAP server is configured to (also) listen on a socket. You also need to install socat on both the client and on the LDAP server. A simple yum install socat should do it.

The command to run as a regular user is:

socat listens on TCP port 10389. When it receives a connection on that port it sets up an SSH link to ‘ldap-server’ as ‘user’ using public key authentication and forwards the incoming connection from the client to the socket at /var/run/ldapi, which is the socket location configured on your LDAP server.

To make sure that the socat relay is available when you use Apache Directory Studio you can create a simple script to start socat first and then start Apache Directory Studio:

Don’t forget to change the ssh user & ldap-server and the location of the Apache Directory Studio binary.

Now you should be able to use Apache Directory Studio to access your LDAP server via a secure SSH link. As usual do take a few security precautions:

1) do *not* save the Bind password in Apache Directory Studio
2) restrict the address socat listens on so the link can not be accessed by other hosts on the network or even from the Internet
3) if you want to allow other hosts on the network to use the socat relay then make sure you also use the ‘range’ option to limit access
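The relay described above, plus the wrapper script and the listen-address precautions from the list, as an added example; this is not the command or script from the original post. The exact socat command line, the loopback bind address 127.0.0.1 and the Apache Directory Studio path are assumptions, and the relay only binds a non-loopback address when a ‘range’ restriction is given:

```shell
#!/bin/sh
# Added example, not the script from the original post: build the socat relay
# described above, refuse unsafe listen addresses, then start Apache Directory Studio.
# Assumed values (override via environment): SSH user 'user', host 'ldap-server',
# remote socket /var/run/ldapi, loopback bind 127.0.0.1, a guessed Studio path.
SSH_USER="${SSH_USER:-user}"
LDAP_HOST="${LDAP_HOST:-ldap-server}"
REMOTE_SOCKET="${REMOTE_SOCKET:-/var/run/ldapi}"
LOCAL_PORT="${LOCAL_PORT:-10389}"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"
ALLOW_RANGE="${ALLOW_RANGE:-}"               # e.g. 192.168.1.0/24 when not loopback
STUDIO_BIN="${STUDIO_BIN:-/opt/ApacheDirectoryStudio/ApacheDirectoryStudio}"

# listen_addr BIND [RANGE]: print the socat listen address. A non-loopback bind
# without a range= restriction is rejected (exit 1) so the relay never ends up
# reachable from the whole network by accident.
listen_addr() {
  addr="TCP-LISTEN:${LOCAL_PORT},bind=$1,reuseaddr,fork"
  case "$1" in
    127.*|::1) ;;
    *) if [ -z "$2" ]; then
         echo "refusing to bind $1 without a range= restriction" >&2
         return 1
       fi
       addr="${addr},range=$2" ;;
  esac
  printf '%s\n' "$addr"
}

# remote_cmd: what socat runs per accepted connection: an SSH session (public key
# auth) that runs socat on the server to bridge stdio to the ldapi socket.
remote_cmd() {
  printf 'ssh -T %s@%s socat STDIO UNIX-CONNECT:%s\n' "$SSH_USER" "$LDAP_HOST" "$REMOTE_SOCKET"
}

# start_relay: run socat in the background and wait until the local port answers.
start_relay() {
  listen=$(listen_addr "$BIND_ADDR" "$ALLOW_RANGE") || return 1
  socat "$listen" "EXEC:$(remote_cmd)" &
  for _ in 1 2 3 4 5; do
    socat -T1 /dev/null "TCP:${BIND_ADDR}:${LOCAL_PORT}" 2>/dev/null && return 0
    sleep 1
  done
  echo "relay on ${BIND_ADDR}:${LOCAL_PORT} did not come up" >&2
  return 1
}

case "${1:-}" in
  start) start_relay && exec "$STUDIO_BIN" ;;   # usage: sh relay.sh start
esac
```

Point Apache Directory Studio at the assumed 127.0.0.1:10389 with a plain (non-SSL) LDAP connection; the SSH link provides the transport security.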

Piwik, nginx and self-signed certificates

To keep track of some website statistics I use Piwik, an excellent free web analytics tool that provides you with detailed reports on your website’s visitors, your marketing campaigns and much more.

Obviously I want to make sure that information is secure and shielded from unauthorized access. After too many Certificate Authorities recently dropped the ball (TurkTrust and DigiNotar, and Google for more) it makes more sense to use self-signed certificates and client certificate authentication.

Unfortunately Piwik does not support client certificate authentication in its tracker code so how can self-signed certificates and client certificate authentication still be used?

They can not… sorta.

Nginx to the rescue. The fast-growing webserver (actually an HTTP and reverse proxy server, as well as a mail proxy server) is tremendously flexible and granular and allows you to provide limited non-SSL access to piwik.js and piwik.php while the actual web interface behind index.php is only available on an SSL link with client certificate authentication. While I would prefer to see support for SSL with self-signed certificates & client certificate authentication in Piwik’s tracker code, this should do for now.

Example configuration:

I’ll leave the SSL-enabled full Piwik configuration as an exercise to the reader. Piwik on nginx is well documented, as is the SSL part.

If you know a way to make Piwik’s tracker code work with SSL with self-signed certificates & client certificate authentication then please leave a comment.