
I want to search for a user using ldapsearch, but the hosting provider gave me a certificate from the CA. I added that certificate to my ldap.conf.

Before executing the ldapsearch command I am running openssl as follows:

openssl s_client -connect hostname -CAfile /certificate.pem

After connecting via openssl, I execute the following command in another terminal:

ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net

Now I want to know: is there any way to use the certificate while executing the ldapsearch command?



This should be doable by performing:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net

although I'd use:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D [email protected], dc=global,dc=example,dc=net

to ensure that it tries with ldaps, rather than heuristics.

If you're still getting errors, you can add -ZZ, which will give better error messages.

An obvious gotcha is using an expired cert; the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:

subject=/C=IE/CN=hostname.domain.local

You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match, then you'll not be able to connect (this is simple cert validation; if there are alternative names, then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS).

A final caveat is that Mac OSX does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OSX in this case).
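The hostname check the answer describes, worked through as an added example that is not part of the original answer: fetch the server certificate with s_client (verifying it against the question's /certificate.pem CA file), list the names it is valid for (SAN entries, or the subject CN as a fallback), and only then call ldapsearch over ldaps with LDAPTLS_CACERT set. hostname, portno, $binddn and $base are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original answer. /certificate.pem is the CA
# file from the question; the server certificate is fetched with s_client.

# 0 if hostname $1 matches certificate name $2 (case-insensitive); a leading
# "*" matches exactly one DNS label, as in RFC 6125.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix=${pat#\*}             # e.g. ".example.net"
            head=${host%"$suffix"}       # part of host before the suffix
            [ "$head" != "$host" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]
            ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# Save the server certificate presented on $1:$2 to file $3, checking it
# against CA file $4 on the way (the openssl step from the question).
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$4" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Print the DNS names certificate file $1 is valid for: the SAN entries,
# or the subject CN when there is no SAN extension.
cert_dns_names() {
    sans=$(openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    fi
}

# 0 if hostname $2 matches any name in certificate file $1, else 1.
host_in_cert() {
    for n in $(cert_dns_names "$1"); do
        name_matches "$2" "$n" && return 0
    done
    return 1
}

# Usage with placeholder values (uncomment to run):
# fetch_server_cert hostname portno /tmp/server.pem /certificate.pem
# host_in_cert /tmp/server.pem hostname \
#   && LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D "$binddn" -W -b "$base"
```

If host_in_cert fails, the name you pass to ldapsearch is not one the server certificate covers, which is exactly the "hostname does not match CN in peer certificate" case; use a name from the cert_dns_names output instead.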


2 Comments

Thanks @Petesh. But when I tried this command I got the error ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
First, make sure that the file is being read - use strace to verify that the file is being opened. You can also try with the -ZZ option which should give better debugging information. A typical error would be something like TLS: hostname does not match CN in peer certificate (i.e. you're not using the same hostname as supplied in the cert). You can check the CN using openssl s_client -connect hostname:portno - check for the line reading subject= for the CN=, and you have to use that as the hostname.
