LDAP search user based on certificate in Linux command line

AnNaMaLaI · Jan 8, 2015 · Viewed 16.5k times

I want to search for a user using ldapsearch.

But the hosting provider has given me a certificate (CA). I added that certificate to my ldap conf. So before executing the ldapsearch command I am running openssl as follows:

openssl s_client -connect hostname -CAfile /certificate.pem

After connecting via openssl I am executing the following command in another terminal:

ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net

Now I want to know: is there any way to use the certificate while executing the ldapsearch command?

Answer

Petesh · Jan 8, 2015

This should be doable by performing:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net

although, I'd use:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D [email protected], dc=global,dc=example,dc=net

to ensure that it tries with ldaps, rather than heuristics.

If you're still getting errors, you can add -ZZ, which will give better error messages.

An obvious gotcha is using an expired cert; the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:

subject=/C=IE/CN=hostname.domain.local

You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match then you'll not be able to connect (this is simple cert validation; if there are alternative names then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS).

A final caveat is that Mac OSX does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OSX in this case).
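An added example (not from the question or answer above) that scripts the checks Petesh describes: it pulls the CN and subjectAltName DNS entries from the server certificate with openssl s_client, refuses to run ldapsearch if the hostname you pass is not one of them, and otherwise runs ldapsearch over ldaps with LDAPTLS_CACERT set. Wildcard names (*.example.net) are handled as well, which goes beyond the answer; hostname, port, CA path, bind DN and base are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to bind unless the hostname
# handed to ldapsearch is one the server certificate carries (CN or SAN DNS).

# Print the subject CN and every subjectAltName DNS entry of the PEM
# certificate read from stdin, one name per line (needs the openssl CLI).
pem_names() {
    tmp=$(mktemp) && cat >"$tmp"
    openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -noout -text -in "$tmp" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
    rm -f "$tmp"
}

# Return 0 when HOST matches NAME: case-insensitive exact match, or a wildcard
# that is the whole leftmost label (RFC 6125 style, e.g. *.example.net).
name_matches() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$h" = "$n" ] && return 0
    case "$n" in
        \*.*)
            rest=${h#*.}   # host minus its leftmost label
            [ "$rest" != "$h" ] && [ "$rest" = "${n#\*.}" ] && return 0
            ;;
    esac
    return 1
}

# Return 0 when HOST matches any of the whitespace-separated NAMES.
host_in_names() {
    for _n in $2; do
        name_matches "$1" "$_n" && return 0
    done
    return 1
}

# Read the server certificate the way the answer suggests, refuse to bind if
# HOST is not one of its names, otherwise run ldapsearch with LDAPTLS_CACERT set.
ldapsearch_checked() {
    host=$1; port=$2; ca=$3; shift 3
    names=$(openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>/dev/null | pem_names)
    if ! host_in_names "$host" "$names"; then
        printf 'refusing: %s is not in the server certificate (%s)\n' "$host" "$(echo $names)" >&2
        return 1
    fi
    LDAPTLS_CACERT=$ca ldapsearch -H "ldaps://$host:$port/" "$@"
}
# e.g. ldapsearch_checked ldap.example.net 636 /certificate.pem -D 'cn=user,dc=example,dc=net' -W -b 'dc=example,dc=net' '(uid=someone)'
```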