I want to search for a user using ldapsearch.
But the hosting provider gave me a certificate (CA). I added that certificate in my ldap.conf. So before executing the ldapsearch command I am running openssl as follows:
openssl s_client -connect hostname -CAfile /certificate.pem
After connecting via openssl I am executing the following command in another terminal:
ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net
Now I want to know: is there any way to use the certificate while executing the ldapsearch command?
This should be doable by performing:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net
although I'd use:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D [email protected], dc=global,dc=example,dc=net
to ensure that it tries with ldaps, rather than heuristics.
If you're still getting errors, you can add -ZZ, which will give better error messages.
An obvious gotcha is using an expired cert; the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno
- there will be a line reading something like:
subject=/C=IE/CN=hostname.domain.local
You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match then you'll not be able to connect (this is simple cert validation; if there are alternative names then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS).
A final caveat is that Mac OS X does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OS X in this case).
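The two checks the answer describes (does the host you pass to ldapsearch appear as the CN or a DNS subjectAltName of the server certificate, and is the search run over ldaps:// with LDAPTLS_CACERT set) as one script. This is an added example, not code from the question or the answer; it assumes openssl and ldapsearch are on PATH, that /certificate.pem is the provider's CA file, and the host, port, bind DN and base DN in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answer): confirm the LDAP host is a
# name the server certificate is issued for (subject CN or a DNS: entry in
# subjectAltName), then run ldapsearch over ldaps:// with LDAPTLS_CACERT set.
# Assumed: openssl and ldapsearch on PATH; /certificate.pem is the CA file.

# host_matches HOST NAMES: 0 if HOST equals one of the whitespace-separated
# NAMES (case-insensitive). One leading wildcard label is honoured:
# *.example.net matches ldap.example.net, not example.net or a.b.example.net.
host_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Names come via a here-document: no glob expansion of '*', no subshell.
    while IFS= read -r name; do
        case "$name" in
            '') continue ;;
            \*.*)
                suffix=${name#\*}                 # ".example.net"
                head=${host%"$suffix"}            # part of HOST before suffix
                [ "$head" != "$host" ] && [ -n "$head" ] &&
                    [ "${head#*.}" = "$head" ] && return 0 ;;
            *)
                [ "$host" = "$name" ] && return 0 ;;
        esac
    done <<EOF
$(printf '%s\n' "$2" | tr 'A-Z ' 'a-z\n')
EOF
    return 1
}

# Fetch the server certificate as the answer does and print the names it is
# valid for: the subject CN, then every DNS: entry of subjectAltName.
server_cert_names() {
    text=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -text)
    printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p'
    printf '%s\n' "$text" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
# run_ldapsearch HOST PORT CAFILE BINDDN BASE [filter...]
run_ldapsearch() {
    host=$1; port=$2; cafile=$3; binddn=$4; base=$5; shift 5
    if ! host_matches "$host" "$(server_cert_names "$host" "$port" "$cafile")"; then
        echo "refusing: '$host' is not a CN/SAN name in the server certificate" >&2
        return 1
    fi
    # ldaps:// on the LDAPS port; do not add -ZZ here, StartTLS is for ldap://.
    LDAPTLS_CACERT=$cafile ldapsearch -H "ldaps://$host:$port/" -D "$binddn" -W -b "$base" "$@"
}
# Usage (placeholders): run_ldapsearch ldap.example.net 636 /certificate.pem \
#     'cn=reader,dc=global,dc=example,dc=net' 'dc=global,dc=example,dc=net' '(uid=jdoe)'
```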