Wednesday, August 03, 2011

ldapsearch SSL with ApacheDS

Self signed certificates are treated different by the ldap cli tools.

The task was to connect with ldapsearch to a remote ApacheDS server serving SSL. Long story short the certificate is self signed and only certain IP range can access the server via LDAP over SSL (TLS).

Here are the steps showing how to configure ldapsearch and the rest of ldap tools to work with SSL (both signed and self signed):

  1. If not using self signed certificate then get the server certificate
    $ openssl s_client -connect ldap.nestorurquiza.com:636
    
  2. Non self signed certificate: Create a file with the contents from "-----BEGIN CERTIFICATE-----" up to "-----END CERTIFICATE-----") from the previous command
    $ sudo mkdir /etc/openldap/certs/
    $ vi /etc/openldap/certs/ldap.nestorurquiza.com.cert
    
  3. Be sure your certificate is not self signed. Basically check for a return code=0, not someting like "Verify return code: 18 (self signed certificate)"
    $ openssl s_client -connect ldap.nestorurquiza.com:636 -CAfile ldap.nestorurquiza.com.cert
    
  4. Edit the ldap configuration
    $ vi /etc/openldap/ldap.conf
    ...
    #Use the below if you want ldapsearch to work with self signed certificate. Probably a better option security wise is to buy a certificate right ;-) Note that the path is for OSX. For Ubuntu it is /etc/ldap/certs...
    #TLS_REQCERT    demand
    TLS_REQCERT     never
    #Use the below for non self signed certificates
    #TLS_CERT    /etc/openldap/certs/ldap.nestorurquiza.com.cert
    
  5. Run an ldapsearch command to be usre you get the ldif result
    ldapsearch -x -v -H ldaps://ldap.nestorurquiza.com:10636 -D "uid=admin,ou=system" -w 'secretPassword' -b "o=nestorurquiza"
    

No comments:

Followers