 

LDAP search user based on certificate in Linux command line

I want to search for a user using ldapsearch, but the hosting provider gave me a certificate from the CA. I added that certificate to my ldapconf.

Before executing the ldapsearch command I am running openssl as follows:

openssl s_client -connect hostname -CAfile /certificate.pem

After connecting via openssl, I execute the following command in another terminal:

ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net 

Now I want to know, is there any way to use the certificate while executing the ldapsearch command?

AnNaMaLaI asked Dec 25 '22 00:12


1 Answer

This should be doable by performing:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D [email protected], dc=global,dc=example,dc=net

although I'd use:

env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D [email protected], dc=global,dc=example,dc=net

to ensure that it tries with ldaps, rather than heuristics.

If you're still getting errors, you can add -ZZ, which will give better error messages.

An obvious gotcha is using an expired cert; the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:

subject=/C=IE/CN=hostname.domain.local

You have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match, you'll not be able to connect (this is simple cert validation; if there are alternative names, you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS).

A final caveat is that Mac OS X does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OS X in this case).

Petesh answered Mar 26 '23 21:03
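The procedure from the answer above (trust the CA via LDAPTLS_CACERT, force ldaps:// instead of letting ldapsearch guess, and check that the hostname you connect to is the CN or a DNS subjectAltName of the server certificate) as one shell script. This is an added example, not code from the question or the answer. It assumes openssl and ldapsearch are on PATH, and /certificate.pem, hostname and portno are the placeholders from the question; the bind identity is left for you to supply because the original post does not show it in full.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the answer's advice in
# shell functions. Assumes openssl and ldapsearch are on PATH; /certificate.pem,
# hostname and portno stand in for the values from the question.
set -eu

# Print the subject CN and every DNS subjectAltName of a PEM certificate,
# one name per line:  cert_names /path/to/cert.pem
cert_names() {
    pem="$1"
    # RFC2253 formatting gives "subject=CN=ldap.example.net,C=IE" regardless
    # of OpenSSL version, so one sed pattern extracts the CN.
    openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    # The SAN extension prints as "DNS:ldap.example.net, DNS:*.example.net".
    openssl x509 -noout -text -in "$pem" \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed if HOST equals one of NAME..., or is covered by a wildcard name.
# A wildcard covers exactly one label: *.example.net matches ldap.example.net
# but neither example.net nor a.b.example.net (the usual TLS rule).
host_matches() {
    host="$1"
    shift
    for name in "$@"; do
        case "$name" in
            "$host") return 0 ;;
            \*.*)
                suffix="${name#\*}"             # ".example.net"
                label="${host%"$suffix"}"        # "ldap" if host ends in suffix
                [ "$label" != "$host" ] && [ -n "$label" ] && \
                    [ "$label" = "${label%%.*}" ] && return 0
                ;;
        esac
    done
    return 1
}

# Report whether HOST is covered by the certificate in PEM (exit 0) or not (exit 1).
check_hostname() {
    host="$1"; pem="$2"
    set -f                      # keep the shell from globbing "*.example.net"
    set -- $(cert_names "$pem")
    set +f
    if host_matches "$host" "$@"; then
        echo "ok: $host is covered by the certificate ($*)"
        return 0
    fi
    echo "mismatch: $host is not among: $*" >&2
    return 1
}

# Save the server's leaf certificate to OUT, the same way the answer reads it
# with openssl s_client. -servername sends SNI so a virtual-hosted server
# presents the right certificate; </dev/null ends the session after the handshake.
fetch_server_cert() {
    host="$1"; port="$2"; cafile="$3"; out="$4"
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | openssl x509 -out "$out"
}

# ldaps_search CAFILE HOST PORT BINDDN BASE [ldapsearch args...]
# Fetch and check the server certificate first, then search over ldaps with
# the CA supplied through LDAPTLS_CACERT for this one invocation.
ldaps_search() {
    cafile="$1"; host="$2"; port="$3"; binddn="$4"; base="$5"; shift 5
    leaf=$(mktemp)
    fetch_server_cert "$host" "$port" "$cafile" "$leaf"
    check_hostname "$host" "$leaf" || { rm -f "$leaf"; return 1; }
    rm -f "$leaf"
    # -H ldaps:// forces TLS from the first byte instead of StartTLS heuristics;
    # -W prompts for the bind password so it never lands in shell history.
    LDAPTLS_CACERT="$cafile" ldapsearch -H "ldaps://$host:$port/" \
        -D "$binddn" -W -b "$base" "$@"
}

# Run directly (bind identity not shown in the original post, supply your own):
#   sh ldaps_check.sh /certificate.pem hostname portno '<bind identity>' \
#       'dc=global,dc=example,dc=net' '(objectClass=person)'
if [ "$#" -ge 5 ]; then
    ldaps_search "$@"
fi
```

check_hostname is deliberately run against the leaf certificate fetched from the server, not against /certificate.pem: the file the provider handed over is the CA certificate, and its CN says nothing about which hostname the LDAP server itself is allowed to answer to. Running the name check before ldapsearch turns the answer's second gotcha into a clear "mismatch" message instead of a generic TLS failure.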