A.2. Using SSL/TLS and Start TLS with LDAP Client Tools
There are three things that must be configured for SSL/TLS connections with LDAP command-line tools:
- The appropriate environment variables must be set before running the command.
- The appropriate arguments must be passed with the command to identify the server to which to connect. This requires either -H to specify an LDAP or LDAPI URL, or -h and -p to give the fully-qualified domain name and port of the server.

  Note: The fully-qualified domain name is always required with the -h option. This prevents man-in-the-middle attacks.
- SSL/TLS must be specified. This can be done by invoking Start TLS with the -Z or -ZZ (force Start TLS) options. Start TLS is described in Section 7.5, "Command-Line Functions for Start TLS". For example:

  ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "dc=example,dc=com" -s sub -x -ZZ "(objectclass=*)"

  Alternatively, this can be done using the LDAPS protocol with -H, or using the secure LDAPS port with the -p option. Although using the ldaps protocol is supported, it is deprecated. The recommended method is to use Start TLS.
When using SSL/TLS with LDAP command-line tools for client connections, the appropriate TLS environment variables (Section A.1, “Environment Variables Used with LDAP Client Tools”) must be set in order to access the required security databases and certificates.
To set up system-wide SSL/TLS configuration for LDAP tools, edit the ldap.conf file. To edit per-user SSL/TLS configuration for LDAP tools, edit the $HOME/.ldaprc profile for the specific user. Whichever file is edited, the same configuration parameters need to be set.
- Open the ldap.conf file or the $HOME/.ldaprc profile. For example:

  vim /etc/openldap/ldap.conf

  Note: These parameters can also be set as environment variables. See Table A.1, "LDAP Tools Environment Variables" for the variable names.
- Add a line to define the security databases directory location. This is required.

  TLS_CACERTDIR /etc/dirsrv/slapd-instance_name

- Optionally, add lines for the client certificate name and the token database password for the Directory Server's NSS security databases. This allows certificate-based client authentication.

  TLS_CERT Server-Cert
  TLS_KEY internal:secret
Once the security database parameters are set, SSL/TLS connections can be invoked with the LDAP command-line tools. For example, -ZZ opens a Start TLS connection and forces the use of TLS, or the operation fails:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "dc=example,dc=com" -s sub -x -ZZ "(objectclass=*)"
The -x option allows simple (user name/password) binds. Alternatively, use the -Y EXTERNAL option to indicate that an authentication method other than SASL is being used. The -Y EXTERNAL argument can be used with client authentication:
ldapsearch -H ldaps://server.example.com:636 -b "dc=example,dc=com" -Y EXTERNAL "givenname=Richard"
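The following script is an added example and is not part of the Red Hat Directory Server documentation. It automates the per-user procedure above: it writes $HOME/.ldaprc with the TLS_CACERTDIR, TLS_CERT and TLS_KEY parameters, checks that the directory named by TLS_CACERTDIR really contains an NSS certificate database, refuses a profile whose TLS_KEY password is readable by other users, and runs the documented ldapsearch with -ZZ so that the search fails rather than silently falling back to cleartext. The NSS database file names (cert8.db, cert9.db) are an assumption about NSS, not something stated on this page; the instance path, certificate nickname, password and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat Directory Server documentation.
# Writes a per-user .ldaprc, validates it, and runs ldapsearch over Start TLS.
# Paths, nickname, password and host below are constructed placeholders.

# write_ldaprc FILE CACERTDIR CERTNAME TOKENPW
# Writes the three parameters from the procedure into FILE. The file is created
# under umask 077 and set to mode 0600 because TLS_KEY carries the NSS token
# password in the clear.
write_ldaprc() {
    file=$1; cacertdir=$2; certname=$3; tokenpw=$4
    ( umask 077
      {
          printf 'TLS_CACERTDIR %s\n' "$cacertdir"
          printf 'TLS_CERT %s\n' "$certname"
          printf 'TLS_KEY internal:%s\n' "$tokenpw"
      } > "$file" ) || return 1
    chmod 600 "$file"
}

# check_ldaprc FILE
# Returns 0 when FILE names a TLS_CACERTDIR that exists and holds an NSS
# certificate database, and when a TLS_KEY line (token password) is present
# only in a file that other users cannot read.
check_ldaprc() {
    file=$1
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    cacertdir=$(awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$file")
    [ -n "$cacertdir" ] || { echo "TLS_CACERTDIR is not set in $file" >&2; return 1; }
    [ -d "$cacertdir" ] || { echo "$cacertdir does not exist" >&2; return 1; }
    # Assumption about NSS: a database is cert8.db (legacy dbm) or cert9.db (sqlite)
    if [ ! -f "$cacertdir/cert8.db" ] && [ ! -f "$cacertdir/cert9.db" ]; then
        echo "no NSS certificate database found in $cacertdir" >&2; return 1
    fi
    # Group and other permission bits are columns 5-10 of "ls -l" output
    if grep -q '^TLS_KEY' "$file"; then
        case $(ls -ld "$file" | cut -c5-10) in
            ------) ;;
            *) echo "$file holds a token password but is readable by other users" >&2; return 1 ;;
        esac
    fi
    return 0
}

# tls_search FQDN PORT BINDDN BASEDN FILTER
# Runs the documented search with Start TLS forced (-ZZ). The host must be a
# fully-qualified domain name, as the documentation requires for -h; a bare
# short name is rejected before any connection is attempted.
tls_search() {
    host=$1; port=$2; binddn=$3; basedn=$4; filter=$5
    case $host in
        *.*) ;;
        *) echo "give the fully-qualified domain name, not '$host'" >&2; return 1 ;;
    esac
    ldapsearch -x -ZZ -D "$binddn" -W -h "$host" -p "$port" -b "$basedn" -s sub "$filter"
}

# Run the whole procedure when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then
    write_ldaprc "$HOME/.ldaprc" /etc/dirsrv/slapd-instance_name Server-Cert secret
    check_ldaprc "$HOME/.ldaprc" || exit 1
    tls_search server.example.com 389 "cn=directory manager" "dc=example,dc=com" "(objectclass=*)"
fi
```

The permission check is the part worth keeping even if the rest is adapted: the TLS_KEY line is the only place on this page where a password is written to disk, so a world-readable .ldaprc hands the NSS token password to every local user. The FQDN check in tls_search enforces the note above about -h mechanically instead of relying on the operator to remember it.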