A.2. Using SSL/TLS and Start TLS with LDAP Client Tools
- The appropriate environment variables must be set before running the command.
- The appropriate arguments must be passed with the command to identify the server to which to connect. This requires either -H to specify an LDAP or LDAPS URL, or -h and -p to give the fully-qualified domain name and port of the server.
Note: The fully-qualified domain name is always required with the -h option. The client checks that the name it was told to connect to matches the subject of the server's certificate, so -h must carry the same fully-qualified name that the certificate was issued for; that check is what defeats man-in-the-middle attacks, and an IP address or a short host name cannot pass it.
- SSL/TLS must be specified. This can be done by invoking Start TLS with the -ZZ (force Start TLS) option. Start TLS is described in Section 7.5, “Command-Line Functions for Start TLS”. For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "dc=example,dc=com" -s sub -x -ZZ "(objectclass=*)"
Alternatively, this can be done using the LDAPS protocol by passing an ldaps:// URL with -H. Giving -p the secure LDAPS port (636) on its own is not enough: the OpenLDAP tools do not switch to TLS because of the port number, so without an ldaps:// URL the connection is attempted as plain LDAP. Although using the ldaps protocol is supported, it is deprecated. The recommended method is to use Start TLS.
ldap.conf file. To edit per-user SSL/TLS configuration for LDAP tools, edit the $HOME/.ldaprc profile for the specific user. Whichever file is edited, the same configuration parameters need to be set.
- Open the $HOME/.ldaprc profile.
Note: These parameters can also be set as environment variables. See Table A.1, “LDAP Tools Environment Variables” for the variable names.
- Add a line to define the security databases directory location (the TLS_CACERTDIR parameter, pointing at the NSS database directory). This is required.
- Optionally, add lines for the client certificate nickname and the token database password for the Directory Server's NSS security databases. This allows certificate-based client authentication:
TLS_CERT Server-Cert
TLS_KEY internal:secret
Because the token password is stored in clear text, the profile must be readable only by its owner.
-ZZ opens a Start TLS connection and forces the use of TLS: if Start TLS cannot be negotiated, the operation fails instead of falling back to a clear-text connection:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "dc=example,dc=com" -s sub -x -ZZ "(objectclass=*)"
-x selects simple (user name/password) binds. Alternatively, use -Y EXTERNAL to select the SASL EXTERNAL mechanism, which takes the identity from the client certificate presented during the TLS handshake instead of from a bind password; it therefore requires the TLS_CERT and TLS_KEY settings above. The -Y EXTERNAL argument can be used with client authentication:
ldapsearch -H ldaps://server.example.com:636 -b "dc=example,dc=com" -Y EXTERNAL "(givenname=Richard)"
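The per-user profile and the two command lines above, as an added example that is not from the Directory Server documentation: a POSIX shell script that writes a $HOME/.ldaprc with owner-only permissions and prints (rather than runs) the Start TLS and LDAPS/SASL EXTERNAL ldapsearch invocations, refusing a host that is not a fully-qualified domain name. The NSS database directory /etc/dirsrv/slapd-example, the nickname Client-Cert, the PIN secret and the explicit TLS_REQCERT line are assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Directory Server documentation. Writes a
# per-user .ldaprc for the OpenLDAP client tools and builds the two
# ldapsearch command lines from this section. The database directory,
# certificate nickname and PIN used below are assumptions for illustration.

# write_ldaprc HOME_DIR CERTDB_DIR [CERT_NICKNAME TOKEN_PIN]
# Writes HOME_DIR/.ldaprc and prints its path. TLS_CACERTDIR (required)
# names the NSS database directory; TLS_CERT/TLS_KEY (optional) enable
# certificate-based client authentication.
write_ldaprc() {
    home_dir=$1; certdb=$2; nick=$3; pin=$4
    rc="$home_dir/.ldaprc"
    # The token PIN is stored in clear text: create the file owner-only
    # from the start (umask), then pin the mode in case it already existed.
    ( umask 077
      {
          echo "TLS_CACERTDIR $certdb"
          # demand is the OpenLDAP default; stated explicitly so it is not
          # silently weakened to allow/never later
          echo "TLS_REQCERT demand"
          if [ -n "$nick" ]; then
              echo "TLS_CERT $nick"
              echo "TLS_KEY internal:$pin"
          fi
      } > "$rc" )
    chmod 600 "$rc"
    echo "$rc"
}

# check_fqdn HOST: fail unless HOST is a fully-qualified domain name. The
# client compares this name with the subject of the server certificate, so
# an IP address or a short host name cannot pass verification.
check_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;    # contains something other than digits and dots
        *) echo "refusing IP address: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *.*) return 0 ;;
        *)   echo "refusing unqualified host name: $1" >&2; return 1 ;;
    esac
}

# starttls_cmd HOST PORT BASEDN FILTER: print a Start TLS ldapsearch that
# uses a simple bind (-x) and fails instead of falling back to clear text (-ZZ).
starttls_cmd() {
    check_fqdn "$1" || return 1
    printf 'ldapsearch -x -ZZ -h %s -p %s -D "cn=directory manager" -W -b "%s" -s sub "%s"\n' \
        "$1" "$2" "$3" "$4"
}

# ldaps_external_cmd HOST PORT BASEDN FILTER: print an LDAPS ldapsearch that
# authenticates with the client certificate named in .ldaprc (SASL EXTERNAL).
ldaps_external_cmd() {
    check_fqdn "$1" || return 1
    printf 'ldapsearch -H ldaps://%s:%s -Y EXTERNAL -b "%s" "%s"\n' "$1" "$2" "$3" "$4"
}

# Stand-alone run: write a profile under a scratch directory and show both commands.
scratch=$(mktemp -d)
write_ldaprc "$scratch" /etc/dirsrv/slapd-example Client-Cert secret
starttls_cmd server.example.com 389 "dc=example,dc=com" "(objectclass=*)"
ldaps_external_cmd server.example.com 636 "dc=example,dc=com" "(givenname=Richard)"
```

Point write_ldaprc at the real home directory to produce the profile the tools read; the printed command lines can be pasted as-is. The FQDN check deliberately rejects both short names and IP literals, because either one causes certificate verification to fail (or, if TLS_REQCERT were relaxed, would leave the session open to interception).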