Connect to an LDAP server securely with SSL from the command line.

  • 7014867
  • 07-Apr-2014
  • 07-Apr-2014

Environment

NetIQ eDirectory 8.7 SP3
Novell LDAP Server

Situation

Cannot access LDAP over secure port 636 from the command line
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
ldap_bind: Can't contact LDAP server (-1)
Connect to an LDAP server securely with SSL from the command line.

Resolution

Novell's version of ldapsearch that comes with the NLDAP-base package does support specifying a DER file exported from eDirectory (TID# 10064408, steps 1-5; iManager 2.x does the same thing browsing to the Organizational CA or to a server's SSL certificate).

The syntax for an anonymous bind, assuming a valid DER file has been exported to /tmp/testCert.der, is:

ldapsearch -h 192.168.0.1 -p 636 -e /tmp/testCert.der

An authenticated bind would be as follows:

ldapsearch -h 192.168.0.1 -p 636 -e /tmp/testCert.der -D cn=admin,o=novell -W

In either command substitute in your own server's IP address and, if changed from 636, port number.  For the second command put in your adminsitrative user's full context (minus the Tree name) in LDAP (comma-separated) format.

The NLDAP-base package is installed by default to /usr/ldaptools and the ldapsearch command's path on OES Linux is /usr/ldaptools/bin/ldapsearch so if your $PATH variable has /usr/bin listed before /usr/ldaptools/bin you may need to specify the full path of the ldapsearch command listed above in order to make the command work correctly.

To see which command is specified without a full context entered you can type `which ldapsearch` (minus the backticks).  To have the /usr/ldaptools/bin version show up first you can change your PATH environment variable to search /usr/ldaptools/bin first.  Documentation on procedures to perform that operation are available online.

Additional Information

OpenLDAP's version of ldapsearch does not appear to automatically pull the SSL certificate from an LDAPS server.
Formerly known as TID# NOVL102930
Formerly known as TID# 10098437

Feedback service temporarily unavailable. For content questions or problems, please contact Support.