Sunday, April 6, 2014

Testing Active Directory SSL in LINUX with OpenLDAP

When setting up MicroStrategy LDAP Authentication over SSL (port 636), I found that testing the connection from the shell was very helpful.

If you have the latest OpenLDAP package installed on Linux, you can run the "ldapsearch" command.

This is an example:

ldapsearch -x -s base -H ldaps://.domain.com -b "" "(objectclass=*)"

ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This happens if you have not set a CA or updated the default CA location; for the default location, check /etc/openldap/ldap.conf.

Add the root CA for the Active Directory host to some location, either the default location or, say, /u01/MSTR/certs.

If using a new location:

export LDAPTLS_CACERT=/u01/MSTR/certs/cert.pem

ldapsearch -x -s base -H ldaps://.domain.com -b "" "(objectclass=*)" |grep result

# search result
result: 0 Success

This indicates that the TLS connection works (the server certificate now chains to the trusted CA) and you are getting a search result back. If you don't grep the output, you will get a large amount of it, since the base DSE lists every attribute the server publishes.
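As an added example (not from the original post), the script below wraps the same ldapsearch test as a shell function and classifies its output, so the "certificate verify failed" case and the "result: 0 Success" case are distinguished without reading the full base-DSE dump. The host name dc.example.com and the CA path /u01/MSTR/certs/cert.pem are assumed placeholders; the openssl s_client check is an independent way to confirm the same chain.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the ldapsearch test
# against the Active Directory base DSE over ldaps:// and interprets the
# output. Host name and CA path are parameters; "dc.example.com" and
# "/u01/MSTR/certs/cert.pem" below are assumed placeholder values.

# Return 0 when ldapsearch output (on stdin) carries "result: 0 Success".
ldaps_result_ok() {
    grep -q '^result: 0 Success'
}

# Classify the ldapsearch output read from stdin:
#   ca-not-trusted  - TLS handshake failed because the server certificate does
#                     not chain to a CA that OpenLDAP trusts (LDAPTLS_CACERT or
#                     the TLS_CACERT setting in ldap.conf needs the AD root CA)
#   ok              - bind and search succeeded
#   no-contact      - server unreachable or not listening on the port
#   unknown         - anything else
# The certificate check runs first because that failure also prints the
# generic "Can't contact LDAP server (-1)" line.
classify_ldap_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'certificate verify failed'; then
        echo ca-not-trusted
    elif printf '%s\n' "$out" | grep -q '^result: 0 Success'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q "Can't contact LDAP server"; then
        echo no-contact
    else
        echo unknown
    fi
}

# Run the base-DSE query over ldaps:// with an explicit CA file, so the check
# does not depend on a global LDAPTLS_CACERT export or on ldap.conf.
# ldapsearch reports bind errors on stderr, hence the 2>&1.
# Usage: test_ldaps dc.example.com /u01/MSTR/certs/cert.pem
test_ldaps() {
    host=$1
    cafile=$2
    LDAPTLS_CACERT="$cafile" ldapsearch -x -s base \
        -H "ldaps://$host" -b "" "(objectclass=*)" 2>&1 \
        | classify_ldap_output
}

# Independent check of the same chain with OpenSSL: a line reading
# "Verify return code: 0 (ok)" means the CA file validates the certificate
# the domain controller presents on port 636.
check_chain_with_openssl() {
    host=$1
    cafile=$2
    openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# When run as a script with two arguments, perform the live test:
#   ./ldaps_check.sh dc.example.com /u01/MSTR/certs/cert.pem
if [ $# -eq 2 ]; then
    test_ldaps "$1" "$2"
    check_chain_with_openssl "$1" "$2"
fi
```

If test_ldaps prints ca-not-trusted, the CA file does not contain the root that issued the domain controller's certificate; if it prints ok, the export of LDAPTLS_CACERT (or TLS_CACERT in ldap.conf) can be copied into the application's environment with confidence.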

References used:

http://www.openldap.org/lists/openldap-technical/201103/msg00317.html
http://www.commandlinefu.com/commands/view/2402/ldap-search-to-query-an-activedirectory-server
http://technet.microsoft.com/library/bb463158
http://techies.ncsu.edu/wiki/How_to_get_OpenSSL_to_recognise_an_Active_Directory_CA
