The task was to connect with ldapsearch to a remote ApacheDS server serving SSL. Long story short, the certificate is self signed and only a certain IP range can access the server via LDAP over SSL (TLS).
Here are the steps showing how to configure ldapsearch and the rest of the ldap tools to work with SSL (both CA signed and self signed):
- If not using a self signed certificate, get the server certificate:
$ openssl s_client -connect ldap.nestorurquiza.com:636
- Non self signed certificate: create a file with the contents from "-----BEGIN CERTIFICATE-----" up to "-----END CERTIFICATE-----" taken from the output of the previous command
$ sudo mkdir /etc/openldap/certs/
$ vi /etc/openldap/certs/ldap.nestorurquiza.com.cert
- Be sure your certificate is not self signed. Basically check for "Verify return code: 0 (ok)", not something like "Verify return code: 18 (self signed certificate)"
$ openssl s_client -connect ldap.nestorurquiza.com:636 -CAfile ldap.nestorurquiza.com.cert
- Edit the ldap configuration
$ vi /etc/openldap/ldap.conf
...
# Use the below if you want ldapsearch to work with a self signed certificate
# (TLS_REQCERT never disables server certificate verification entirely).
# Probably a better option security wise is to buy a certificate right ;-)
# Note that the path is for OSX. For Ubuntu it is /etc/ldap/certs...
#TLS_REQCERT demand
TLS_REQCERT never
# Use the below for non self signed certificates.
# TLS_CACERT is the option that names the trusted CA file; TLS_CERT (as originally written here)
# is the client certificate option and would not make the server certificate trusted.
#TLS_CACERT /etc/openldap/certs/ldap.nestorurquiza.com.cert
- Run an ldapsearch command to be sure you get the LDIF result
$ ldapsearch -x -v -H ldaps://ldap.nestorurquiza.com:10636 -D "uid=admin,ou=system" -w 'secretPassword' -b "o=nestorurquiza"
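The steps above can be wrapped in a small POSIX shell script that pulls the certificate out of the s_client output, checks the "Verify return code" line, and renders an ldap.conf fragment. This is an added example, not code from the original post or from ApacheDS/OpenLDAP; the s_client output embedded in it is constructed (the host ldap.example.com and the PEM body are placeholders), and fetch_server_cert, extract_pem_cert, verify_return_code, chain_verified and render_ldap_conf are names chosen here. The rendered config deliberately keeps TLS_REQCERT demand and points TLS_CACERT at the saved certificate, which works for a self signed server certificate as well as a CA signed one and avoids switching verification off with TLS_REQCERT never.

```shell
#!/bin/sh
# Constructed sample of `openssl s_client -connect host:636` output for a self signed
# certificate. Not captured from any real server; the PEM body is a placeholder.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = ldap.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIUPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----
subject=CN = ldap.example.com
issuer=CN = ldap.example.com
---
Verify return code: 18 (self signed certificate)
---'

# Constructed tail of s_client output for a certificate that verified against -CAfile.
SAMPLE_S_CLIENT_OK='Server certificate
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIUPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

# Keep only the PEM block, i.e. what the post says to paste into the .cert file. Reads stdin.
extract_pem_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Print the numeric verify return code from s_client output (0 means the chain verified). Reads stdin.
verify_return_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# Exit status 0 if the s_client output on stdin reports "Verify return code: 0", else 1.
chain_verified() {
    code=$(verify_return_code)
    [ "$code" = "0" ]
}

# Live helper (network): fetch the server certificate from host:port.
# </dev/null makes s_client close the connection instead of waiting for input.
fetch_server_cert() {
    host=$1
    port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | extract_pem_cert
}

# Render an ldap.conf fragment that trusts the given certificate file while keeping
# certificate verification enabled (TLS_REQCERT demand, the OpenLDAP default).
render_ldap_conf() {
    cafile=$1
    printf '%s\n' \
        "# Trust the server certificate saved from openssl s_client (CA signed or self signed)" \
        "TLS_CACERT $cafile" \
        "# Keep verification on; 'never' would accept any certificate the server presents" \
        "TLS_REQCERT demand"
}

# Stand-alone demo on the constructed sample (no network needed).
echo "Extracted certificate:"
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem_cert
echo "Verify return code: $(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | verify_return_code)"
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | chain_verified || echo "Chain did not verify; save the cert and point TLS_CACERT at it"
render_ldap_conf /etc/openldap/certs/ldap.example.com.cert
```

For a real server you would run `fetch_server_cert ldap.nestorurquiza.com 636 > /etc/openldap/certs/ldap.nestorurquiza.com.cert`, re-check with `openssl s_client ... -CAfile` as in the post, and then append the output of render_ldap_conf to ldap.conf.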