IBM Support

How to test the CA certificate and LDAP connection over SSL/TLS

How To


Summary

When you are configuring IBM Cloud Private (ICP) to connect to LDAP over SSL/TLS (LDAPS), it is sometimes necessary to test the CA certificate and the SSL/TLS connection first. Verify that the TLS handshake to the LDAP server completes successfully and that a simple LDAP search request gets a usable response from the server. It is helpful to run this test from a server before configuring LDAP over SSL for IBM Cloud Private.

This TechNote explains how to run the test using the ldapsearch utility and how to retrieve the CA root certificate from an LDAP server.

Objective

Steps


The ldapsearch client is included in the OpenLDAP client package (openldap-clients on RHEL, ldap-utils on Ubuntu). If it is not already installed on your server, use the following command to install it.
Red Hat Enterprise Linux (RHEL):
yum install openldap-clients -y
Ubuntu:
apt install ldap-utils
Retrieving the SSL certificate:
* You may have the option of requesting a copy of the LDAP server's root signing certificate directly from the LDAP administrator. If you obtain the certificate that way, skip this section.
* You can retrieve the LDAP server's root signing certificate using openssl s_client, as described in this section.
Using the -showcerts option of s_client we can show all certificates the LDAP server sends during the handshake, including the issuing and intermediate certificates. Note that many servers do not send the root certificate itself; in that case the issuer of the last certificate in the chain tells you which root you must obtain from the LDAP administrator or from the CA's published roots.

The following command splits the certificate chain into one file per certificate. Replace the LDAPserver:port and the name of the output files.
openssl s_client -showcerts -verify 5 -connect bluepages.ibm.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
verify depth is 5
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = US, ST = New York, L = Armonk, O = INTERNATIONAL BUSINESS MACHINES CORPORATION, CN = bluepages.ibm.com
verify return:1
DONE
 
You will find multiple .pem files in the current directory. 
ls -l

-rw-r--r-- 1 root root 2508 Dec 14 17:13 bluePage-cert1.pem
-rw-r--r-- 1 root root 1639 Dec 14 17:13 bluePage-cert2.pem
-rw-r--r-- 1 root root 1294 Dec 14 17:13 bluePage-cert3.pem

Verify each file and find the root CA certificate to use with ldapsearch to connect to the LDAP server. Note that openssl verify checks against the system trust store, so "OK" for a file means it chains to a root the system already trusts; a root certificate is the one whose chain contains only itself.
 
for cert in *.pem; do openssl verify -show_chain $cert ; done 
C = US, ST = New York, L = Armonk, O = INTERNATIONAL BUSINESS MACHINES CORPORATION, CN = bluepages.ibm.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error bluePage-cert1.pem: verification failed

bluePage-cert2.pem: OK
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1 (untrusted)
depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
bluePage-cert3.pem: OK
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
In the above example, bluePage-cert3.pem contains the "DigiCert Global Root G2" certificate, which is self-signed (its chain has only the depth=0 entry). Find the root CA for your LDAP server; it is typically the final certificate in the chain presented by the LDAP server, and its subject equals its issuer.
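The procedure above (split the chain that s_client captured, pick the self-signed root, verify the leaf against it) as one script. This is an added example, not part of the IBM technote: it assumes openssl is on PATH, the file names (chain.txt, ldap-cert*.pem) are this example's own, and the host:port in the usage line is a placeholder. It also handles the case the technote only mentions in passing, a server that does not send its root, by printing which issuer you have to obtain instead.

```shell
#!/bin/sh
# Added example (not from the IBM technote): split a chain captured with
# "openssl s_client -showcerts" into one PEM file per certificate, pick the
# self-signed root (subject == issuer) for TLS_CACERT, and verify the leaf
# against it. Assumes openssl is on PATH; file names are this example's own.

# split_chain CHAIN_FILE PREFIX
# Writes PREFIX1.pem, PREFIX2.pem, ... in the order the server sent them
# (leaf first) and prints how many certificates were written.
split_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
            if (/-----BEGIN CERTIFICATE-----/) n++
            f = p n ".pem"
            print > f
            if (/-----END CERTIFICATE-----/) close(f)
        }
        END { print n + 0 }' "$1"
}

# cert_dn FILE FIELD   (FIELD is subject or issuer) -> DN without the "subject=" prefix
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# find_root_ca FILE...  -> prints the first file whose subject equals its issuer.
# If the server did not include its root (common), nothing is self-signed:
# the issuer DN of the last file is printed on stderr so you know which root to obtain.
find_root_ca() {
    last=""
    for f in "$@"; do
        last="$f"
        if [ "$(cert_dn "$f" subject)" = "$(cert_dn "$f" issuer)" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no self-signed root in chain; obtain the root CA for: $(cert_dn "$last" issuer)" >&2
    return 1
}

# verify_leaf ROOT LEAF [INTERMEDIATE...] -> exit 0 if LEAF chains to ROOT.
# -untrusted supplies intermediates without trusting them as anchors.
verify_leaf() {
    root="$1"; leaf="$2"; shift 2
    untrusted=""
    for i in "$@"; do untrusted="$untrusted -untrusted $i"; done
    # shellcheck disable=SC2086  # intentional word splitting of -untrusted args
    openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# Usage: sh chaincheck.sh ldap.example.test:636   (host:port is a placeholder)
if [ $# -ge 1 ]; then
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null >chain.txt
    count=$(split_chain chain.txt ldap-cert)
    echo "server sent $count certificate(s)"
    root=$(find_root_ca ldap-cert*.pem) || exit 1
    echo "root CA file: $root  ($(cert_dn "$root" subject))"
    # every file that is neither the root nor the leaf (always file 1) is an intermediate
    inter=""
    for f in ldap-cert*.pem; do
        [ "$f" = "$root" ] || [ "$f" = ldap-cert1.pem ] || inter="$inter $f"
    done
    # shellcheck disable=SC2086
    verify_leaf "$root" ldap-cert1.pem $inter && echo "leaf verifies against $root"
fi
```

The file printed by find_root_ca is the one to put in TLS_CACERT. If it reports that no certificate in the chain is self-signed, do not work around it by trusting an intermediate: fetch the named root from the administrator or the CA and re-run verify_leaf with it.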

Configure the ldapsearch client to use the certificate you created:
The "/etc/openldap/ldap.conf" configuration file (on Ubuntu and Debian, "/etc/ldap/ldap.conf") is used by client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, and so on.

Add the certificate filename, including the full path, to the ldap.conf file. You can use the TLS_CACERT or TLS_CACERTDIR directive.
The TLS_CACERT directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize. ( TLS_CACERT      /etc/openldap/certs/bluePage-cert3.pem )
The TLS_CACERTDIR directive specifies the path of a directory that contains Certificate Authority certificates in separate individual files. ( TLS_CACERTDIR  /etc/ssl/certs )
TLS_CACERT is always used before TLS_CACERTDIR.

For the connection test use the TLS_CACERT directive and add the full path of the CA certificate:
 
vi /etc/openldap/ldap.conf
.....
TLS_CACERT      /etc/openldap/certs/bluePage-cert3.pem
 .....
 
Test the certificate using the ldapsearch command:
ldapsearch -H  ldaps://bluepages.ibm.com:636 -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"
   Where  -H URI     LDAP Uniform Resource Identifier(s)
          -d level   set LDAP debugging level to `level'
          -b basedn  base dn for search
          -D binddn  bind DN
          -s scope   search scope one of base, one, sub or children
          
If the correct certificate is added to the ldap.conf file, the output will end with `result: 0 Success` (the filter matches nothing at base scope, so no entries are returned; the TLS handshake and the search itself are what is being tested):
ldapsearch -H  ldaps://bluepages.ibm.com:636 -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"

# extended LDIF
# LDAPv3
# base <o=ibm.com> with scope baseObject
# filter: (&(emailAddress=%v)(objectclass=ePerson))
# requesting: ALL

# search result

search: 2
result: 0 Success

# numResponses: 1
If you use the wrong certificate (one that does not chain to the LDAP server's root CA), the output will be:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
You can use the "-d 1" option to debug the ldapsearch connection and certificate issue:
ldapsearch -d 1 -H  ldaps://bluepages.ibm.com:636  -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"
Output for debug level 1. The key line is "TLS certificate verification: Error, self signed certificate in certificate chain" (err: 19): OpenSSL walked the chain up to the self-signed DigiCert Global Root G2 without finding it in the TLS_CACERT file, so the client sends the "unknown CA" alert and aborts the handshake before the bind is attempted. It does not indicate a problem on the server side.
 
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636)
ldap_create
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP bluepages.ibm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.57.182.78:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
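The same connection test as a script that classifies the "-d 1" output into a single verdict, so the success, wrong-certificate and no-connection cases above can be told apart without reading the trace each time. This is an added example, not part of the IBM technote. It uses the LDAPTLS_CACERT environment variable, which the OpenLDAP client library honours as an override of the TLS_CACERT directive, so the test can try a candidate CA file without editing /etc/openldap/ldap.conf; the filter "(objectclass=*)", the -x simple bind, the host names and the exit codes are this example's own choices, and the embedded sample output is constructed from the failure lines shown above.

```shell
#!/bin/sh
# Added example (not from the IBM technote): run the ldapsearch connection test
# with a chosen CA file and turn the "-d 1" output into a single verdict.
# LDAPTLS_CACERT is the environment override for the TLS_CACERT directive, so
# the test does not need to edit /etc/openldap/ldap.conf. The filter
# "(objectclass=*)", the exit codes and the URIs below are this example's own choices.

# diagnose_ldap_output  (reads ldapsearch stdout+stderr on stdin)
# Prints one verdict line; exit status 0 = OK, 2 = CA not trusted,
# 3 = connection failed before TLS/bind, 4 = unrecognised output.
diagnose_ldap_output() {
    out=$(cat)
    case "$out" in
        *"result: 0 Success"*)
            echo "OK: TLS handshake and base search succeeded"
            return 0 ;;
        *"certificate verify failed"*)
            # e.g. "(self signed certificate in certificate chain)" -> err 19,
            # which means the chain ended at a root that is not in TLS_CACERT.
            reason=$(printf '%s\n' "$out" \
                | sed -n 's/.*certificate verify failed (\(.*\))\..*/\1/p' | head -n 1)
            echo "TLS_TRUST: ${reason:-unknown reason}; TLS_CACERT does not hold the server's root CA"
            return 2 ;;
        *"Can't contact LDAP server"*)
            echo "CONNECT: no TLS error reported, check host, port 636 and firewall"
            return 3 ;;
        *)
            echo "UNKNOWN: inspect the full -d 1 output"
            return 4 ;;
    esac
}

# run_ldaps_check URI BASEDN CAFILE -> verdict line; same exit codes as above.
# -x forces a simple (anonymous) bind; -s base with (objectclass=*) only checks
# that the server answers, which is all the certificate test needs.
run_ldaps_check() {
    LDAPTLS_CACERT="$3" ldapsearch -x -d 1 -H "$1" -b "$2" -D "" -s base '(objectclass=*)' 2>&1 \
        | diagnose_ldap_output
}

# Constructed sample: the failure lines from the technote's -d 1 output.
SAMPLE_UNTRUSTED_CA='TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can'"'"'t connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_sasl_bind(SIMPLE): Can'"'"'t contact LDAP server (-1)'

# Usage: sh ldapscheck.sh ldaps://ldap.example.test:636 o=example /etc/openldap/certs/root.pem
# With no arguments, the constructed sample is diagnosed instead of a live server.
if [ $# -eq 3 ]; then
    run_ldaps_check "$1" "$2" "$3"
else
    if printf '%s\n' "$SAMPLE_UNTRUSTED_CA" | diagnose_ldap_output; then :; else
        echo "exit status: $?"
    fi
fi
```

Run it once with the candidate root file and once with a deliberately wrong file: the first should print the OK line, the second the TLS_TRUST line naming the same verify failure the trace above shows. A CONNECT verdict with no TLS error at all means the socket never opened, which is a network or port problem rather than a certificate problem.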

Document Location

Worldwide


Product Synonym

icp;common services;

Document Information

Modified date:
15 December 2020

UID

ibm16382146