How To
Summary
When you are configuring IBM Cloud Private (ICP) to connect to LDAP over SSL/TLS (LDAPS), it may be necessary to test the CA certificate and the SSL/TLS connection: verify that the handshake to the LDAP server completes successfully and that a simple LDAP search request gets a usable response from the LDAP server. It is helpful to run this test from a server before configuring LDAP over SSL for IBM Cloud Private.
This TechNote explains how to run the test using the ldapsearch utility and how to retrieve the CA root certificate from an LDAP server.
Objective
Steps
- How to retrieve the CA root certificate from an LDAP server
- How to run the test using ldapsearch utility
Install the OpenLDAP client utilities (RHEL/CentOS or Debian/Ubuntu):
```
yum install openldap-clients -y
apt install ldap-utils
```
With the -showcerts option of openssl s_client, we can display all certificates the LDAP server sends during a handshake, including the issuing and intermediate certificates. The following command splits that output and creates one file per certificate. Replace the LDAPserver:port and the name of the output file.
```
openssl s_client -showcerts -verify 5 -connect bluepages.ibm.com:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="bluePage-cert"a".pem"; print >out}'
```
```
verify depth is 5
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = US, ST = New York, L = Armonk, O = INTERNATIONAL BUSINESS MACHINES CORPORATION, CN = bluepages.ibm.com
verify return:1
DONE
```
```
ls -l
-rw-r--r-- 1 root root 2508 Dec 14 17:13 bluePage-cert1.pem
-rw-r--r-- 1 root root 1639 Dec 14 17:13 bluePage-cert2.pem
-rw-r--r-- 1 root root 1294 Dec 14 17:13 bluePage-cert3.pem
```
Verify each extracted file with -show_chain to see where it sits in the chain; the file whose chain consists only of itself at depth 0 is the self-signed root CA:
```
for cert in *.pem; do openssl verify -show_chain $cert ; done
error 20 at 0 depth lookup: unable to get local issuer certificate
error bluePage-cert1.pem: verification failed
bluePage-cert2.pem: OK
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1 (untrusted)
depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
```
Add the certificate filename, including the full path, to the ldap.conf file. You can use either the TLS_CACERT or the TLS_CACERTDIR directive.
The TLS_CACERTDIR directive specifies the path of a directory that contains Certificate Authority certificates in separate individual files (for example, TLS_CACERTDIR /etc/ssl/certs).
For the connection test, use the TLS_CACERT directive and add the full path of the CA certificate:
```
vi /etc/openldap/ldap.conf
```
```
.....
TLS_CACERT /etc/openldap/certs/bluePage-cert3.pem
.....
```
```
ldapsearch -H ldaps://bluepages.ibm.com:636 -d 1 -b o=ibm.com -D "" -s base "(&(emailAddress=%v)(objectclass=ePerson))"
```
Where:
- -H URI: LDAP Uniform Resource Identifier(s)
- -d level: set LDAP debugging level to `level'
- -b basedn: base DN for search
- -D binddn: bind DN
- -s scope: search scope, one of base, one, sub or children
If the correct certificate is added to the ldap.conf file, the output will contain `result: 0 Success`:
```
ldapsearch -H ldaps://bluepages.ibm.com:636 -b o=ibm.com -D "" -s base "(&(emailAddress=%v)(objectclass=ePerson))"
# extended LDIF
# LDAPv3
# base <o=ibm.com> with scope baseObject
# filter: (&(emailAddress=%v)(objectclass=ePerson))
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 1
```
If the CA certificate is missing or wrong, the search fails with:
```
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
Rerun the search with debugging enabled to see why:
```
ldapsearch -d 1 -H ldaps://bluepages.ibm.com:636 -b o=ibm.com -D "" -s base "(&(emailAddress=%v)(objectclass=ePerson))"
```
Output for debug level 1:
```
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636)
ldap_create
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP bluepages.ibm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.57.182.78:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
The `err: 19` at depth 2 means the root of the chain the server presented is not in the trust store the client is using, which is exactly what the TLS_CACERT entry fixes.
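As an added example (not part of this TechNote), the following POSIX shell script chains the steps above: it fetches the server's certificate chain, splits it into files, picks out the self-signed root, verifies the leaf against that root, and runs an anonymous base search with the root as the only trust anchor. The function names split_pem_bundle, find_self_signed and ldaps_chain_check are ours; openssl, awk and ldapsearch are assumed to be on PATH.

```shell
# Added example; names below are ours, not from the TechNote or OpenLDAP.
set -eu

# Split a PEM bundle into <prefix>1.pem, <prefix>2.pem, ... (the TechNote's
# awk idea as a function) and print how many certificates were written.
split_pem_bundle() {
    bundle=$1; prefix=$2
    awk -v p="$prefix" '/BEGIN CERT/,/END CERT/ {
        if (/BEGIN CERT/) n++
        out = p n ".pem"; print > out
    } END { print n + 0 }' "$bundle"
}

# Print the first file whose subject equals its issuer: the self-signed root.
find_self_signed() {
    for f in "$@"; do
        subj=$(openssl x509 -noout -subject -in "$f")
        iss=$(openssl x509 -noout -issuer -in "$f")
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Usage: ldaps_chain_check host:port outprefix
ldaps_chain_check() {
    target=$1; prefix=$2
    # s_client may exit non-zero when it cannot verify the peer itself; we
    # only need the certificates it printed, so ignore its status here.
    openssl s_client -showcerts -connect "$target" </dev/null \
        >"$prefix-chain.txt" 2>/dev/null || true
    n=$(split_pem_bundle "$prefix-chain.txt" "$prefix")
    echo "server sent $n certificate(s)"
    root=$(find_self_signed "$prefix"[0-9]*.pem) ||
        { echo "no self-signed root in the chain"; return 1; }
    # Print the root's fingerprint so it can be confirmed out of band before
    # it goes into ldap.conf; a root is not trusted just because the peer sent it.
    openssl x509 -noout -fingerprint -sha256 -in "$root"
    # The leaf is always the first certificate; verify it against that root
    # with the rest of the bundle supplied only as untrusted intermediates.
    openssl verify -CAfile "$root" -untrusted "$prefix-chain.txt" "${prefix}1.pem"
    # LDAPTLS_CACERT overrides TLS_CACERT from ldap.conf for this process only;
    # an anonymous base search of the root DSE proves handshake plus a request.
    LDAPTLS_CACERT=$root ldapsearch -H "ldaps://$target" -x -s base -b "" \
        "(objectclass=*)" namingContexts
}
if [ $# -ge 2 ]; then ldaps_chain_check "$@"; fi
```

Save it as a script and run it as `sh <script> ldapserver:636 mycert`; compare the printed SHA-256 fingerprint with the CA's published value before copying the root file into ldap.conf.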
Document Location: Worldwide
Product Synonym: icp; common services
Document Information
Modified date:
15 December 2020
UID
ibm16382146