How to configure a CA Directory DSA that only accepts certificate authentication?

Article ID: 379114

Updated On:

Products

CA Directory

Issue/Introduction

This issue arises because customers want to confirm certificate-based authentication against CA Directory using ldapsearch and/or dxsearch. The first step is to configure a DSA that only accepts certificate authentication.

Environment

CA Directory 14.1/Linux

Cause

The dxsearch utility, as shipped, does not appear to be able to authenticate to a CA Directory DSA with a certificate. Out of the box, the samples dua and ldua can be used for this purpose.

Resolution

Here we use the out-of-the-box samples/democorp, samples/unspsc and samples/ssl as the base to demonstrate how a CA Directory DSA can be configured to accept certificate-only authentication.

Install OpenLDAP clients

  1. Install the OpenLDAP client package to make ldapsearch available, since dxsearch does not appear to be able to authenticate with a certificate.
  2. The installation depends on your OS distribution; it could be
    1. yum install openldap-clients
    2. apt install ldap-utils
    3. or ...

Setup Steps

  1. Log in as user dsa.
  2. Go to samples/democorp and run "./setup.sh" to set up and start the democorp DSA.
  3. Go to samples/unspsc and run "./setup.sh" to set up and start the unspsc DSA. For our testing, setting up unspsc is required for the samples/ssl setup to succeed.
  4. Go to samples/ssl and run "./setup.sh SHA1" to have it configure the unspsc and democorp DSAs and generate two certificates in PEM format for us to use.
  5. Give "Marco Drew" a password:
    create a marcotest.ldf with the following content (a modify entry in LDIF needs the "replace:" line naming the attribute being changed)

    dn: cn=Marco Drew,ou=Information,ou=Corporate,o=Democorp,c=au
    changetype: modify
    replace: userpassword
    userpassword: test

    then run 'dxmodify -h "$(hostname)" -p 19389 -c -f marcotest.ldf'
  6. Modify config/knowledge/democorp.dxc so that the auth level is set to "auth-levels   = ssl-auth".
  7. Use "dxserver stop democorp; dxserver start democorp" to restart the democorp DSA.

Verification using ldapsearch: the marco_drew.pem file used below was created by the samples/ssl setup. There are two ways to set the certificate used to authenticate:

  1. LDAPTLS_REQCERT=never \
    SASL_MECH=external \
    LDAPTLS_CACERT=/opt/CA/Directory/dxserver/config/ssld/trusted.pem \
    LDAPTLS_CERT=/opt/CA/Directory/dxserver/samples/ssl/marco_drew.pem \
    LDAPTLS_KEY=/opt/CA/Directory/dxserver/samples/ssl/marco_drew.pem \
    ldapsearch -H ldaps://"$(hostname)":19389 -b "o=democorp,c=au" 'userpassword=*'
  2. Put the following in the ~/.ldaprc

    TLS_REQCERT never
    TLS_CACERT /opt/CA/Directory/dxserver/config/ssld/trusted.pem
    TLS_CERT /opt/CA/Directory/dxserver/samples/ssl/marco_drew.pem
    TLS_KEY /opt/CA/Directory/dxserver/samples/ssl/marco_drew.pem
    SASL_MECH external

    and then simply run

    ldapsearch -H ldaps://"$(hostname)":19389 -b "o=democorp,c=au" 'userpassword=*'

    to get the same result.

Also, the following run using the Marco Drew DN and password will fail:

ldapsearch -H ldaps://"$(hostname)":19389 -D "cn=Marco DREW,ou=Information,ou=Corporate,o=DEMOCORP,c=AU" -w test \
-b "o=democorp,c=au" 'userpassword=*'

and returns

ldap_bind: Inappropriate authentication (48)
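As an added example (not part of the original article), the following POSIX shell script wraps the two checks above into one verification step: a SASL EXTERNAL bind with the sample client certificate must succeed, and a simple bind with the Marco Drew DN and password must be rejected with result code 48 (inappropriateAuthentication), which ldapsearch also uses as its exit status. The paths, port, DNs and the RUN_VERIFY switch are assumptions taken from the article's sample layout, and check_client_pem, expect_rc, cert_search, password_search and verify_cert_only_dsa are helpers written here, not CA Directory tools. check_client_pem exists because the article points TLS_CERT and TLS_KEY at the same PEM file, which therefore has to contain both the certificate and the private key. The script keeps the article's LDAPTLS_REQCERT=never as its default so it runs against the sample DSA; once the DSA's server certificate chains to trusted.pem, run it with LDAPTLS_REQCERT=demand so the client verifies the server as well.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies that a DSA with
# "auth-levels = ssl-auth" accepts certificate authentication and rejects
# DN/password binds. Paths, port and DNs below are assumptions taken from
# the article's sample layout.

DXHOME="${DXHOME:-/opt/CA/Directory/dxserver}"
LDAP_HOST="${LDAP_HOST:-$(hostname 2>/dev/null || echo localhost)}"
LDAP_URI="ldaps://$LDAP_HOST:19389"
BASE_DN="o=democorp,c=au"
BIND_DN="cn=Marco Drew,ou=Information,ou=Corporate,o=Democorp,c=au"
CLIENT_PEM="$DXHOME/samples/ssl/marco_drew.pem"
CA_PEM="$DXHOME/config/ssld/trusted.pem"
# The article disables server certificate checking; export
# LDAPTLS_REQCERT=demand once the DSA certificate chains to trusted.pem.
LDAPTLS_REQCERT="${LDAPTLS_REQCERT:-never}"
export LDAPTLS_REQCERT

# TLS_CERT and TLS_KEY point at the same file, so it must hold both objects.
# Returns 1 if unreadable, 2 if no certificate, 3 if no private key.
check_client_pem() {
    pem="$1"
    [ -r "$pem" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 2
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" || return 3
    return 0
}

# Run a command and succeed only if its exit status equals the expected one.
# ldapsearch exits with the LDAP result code of a failed bind (48 here).
expect_rc() {
    want="$1"; shift
    "$@" >/dev/null 2>&1 && got=0 || got=$?
    [ "$got" -eq "$want" ]
}

# SASL EXTERNAL bind with the client certificate (the article's method 1).
cert_search() {
    LDAPTLS_CACERT="$CA_PEM" LDAPTLS_CERT="$CLIENT_PEM" LDAPTLS_KEY="$CLIENT_PEM" \
    SASL_MECH=external \
    ldapsearch -H "$LDAP_URI" -b "$BASE_DN" 'userpassword=*'
}

# Simple bind with DN and password; an ssl-auth-only DSA must answer 48.
password_search() {
    LDAPTLS_CACERT="$CA_PEM" \
    ldapsearch -H "$LDAP_URI" -D "$BIND_DN" -w test -b "$BASE_DN" 'userpassword=*'
}

# Full check: PEM sanity, certificate bind succeeds, password bind gets 48.
verify_cert_only_dsa() {
    check_client_pem "$CLIENT_PEM" || { echo "client PEM check failed (rc $?)"; return 1; }
    expect_rc 0 cert_search || { echo "certificate bind did not succeed"; return 1; }
    expect_rc 48 password_search || { echo "simple bind was not rejected with 48"; return 1; }
    echo "DSA accepts certificate authentication only"
}

# Only contact the DSA when explicitly asked, so the file can also be sourced.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_cert_only_dsa
fi
```

Run it as RUN_VERIFY=1 sh verify_cert_only.sh on the host where the democorp DSA listens; a non-zero exit with one of the three messages tells you which of the PEM, certificate-bind or password-rejection checks did not hold.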

Additional Information

LDAP.CONF(5) - OpenLDAP LDAP.CONF man page

The OpenLDAP client is one of the most popular LDAP clients. There are many other LDAP clients, including dxsearch and ldua from the CA Directory installation and JXplorer, which CA Technologies donated to the open-source community. The ability to use a certificate instead of a DN/password varies: it is client specific, so consult the client's own documentation to determine whether and how it can handle certificate-based authentication.