How can I bind to CA Directory using LDAPsearch over SSL?


Article ID: 50843


Updated On: 10-03-2023

Products

CA Directory CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

This technical document guides the user through the process of using LDAPSearch to connect to the directory over SSL.

Environment

Release:
Component: ETRDIR

Resolution

In order to use LDAPsearch to connect to the directory over SSL, the LDAPsearch utility needs to trust the same RootCA certificate that issued (signed) the CA Directory DSA certificates. Without that trust anchor the client cannot verify the certificate the DSA presents during the TLS handshake.

The steps for setting up this trust and for running LDAPsearch over SSL are documented below.

Configure LDAPSearch to trust the RootCA

This step assumes that the RootCA certificate (in PEM format) that signed the DSA certificates is located in the file "C:\Program Files\CA\Directory\dxserver\config\ssld\trusted.pem".

  1. Add the following text to a new file titled: C:\ldapsearch.config

         TLS_CACERT "C:\Program Files\CA\Directory\dxserver\config\ssld\trusted.pem"
         #TLS_REQCERT never

     The TLS_CACERT parameter should point to the RootCA certificate file that is trusted by the DSA. The TLS_REQCERT line is commented out on purpose: in ldap.conf syntax, "TLS_REQCERT never" tells the client not to check the server certificate at all, so it should only be uncommented temporarily for troubleshooting and never left in a production configuration.

  2. Add a system environment variable called "LDAPCONF" and point it to the file titled: C:\ldapsearch.config. Command prompts that are already open will not see the new variable, so open a new one before running LDAPsearch.

Executing LDAPSearch with the SSL flag

  1. Open a new command prompt and issue the LDAPsearch command with the -Z option, which makes LDAPsearch connect to the DSA over SSL:

    C:\>ldapsearch -h 127.0.0.1 -p 19389 -Z -b o=Democorp,c=AU "(cn=*)"

  2. Confirm that you trust the DSA personality certificate presented. Before answering "yes", check that the Issuer DN shown matches the subject of the RootCA certificate in trusted.pem and that the Subject DN identifies the DSA you intended to connect to; accepting an unexpected certificate defeats the purpose of the trust setup.

         The server is using the following certificate:
         Subject DN:  CN=democorp, O=democorp, C=AU
         Issuer DN:  CN=DXCertGenCA, O=DXCertGenPKI, C=AU
         Validity:  Mon Sep 27 09:11:19 EST 2010 through Thu Sep 24 09:11:19 EST 2020
     Do you wish to trust this certificate and continue connecting to the server?
     Please enter "yes" or "no":yes

    The search is then submitted and the search results are displayed, for example:

         dn: cn=<User Name>,ou=Corporate,o=democorp,c=AU
         cn: <User Name>
         objectClass: inetOrgPerson
         objectClass: organizationalPerson
         objectClass: person
         objectClass: top
         sn: <Last Name>
         userPassword: <EncryptedPassword>

    Note that the search above was issued without a bind DN (-D), i.e. anonymously, and the output still includes userPassword values; whether that attribute is returned depends on the DSA's access controls, so review them if this is not intended.
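The whole procedure above, written as one PowerShell script (an added example, not code from the CA article or from the CA Directory product). It assumes the same file paths and the Democorp host, port and base DN used in this article, and that ldapsearch.exe is on the PATH; the extra steps it adds are printing the RootCA's subject and expiry so the operator can compare it with the Issuer DN that ldapsearch prompts with, and refusing to proceed if the trust file is missing.

```powershell
# Added example (not from the CA article): set up the LDAPsearch trust file,
# point LDAPCONF at it, show the RootCA identity for comparison with the
# certificate prompt, then run the SSL search.
# Assumptions: paths, host, port and base DN are the article's sample values;
# ldapsearch.exe is on PATH. Adjust the parameters for your environment.
param(
    [string]$TrustedPem = 'C:\Program Files\CA\Directory\dxserver\config\ssld\trusted.pem',
    [string]$ConfigFile = 'C:\ldapsearch.config',
    [string]$DsaHost    = '127.0.0.1',
    [int]   $DsaPort    = 19389,
    [string]$BaseDn     = 'o=Democorp,c=AU',
    [string]$Filter     = '(cn=*)'
)

$ErrorActionPreference = 'Stop'

# 1. The RootCA file must exist; otherwise TLS_CACERT points at nothing and
#    the DSA certificate can never be verified.
if (-not (Test-Path -LiteralPath $TrustedPem)) {
    throw "RootCA file not found: $TrustedPem"
}

# 2. Load the PEM and print the RootCA's identity. X509Certificate2 reads a
#    single PEM-encoded certificate; if trusted.pem holds several, only the
#    first one is shown here.
$rootCa = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($TrustedPem)
Write-Host "Trusted RootCA subject : $($rootCa.Subject)"
Write-Host "Trusted RootCA expires : $($rootCa.NotAfter)"
if ($rootCa.NotAfter -lt (Get-Date)) {
    Write-Warning 'The RootCA certificate has expired; DSA certificates it signed will not verify.'
}

# 3. Write the ldapsearch config. TLS_REQCERT never is deliberately left
#    commented out: it would turn off server certificate checking entirely.
@"
TLS_CACERT "$TrustedPem"
#TLS_REQCERT never
"@ | Set-Content -LiteralPath $ConfigFile -Encoding ASCII

# 4. Point LDAPCONF at the config. The article asks for a system (Machine)
#    variable, which needs an elevated prompt; fall back to a User variable
#    otherwise. The current session is updated either way.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$scope = if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'Machine' } else { 'User' }
[Environment]::SetEnvironmentVariable('LDAPCONF', $ConfigFile, $scope)
$env:LDAPCONF = $ConfigFile
Write-Host "LDAPCONF set at $scope scope to $ConfigFile"

# 5. Run the search over SSL (-Z). ldapsearch displays the DSA certificate and
#    asks whether to trust it: answer yes only if the Issuer DN it shows equals
#    the RootCA subject printed in step 2 and the Subject DN is the DSA you expect.
Write-Host "Expected Issuer DN on the prompt: $($rootCa.Subject)"
& ldapsearch -h $DsaHost -p $DsaPort -Z -b $BaseDn $Filter
```

Run it from a PowerShell prompt as `.\Setup-LdapsearchSsl.ps1` (any file name works); the trust prompt from ldapsearch is left interactive on purpose so that the operator, not the script, decides whether the presented certificate chains to the expected RootCA.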