ldapsearch to search DS with SSL enabled

Normally, you don't have any problem to run ldapsearch on a directory server without SSL enabled. The ldapsearch can be of any version, even the default one of Solaris system works. However, if the directory server instance runs on secure port, you might run into lots of trouble.

When using the default /bin/ldapsearch, it reads cert from cert7.db and mostly you could get error "ldap_simple_bind: Can't contact LDAP server" from a target DS of JES5. In ldap access log, error is "B4 - Server failed to flush BER data back to client".

You would better to use the ldapsearch command coming with the DS6.0 /opt/SUNWdsee/dsee6/bin/ldapsearch and pass the cert8.db of the target DS itself as the parameter of -P option. For example, /opt/SUNWdsee/dsee6/bin/ldapsearch -h -p -D "cn=directory manager" -w password -P /var/opt/SUNWdsee/dsins2/alias/slapd-cert8.db -b "dc=com" -Z "uid=\*".

Of course, you have to run the above on the machine where DS is installed. If you need to run it on a different machine, the easiest way is to copy/ftp the file cert8.db and key3.db used by the DS to the remote client machine. I could use the ldapsearch coming with JES4 in this way. For example,
cp /var/opt/SUNWdsee/dsins2/alias/slapd-\*.db /tmp/.
/var/opt/mps/serverroot/shared/bin/ldapsearch -h -p -D
"cn=directory manager" -w password -P /tmp/slapd-cert8.db -b "dc=com" -Z "uid=\*".

If you get error "ld.so.1: ldapsearch: fatal: libldap50.so: open failed: No such file or directory", you would need to "setenv LD_LIBRARY_PATH /usr/lib/mps:$LD_LIBRARY_PATH"

Comments:

usefull to know, but didn't solve my prob :(

i'm trying to ldapsearch on my SSL DS from other machines and can't manage to do it :(

from another solaris with native ldapsearch or any Linux, it doesn't work (:

i tried to copy both cert8/key3 files in /var/ldap and try to give the path to -P /var/ldap/cert8.db, but i still can't connect.

do i have to modify something with certutil on my clients ? or install a recent version of ldapsearch or something ?

thanks again

Posted by Olivier G on September 07, 2009 at 06:24 PM PDT #

Olivier, is the cert8/key3 files in /var/ldap used by your DS instance?

Posted by Gang Chen on September 08, 2009 at 04:41 PM PDT #

Post a Comment:
Comments are closed for this entry.
About

gc

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today