• Sun
    September 4, 2007

ldapsearch to search DS with SSL enabled

Guest Author
Normally, you don't have any problem to run ldapsearch on a directory server without SSL enabled. The ldapsearch can be of any version, even the default one of Solaris system works. However, if the directory server instance runs on secure port, you might run into lots of trouble.
When using the default /bin/ldapsearch, it reads cert from cert7.db and mostly you could get error "ldap_simple_bind: Can't contact LDAP server" from a target DS of JES5. In ldap access log, error is "B4 - Server failed to flush BER data back to client".
You would better to use the ldapsearch command coming with the DS6.0 /opt/SUNWdsee/dsee6/bin/ldapsearch and pass the cert8.db of the target DS itself as the parameter of -P option. For example, /opt/SUNWdsee/dsee6/bin/ldapsearch -h -p -D "cn=directory manager" -w password -P /var/opt/SUNWdsee/dsins2/alias/slapd-cert8.db -b "dc=com" -Z "uid=\*".
Of course, you have to run the above on the machine where DS is installed. If you need to run it on a different machine, the easiest way is to copy/ftp the file cert8.db and key3.db used by the DS to the remote client machine. I could use the ldapsearch coming with JES4 in this way. For example,
cp /var/opt/SUNWdsee/dsins2/alias/slapd-\*.db /tmp/.
/var/opt/mps/serverroot/shared/bin/ldapsearch -h -p -D
"cn=directory manager" -w password -P /tmp/slapd-cert8.db -b "dc=com" -Z "uid=\*".
If you get error "ld.so.1: ldapsearch: fatal: libldap50.so: open failed: No such file or directory", you would need to "setenv LD_LIBRARY_PATH /usr/lib/mps:$LD_LIBRARY_PATH"

Join the discussion

Comments ( 2 )
  • Olivier G Tuesday, September 8, 2009

    usefull to know, but didn't solve my prob :(

    i'm trying to ldapsearch on my SSL DS from other machines and can't manage to do it :(

    from another solaris with native ldapsearch or any Linux, it doesn't work (:

    i tried to copy both cert8/key3 files in /var/ldap and try to give the path to -P /var/ldap/cert8.db, but i still can't connect.

    do i have to modify something with certutil on my clients ? or install a recent version of ldapsearch or something ?

    thanks again

  • Gang Chen Tuesday, September 8, 2009

    Olivier, is the cert8/key3 files in /var/ldap used by your DS instance?

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.