Ssl – LDP SSL Port 636 Works – ldaps:// does not

Tags: active-directory, ldap, ssl, windows-server-2008

I am trying to use ldap with ssl on Server 2008 R2. Got it all set and am able to connect using ldp.exe to the domain.example.org port 636 with the ssl checkbox. This is on the local server itself.

However – I am unable to connect using ldapsearch using ssl and port 636. No ssl and port 389 works fine using ldapsearch.

Any ideas? Do my clients need to have a certificate installed or something? I mostly just wanted to have ldap connections encrypted. Thanks for any help!

Edit:

The command that works:

ldapsearch -x -b "dc=XX,dc=example,dc=org" -D "user@example.org" -H ldap://XX.example.org -W '(&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

The command that doesn't work:

ldapsearch -x -b "dc=XX,dc=example,dc=org" -D "user@example.org" -H ldaps://XX.example.org:636 -W '(&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

I have tried variations of -h and using the -p to specify the port.

How would I go about installing the certificate from the server 2008 onto the client?

Best Answer

Your clients don't need their own certificate. They just need to trust the Certificate Authority certificate (or certificate chain) that signed the LDAP server's certificate. You didn't need to worry about this on the localhost because the CA certificate was already trusted by default.

It's not clear from your question whether the LDAP server is also the Certificate Authority and whether it is using the CA certificate as the LDAP certificate as well. Normally, these are two different certificates and the Certificate Authority lives on a different machine.

Some quick googling indicates there's an option you can set in the ldap.conf called TLS_CACERT or an equivalent environment variable called LDAPTLS_CACERT that you can point to a file containing any/all CA certificates in your environment (base64 encoded).

If you only have a single CA in your environment, you should be able to download a base64 encoded version of its public certificate. And if you can only find a DER encoded version, you can use openssl to convert it to base64.

openssl x509 -inform der -in cacert.crt -out cacert.pem
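As an added example, not part of the answer above: a small Python script that performs only the TLS handshake ldapsearch would perform for ldaps://host:636, trusting exactly the CA file you would point TLS_CACERT / LDAPTLS_CACERT at, and reports why the client rejected the server if it did. It also does the DER-to-PEM conversion in pure Python for hosts without openssl. The host name and file names are assumptions.

```python
import socket
import ssl
import sys

LDAPS_PORT = 636

# OpenSSL X509 verify result codes behind the common ldaps:// failures.
CA_NOT_TRUSTED = {18, 19, 20}   # self-signed leaf / self-signed in chain / issuer not found locally
HOSTNAME_MISMATCH = 62          # -H name is not in the server certificate's SAN/CN
CERT_EXPIRED = 10


def der_to_pem(der_bytes: bytes) -> str:
    """Same result as `openssl x509 -inform der -in cacert.crt -out cacert.pem`:
    the base64 PEM form OpenLDAP's TLS_CACERT / LDAPTLS_CACERT expects."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def pem_to_der(pem_text: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem_text)


def classify_verify_failure(verify_code, message: str) -> str:
    """Map an OpenSSL verify code to the fix the client admin needs."""
    if verify_code in CA_NOT_TRUSTED:
        return "ca-not-trusted"      # put the AD CA's PEM in TLS_CACERT / LDAPTLS_CACERT
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname-mismatch"   # use the FQDN that appears in the server certificate
    if verify_code == CERT_EXPIRED:
        return "cert-expired"
    return f"verify-failed: {message}"


def probe_ldaps(host: str, cafile: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """TLS handshake only, trusting just the CAs in `cafile` (no system trust store)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {"ok": True, "subject": subject, "tls": tls.version()}
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "reason": classify_verify_failure(getattr(err, "verify_code", None), str(err))}
    except OSError as err:   # refused, timeout, reset, or a non-verification TLS error
        return {"ok": False, "reason": f"tls-or-connect-failed: {err}"}


if __name__ == "__main__":
    # usage: python ldaps_probe.py XX.example.org cacert.crt   (assumed names; DER or PEM input)
    host, cert_path = sys.argv[1], sys.argv[2]
    data = open(cert_path, "rb").read()
    pem = data.decode() if data.startswith(b"-----BEGIN") else der_to_pem(data)
    open("cacert.pem", "w").write(pem)
    print(probe_ldaps(host, "cacert.pem"))
```

A result of "ca-not-trusted" is exactly the situation in the question: ldp.exe on the server trusts the CA through the Windows store, while the OpenLDAP client on another machine has no such trust until TLS_CACERT points at the CA's PEM.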