Open LDAP - jrwhetse/jrwhetse.github.io GitHub Wiki

LDAP

Add CA to Trust Store on LDAP Client

Assuming LDAP/Active Directory is being hosted on port 636 over SSL/TLS.

Run the following to convert the DER-encoded cert file into a PEM file:

openssl x509 -inform der -in <ca>.crt -out <ca>.pem

Run the following to import the CA cert into the OpenLDAP NSS certificate database:

certutil -A -d /etc/openldap/certs -n "<ca>" -t CT,, -a -i <ca>.pem

   -A                Add certificate to the database
   -d certdir        Cert database directory (default is ~/.netscape)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                     trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,
                     and z is for code signing. Use ,, for no explicit trust.
                       p      prohibited (explicitly distrusted)
                       P      trusted peer
                       c      valid CA
                       T      trusted CA to issue client certs (implies c)
                       C      trusted CA to issue server certs (implies c)
                       u      user cert
                       w      send warning
                       g      make step-up cert
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)


certutil -L -d /etc/openldap/certs lists the certs in the db

certutil -D -d /etc/openldap/certs -n <ca> deletes the cert

certutil -H shows help

certutil -H -<command> shows more detailed help

Trust Self Signed Certificate

openssl s_client -connect <host>:636 </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <certtotrust>.pem

certutil -A -d /etc/openldap/certs -n "<certtotrust>" -t CT,, -a -i <certtotrust>.pem

Test

openssl s_client -CApath /etc/openldap/certs/ -connect <host>:636
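The self-signed flow above imports whatever certificate the server presented at that moment. The script below is an added example, not part of the wiki: it extracts the first certificate from `s_client` output the same way the `sed` range does, compares its SHA-256 fingerprint with a value obtained out of band, and only then imports it. The sample `s_client` output embedded in it is constructed for the self-test (the certificate body in it is not a real certificate), and the database path and the choice of `P,,` trust are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): pin a self-signed LDAPS certificate by
# fingerprint before trusting it. SAMPLE_SCLIENT is constructed test data;
# the NSS db path and the P,, trust setting are assumptions.
set -u

NSSDB="${NSSDB:-/etc/openldap/certs}"   # assumed, same path as the wiki

# Constructed sample of `openssl s_client` output (not a real certificate).
SAMPLE_SCLIENT='CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = ldap.example.test
-----BEGIN CERTIFICATE-----
CONSTRUCTEDnotARealCertBody1
CONSTRUCTEDnotARealCertBody2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SECONDBLOCKshouldBeIgnored
-----END CERTIFICATE-----
---
Server certificate'

# Keep only the first PEM block from s_client output on stdin: that is the
# server's own certificate (with -showcerts the chain follows it).
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Normalise a fingerprint for comparison: drop any "... Fingerprint=" prefix,
# colons and case, so "SHA256 Fingerprint=AB:CD" and "abcd" compare equal.
norm_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-Z' 'a-z'
}

# Fetch the certificate from HOST:636, compare it with EXPECTED_FP and import
# it as a trusted peer (P,,: trust exactly this cert, not anything it signs).
# Needs openssl and certutil; returns 1 on any mismatch.
trust_pinned_server_cert() {
    host="$1"; expected="$2"; nick="${3:-$1}"
    pem="$(mktemp)" || return 1
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | extract_first_cert > "$pem"
    grep -q 'BEGIN CERTIFICATE' "$pem" || {
        echo "no certificate received from $host" >&2; rm -f "$pem"; return 1; }
    actual="$(openssl x509 -in "$pem" -noout -fingerprint -sha256)"
    if [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ]; then
        certutil -A -d "$NSSDB" -n "$nick" -t P,, -a -i "$pem"
        rc=$?
    else
        echo "fingerprint mismatch for $host: got $actual" >&2
        rc=1
    fi
    rm -f "$pem"
    return $rc
}

# Usage: sh pin_ldaps.sh ldap.example.test 'AB:CD:...' [nickname]
[ $# -ge 2 ] && trust_pinned_server_cert "$@"
```

The wiki imports the self-signed certificate with `CT,,`, which also makes NSS accept any certificate that key later signs; `P,,` limits trust to the pinned certificate itself, which is all a self-signed server cert needs. After the import, the `openssl s_client -CApath` test above should end with `Verify return code: 0 (ok)`.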

Convert a CA cert (DER .cer) to PEM

openssl x509 -inform der -in <file>.cer -out <file>.pem

Other commands

Pinning the handshake to a single protocol version shows which versions the server still accepts; a hardened server should refuse the legacy ones. -tls1 is TLS 1.0, and -ssl2/-ssl3 only work with an OpenSSL build that still includes those protocols (current builds usually reject the option outright):

openssl s_client -tls1_2 -connect <fqdn>:<port> -CApath /etc/openldap/certs/

openssl s_client -tls1 -connect <fqdn>:<port> -CApath /etc/openldap/certs/

openssl s_client -ssl2 -connect <fqdn>:<port> -CApath /etc/openldap/certs/

openssl s_client -ssl3 -connect <fqdn>:<port> -CApath /etc/openldap/certs/

openssl s_client -connect <fqdn>:<port> -CApath /etc/openldap/certs/

LDAP Commands

This will delete all users in LDAP without destroying the groups:

ldapsearch -z max -h localhost -p 389 -D "cn=<dm_user>" -w <dm_pass> -b "dc=<dn>" -LL | grep "^<linestart>" | sed -e 's/^<linestart>//g' | ldapdelete -c -h localhost -p 389 -D "cn=<dm_user>" -w <dm_pass>

Importing an LDIF file:

ldapmodify -c -h localhost -p 389 -D "cn=<dm_user>" -w <dm_pass> -a -f ./<file_to_import>.ldif

LDAP Query using uid=

ldapsearch -x -LLL -h <ldap_host> -p 389 -D "uid=<uid+dn>" -W -b <dn> uid=<uid>
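The "delete all users" pipeline above goes straight from `ldapsearch` into `ldapdelete`. The script below is an added example, not part of the wiki: it splits the DN selection out so the list can be reviewed (dry run by default) before anything is removed. The LDIF in it is constructed sample data, and the host, the user/group naming scheme (uid= for users, cn= for groups) and the password file are assumptions; it uses simple bind (-x) as the uid query above does.

```shell
#!/bin/sh
# Added example (not from the wiki): select the DNs the wiki's pipeline would
# delete, show them first, and only delete on explicit request.
# SAMPLE_LDIF is constructed; host, naming scheme and LDAP_PW_FILE are assumed.
set -u

# Constructed sample of what `ldapsearch -LL` returns.
SAMPLE_LDIF='version: 1

dn: dc=example,dc=test
objectClass: domain

dn: ou=people,dc=example,dc=test
objectClass: organizationalUnit

dn: uid=alice,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
uid: bob

dn: cn=admins,ou=groups,dc=example,dc=test
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=test
'

# Print the DN of every entry whose dn: line starts with PREFIX (the wiki's
# <linestart> without the leading "dn: ", e.g. "uid="). Only dn: lines are
# considered, so a group's member: attribute never becomes a delete target.
# Limitation: base64 "dn::" lines and folded continuation lines are not handled.
select_dns() {
    prefix="$1"
    awk -v p="$prefix" 'sub(/^dn: /, "") && index($0, p) == 1 { print }'
}

# Number of DNs a prefix selects; compare with the expected user count.
count_dns() {
    select_dns "$1" | wc -l | tr -d ' '
}

# Dry run by default; pass --delete as the 4th argument to pipe the DNs into
# ldapdelete -c (continue past individual errors). The bind password is read
# from a file (-y) rather than placed on the command line (-w) where ps shows it.
purge_users() {
    base="$1"; binddn="$2"; prefix="$3"; mode="${4:-dry-run}"
    pwfile="${LDAP_PW_FILE:?set LDAP_PW_FILE to a file holding the bind password}"
    dns="$(ldapsearch -x -z max -h localhost -p 389 -D "$binddn" -y "$pwfile" -b "$base" -LL \
           | select_dns "$prefix")"
    n="$(printf '%s\n' "$dns" | grep -c .)"
    if [ "$mode" = "--delete" ]; then
        printf '%s\n' "$dns" | ldapdelete -c -x -h localhost -p 389 -D "$binddn" -y "$pwfile"
    else
        printf 'dry run: %s entries would be deleted:\n%s\n' "$n" "$dns"
    fi
}

# Self-check on the constructed data: the two users are listed, the group is not.
printf '%s\n' "$SAMPLE_LDIF" | select_dns 'uid='

# Usage: LDAP_PW_FILE=/root/.ldappw sh purge_users.sh "dc=<dn>" "cn=<dm_user>" uid= [--delete]
[ $# -ge 3 ] && purge_users "$@"
```

Run it once without `--delete`, check that the count matches the number of user entries you expect and that no group DN appears, then run it again with `--delete`.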