Thursday, November 8, 2012

ldapsearch over SSL

Recently I ran into an issue with LDAP latency between a WAS server and an LDAP farm, with the traffic taking several hops to get there. I needed to find out whether the connection was working and also how long the queries were taking. Running tcpdump or Wireshark traces helps, but it does not give you a real view of how LDAP itself is behaving, so I decided to configure ldapclient on this server and do some testing. This might not work the same in every environment, but it should be a good guide.

First install ldapclient. In my case, running on RHEL, I also needed the openldap package to be installed. Once this is done you are able to execute the ldapsearch command.

That would be pretty much enough for a regular environment, but in my case I had to go through SSL using port 636 (secure) instead of 389 (insecure), so you have to modify the /etc/openldap/ldap.conf file and add the following lines:

HOST
PORT 636
TLS_CACERT  
TLS_REQCERT demand


Easy, huh? Now, if you wonder how you can get the certificate to be used, use this command (it pulls the certificate the server presents on port 636 and saves it as ldapserver.pem, the file you point TLS_CACERT at):

echo -n | openssl s_client -connect :636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

Now, how can I check what is being accepted for search in the LDAP server? At least this:

ldapsearch -x -H ldaps:// -b "o=domain.com" 

You will receive lines sort of like this:

uniquemember: uid=########,c=us,ou=ldapserver,o=domain.com

So now you can narrow your search as follows to look for the US folks:

ldapsearch -x -H ldaps:// -b "c=us,ou=ldapserver,o=domain.com" 

Then you go to the WebSphere console and look for those fields that we can access as:

Now you can look up by mail, cn, and uid as follows:

ldapsearch -x -H ldaps:// -b "c=us,ou=ldapserver,o=domain.com" "mail=name@domain.com"

Now, to check the response times, use the following loop (GNU time's -f "\t%e" appends the elapsed seconds of each query to /tmp/ldapresponse.out, while the search output itself is discarded):

while true
do
    /usr/bin/time -f "\t%e" 2>> /tmp/ldapresponse.out ldapsearch -x -H ldaps:// -b "c=us,ou=ldapserver,o=domain.com" "mail=name@domain.com" > /dev/null
done
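Two small helpers that go with the setup above, added here as an example and not part of the original post: the first confirms that ldap.conf really pins a CA file and sets TLS_REQCERT to demand (with never or allow, a connection on port 636 would accept any certificate), and the second summarises the elapsed-time lines the loop writes and flags slow queries. The hostname, file paths and timing values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks around the setup above:
#  - ldap_conf_check: confirm ldap.conf demands a verified server certificate
#    (TLS_REQCERT never/allow would accept any certificate on port 636);
#  - ldap_latency_stats: summarise the "\t%e" lines the timing loop appends
#    to /tmp/ldapresponse.out and flag queries slower than a threshold.
# Hostnames, file paths and sample values below are assumptions.

# ldap_conf_check CONF -> 0 if TLS_CACERT is set and TLS_REQCERT is demand/hard
ldap_conf_check() {
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {v=tolower($2)} END {print v}' "$1")
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$1")
    [ -n "$cacert" ] && { [ "$reqcert" = "demand" ] || [ "$reqcert" = "hard" ]; }
}

# ldap_latency_stats FILE [THRESHOLD] -> prints a one-line summary and returns 0
# when no query exceeded THRESHOLD seconds (default 1.0), 1 otherwise.
# Lines that are not a bare number (e.g. GNU time's "Command exited with
# non-zero status" message after a failed ldapsearch) are ignored.
ldap_latency_stats() {
    awk -v t="${2:-1.0}" '
        /^[[:space:]]*[0-9]+(\.[0-9]+)?[[:space:]]*$/ {
            v = $1 + 0; n++; sum += v
            if (n == 1 || v < min) min = v
            if (n == 1 || v > max) max = v
            if (v > t) slow++
        }
        END {
            if (n == 0) { print "no samples"; exit 2 }
            printf "count=%d min=%.3f max=%.3f avg=%.3f slow=%d\n",
                   n, min, max, sum / n, slow
            exit (slow > 0 ? 1 : 0)
        }' "$1"
}

# Stand-alone demo on constructed data: a conf like the one in the post and
# four elapsed times, one of them an outlier.
conf=$(mktemp); times=$(mktemp)
printf 'HOST ldap.example.com\nPORT 636\nTLS_CACERT /etc/openldap/ldapserver.pem\nTLS_REQCERT demand\n' > "$conf"
ldap_conf_check "$conf" && echo "ldap.conf: server certificate verification enforced"
printf '\t0.020\n\t0.018\n\t1.742\n\t0.024\n' > "$times"
ldap_latency_stats "$times" 1.0 || echo "slow queries detected"
rm -f "$conf" "$times"
```

Run ldap_latency_stats against the real /tmp/ldapresponse.out once the loop has been going for a while; a rising max with a steady min usually points at one hop or one farm member rather than the whole path.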
