Support Questions
Find answers, ask questions, and share your expertise

How to test LDAPS url from Linux?

New Contributor

I am trying to enable kerberos with existing Active Directory KDC.

Need to test ldaps url from RHEL Linux

1 ACCEPTED SOLUTION

Accepted Solutions

@Sivaprakasam Theivanayagam

There are various tools you can use to test connectivity. To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility:

openssl s_client -connect HOST:PORT

To grab the SSL certificate you can use the following command:

openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem

Example:
openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem

You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to).

To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it.

The following command can be used to test connectivity and list the distinguished names contained in the base DN:

ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn
               -ZZ: Start TLS (for LDAPS)
               -h: IP/hostname of Active Directory server
               -D: BindDN or User principal name
               -W: Password (to be provided interactively)
               -b: Base DN for search (where in the LDAP tree to start looking) 

Example:
ldapsearch -ZZ -h  ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn

This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either no use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert.

To not use TLS/SSL, remove the -ZZ from the command line.

To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line

    TLS_REQCERT never 

View solution in original post

3 REPLIES 3

@Sivaprakasam Theivanayagam

There are various tools you can use to test connectivity. To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility:

openssl s_client -connect HOST:PORT

To grab the SSL certificate you can use the following command:

openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem

Example:
openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem

You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to).

To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it.

The following command can be used to test connectivity and list the distinguished names contained in the base DN:

ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn
               -ZZ: Start TLS (for LDAPS)
               -h: IP/hostname of Active Directory server
               -D: BindDN or User principal name
               -W: Password (to be provided interactively)
               -b: Base DN for search (where in the LDAP tree to start looking) 

Example:
ldapsearch -ZZ -h  ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn

This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either no use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert.

To not use TLS/SSL, remove the -ZZ from the command line.

To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line

    TLS_REQCERT never 

View solution in original post

New Contributor

Thanks!! Robert Levas

I performed ldaps url testing. I have issue with ldaps connection on Linux. can you help me?

In RHEL

> ldapsearch is working with ldap (adserver : 3268)

> It is not working for ldaps (adserver : 636)

> But the same ldaps (adserver : 636) I am able to connect through ldp.exe on windows machine

> it look like my RHEL server not making connection with secured port (not sure)

Error

# ldapsearch -h adserver:636 -D user@domain -W -b DC=Examble,DC=com

Enter LDAP Password: ldap_result: Can't contact LDAP server (-1)

do you have any idea to resolve the issue?

You appear to be using an Active Directory. In this case, you still want to use port 389 for LDAP and 636 for LDAPS unless there is a firewall in the way or the ports were changed on the Active Directory for some reason.

That said, it is possible that SSL was not set up for your Active Directory and therefore it is not listening for LDAPS requests on port 636. Make sure that LDAPS is enabled on your Active Directory.