Using ldapsearch to query Active Directory over a secure connection.

July 28th, 2008 | Filed under: Tech

You’re on a Red Hat Linux server and you want to query Active Directory using ldapsearch from OpenLDAP. To complicate matters, you want to bind to the server over a secure (LDAPS) connection, and you want the client to actually verify that it is talking to your domain controller rather than to whatever answers on port 636. The following steps describe what you need to do.

Note: You will need to replace all instances of server.domain.com in the below steps with the name of your Active Directory server.

1. Get the certificate of the CA that issued your Active Directory server’s certificate. One way is to connect to the server via Internet Explorer using the following URL: https://server.domain.com:636/. Port 636 speaks LDAP rather than HTTP, so do not expect a page to render, but the TLS handshake still takes place and a little padlock should appear at the bottom of the browser window in Internet Explorer 6.0, or near the address bar at the top of the window in Internet Explorer 7.0. Click the icon and view the certificate. Click on the Certification Path tab. Select the certificate at the top of the certification tree (the root CA) and click View Certificate. Click the Details tab of the new dialog, and then click the Copy to File button. This will launch the Certificate Export Wizard. Use the wizard to export the CA certificate in DER encoded binary X.509 format (.CER). Save the file as c:\temp\ca.cer. One caveat: a certificate fetched this way is only as trustworthy as that one connection, because a machine impersonating the server would happily present its own chain. Before you trust it, compare its thumbprint with one obtained out of band, or take the root directly from a domain-joined Windows machine instead (it is in the Trusted Root Certification Authorities store, and on the CA itself certutil -ca.cert c:\temp\ca.cer writes it to a file). If you are already on the Linux box, openssl s_client -connect server.domain.com:636 -showcerts </dev/null prints the chain the server sends, already in PEM format, but the root CA itself is usually not part of that chain and still has to come from the CA.

2. Convert the CA certificate into PEM format. To do this you will need OpenSSL installed. You could do this from your Linux server, or if you want, you can download and install a port of OpenSSL under Windows. Let’s assume you have OpenSSL setup and running on your Windows workstation; open a command prompt, navigate to C:\openssl\bin\ (or the equivalent for your installation) and run the following command:

openssl x509 -inform DER -outform PEM -in c:\temp\ca.cer -out ca.pem

This command will convert the CA certificate into a file in PEM format named ca.pem.

3. Deploy the CA certificate to your Linux server. Now that you have the CA certificate in the correct format, copy it to your Linux server. You can put it anywhere you like, but for simplicity, let’s keep it under /etc/openldap/, owned by root and world-readable (mode 0644), since every user’s ldapsearch has to be able to open it. Now edit /etc/openldap/ldap.conf and add the following lines:

TLS_CACERT /etc/openldap/ca.pem
TLS_REQCERT demand

The first line tells OpenLDAP where to find the CA certificate. The second line controls what happens when the server’s certificate cannot be validated against it. The value you will see in a lot of how-tos, allow, requests the server certificate but carries on regardless when it is missing or bad, so with allow the CA file never actually protects you from a spoofed server. demand (which is also the default when the line is absent) aborts the session instead; never disables the check entirely and try still tolerates a server that sends no certificate. Leave it at demand, and if the query then fails, fix the certificate chain rather than loosening the setting. Also connect using the host name that appears in the server’s certificate (server.domain.com), not an IP address or a short alias, because OpenLDAP checks the name as well as the chain. The same settings can be given per user in ~/.ldaprc if you do not want to change the system-wide file.

4. Kick off the query. It may look something like this:

ldapsearch -H 'ldaps://server.domain.com:636' \
    -x -W -D 'cn=admin,dc=domain,dc=com' \
    -b 'ou=orgunit,dc=domain,dc=com' \
    '(sAMAccountName=bob)' distinguishedName

This command will initiate a connection to the host named server.domain.com on port 636 with TLS from the very first byte (-H with an ldaps:// URI), perform a simple bind (-x) as the user named admin (-D), and prompt for the password (-W) rather than taking it on the command line, where -w would leave it visible in ps output and in the shell history. The query will return the distinguished name of the user whose logon name (sAMAccountName) is bob, searching below the organisational unit named orgunit. The server’s certificate is verified against the CA certificate we identified in /etc/openldap/ldap.conf, and that verification is what makes the encrypted connection worth having: a simple bind sends the password as-is inside the tunnel, so the tunnel had better end at the right server. Two things to avoid: do not combine -h/-p 636 with -Z, because -Z means StartTLS on a plaintext LDAP port and port 636 expects TLS immediately, so the connection fails; and if you would rather use StartTLS, point -H at ldap://server.domain.com (port 389) and pass -ZZ, not -Z, since a single -Z continues in the clear when the StartTLS request fails.
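The four steps above as one shell script, added here as a worked example and not code from the original post. It keeps the post’s placeholders (server.domain.com, the admin bind DN, the orgunit base DN, bob) and its paths, assumes openssl and ldapsearch are installed when it is invoked with the run argument, and the helper names (cert_format, install_ca, ldap_conf_fragment, tls_reqcert_enforced, ldapsearch_cmd) are my own. The audit helper also goes slightly beyond the post: it classifies every TLS_REQCERT value, not just allow versus demand.

```shell
#!/bin/sh
# Added example, not code from the original post.  Wraps the four steps above:
# put the AD CA certificate in PEM form, write an ldap.conf that really enforces
# certificate checking, audit an existing ldap.conf, and build the ldapsearch
# command with an ldaps:// URI.  Host names, DNs and paths are the post's
# placeholders; helper names are my own.
set -eu

# Step 2: does the exported file still need the DER-to-PEM conversion?
cert_format() {   # $1 = certificate file; prints PEM or DER
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Steps 2 and 3: install the CA certificate as PEM and print its subject,
# issuer and SHA-256 fingerprint so they can be compared with what the CA
# administrator says the root should be.  Needs openssl.
install_ca() {   # $1 = exported certificate, $2 = destination PEM
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
    chmod 0644 "$2"
    openssl x509 -in "$2" -noout -subject -issuer -fingerprint -sha256
}

# Step 3: the ldap.conf lines.  "demand" (OpenLDAP's default) aborts the
# session when the server presents no certificate or one that does not chain
# to TLS_CACERT; "allow" would carry on and accept a spoofed server.
ldap_conf_fragment() {   # $1 = path to the PEM CA certificate
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Audit an existing ldap.conf: return 0 only if server certificate validation
# is enforced.  The last TLS_REQCERT line wins and no line means the default,
# "demand" ("hard" is its synonym).  "never" and "allow" accept a forged
# certificate and "try" still accepts a server that sends none, so all three
# fail the audit.  Keywords and values are matched case-insensitively.
tls_reqcert_enforced() {   # $1 = ldap.conf path
    mode=$(awk 'tolower($1) == "tls_reqcert" { m = tolower($2) } END { print m }' "$1")
    case "${mode:-demand}" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 4: the query.  -H with an ldaps:// URI gives TLS from the first byte;
# -h/-p 636 plus -Z does not work, because -Z means StartTLS on a plaintext
# port.  -W prompts for the bind password instead of -w, which would leave it
# in `ps` output and the shell history.
ldapsearch_cmd() {   # $1 = host, $2 = bind DN, $3 = base DN, $4 = filter, rest = attributes
    host=$1; binddn=$2; basedn=$3; filter=$4; shift 4
    printf "ldapsearch -H 'ldaps://%s:636' -x -W -D '%s' -b '%s' '%s'" \
        "$host" "$binddn" "$basedn" "$filter"
    for attr in "$@"; do printf ' %s' "$attr"; done
    printf '\n'
}

# Full procedure (as root, with openssl and ldapsearch installed):
#   sh ldaps-query.sh run
if [ "${1:-}" = run ]; then
    install_ca /tmp/ca.cer /etc/openldap/ca.pem
    ldap_conf_fragment /etc/openldap/ca.pem >> /etc/openldap/ldap.conf
    tls_reqcert_enforced /etc/openldap/ldap.conf ||
        { echo 'ldap.conf does not enforce certificate checks' >&2; exit 1; }
    cmd=$(ldapsearch_cmd server.domain.com 'cn=admin,dc=domain,dc=com' \
        'ou=orgunit,dc=domain,dc=com' '(sAMAccountName=bob)' distinguishedName)
    echo "$cmd"
    eval "$cmd"   # arguments are the fixed literals above, so eval is safe here
fi
```

Run it as root with the run argument after copying the exported ca.cer to /tmp; without the argument it only defines the helpers, so tls_reqcert_enforced can be sourced into a configuration check that flags any client whose ldap.conf has drifted back to allow or never.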

That wasn’t too hard now, was it?
