Ubuntu: using ldapsearch to query against a secure Windows Domain Controller

Using ldapsearch to query against the insecure port of a Windows Domain Controller is straightforward.  However, it can be challenging to get all the pieces in place for a production environment where the secure port must be used and the root CA certificate is typically not from a public CA.

Assuming the standard insecure port is available, it’s always good to start by validating the basic query and binding user credentials.

# ensure utility is installed
sudo apt-get install ldap-utils -y


# general syntax of ldapsearch
# ldapsearch -H ldap://<host>:389 -D <bindinguser> -w <bindPass> -b <searchBase> -s sub <filter> <attribute>

# run query against insecure port for quick validation
ldapsearch -LLL -H ldap://flee-dc1.fabian.lee:389 -D ldapsvcaccount -w "svcaccountP4ss!" -b CN=Users,DC=FABIAN,DC=LEE -s sub "cn=ldapsvcaccount" dn

Attempt querying the secure port by switching the protocol to ‘ldaps’ and port to 636.

ldapsearch -LLL -H ldaps://flee-dc1.fabian.lee:636 -D ldapsvcaccount -w "svcaccountP4ss!" -b CN=Users,DC=FABIAN,DC=LEE -s sub "cn=ldapsvcaccount" dn

If this fails (e.g. ldap_sasl_bind(SIMPLE): Can't contact LDAP server), then verify network availability at port 636 and copy the root CA certificate onto the host before trying again.

# verify if the domain controller is available on secure port
nc -vz flee-dc1.fabian.lee 636

# show certs of domain controller
# this will show the cert, but NOT the root CA cert
# which is necessary to validate TLS communication
echo | openssl s_client -showcerts -connect flee-dc1.fabian.lee:636

If netcat and openssl above properly connect, then the issue is most likely that a non-public root CA certificate is being used.

The root CA is not returned as part of the TLS exchange, so if the CA is not public then you will need the Windows IT Administrator to provide it to you.  Modify ldap.conf so it can utilize the CA cert:

# copy DC root CA certificate to /etc/ssl/certs
sudo cp myCA.pem /etc/ssl/certs/myCA.pem

# modify these two settings in ldap.conf
sudo vi /etc/ldap/ldap.conf

TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/myCA.pem

There is no need to restart any services or reload system certificates.  You should be able to run the original query using ldapsearch on the secure port and get the proper communication now.

ldapsearch -LLL -H ldaps://flee-dc1.fabian.lee:636 -D ldapsvcaccount -w "svcaccountP4ss!" -b CN=Users,DC=FABIAN,DC=LEE -s sub "cn=ldapsvcaccount" dn

If you don’t want to modify the ldap.conf file, you can also specify the CA certificate path as an environment variable.

LDAPTLS_CACERT=/etc/ssl/certs/myCA.pem ldapsearch -LLL -H ldaps://flee-dc1.fabian.lee:636 -D ldapsvcaccount -w "svcaccountP4ss!" -b CN=Users,DC=FABIAN,DC=LEE -s sub "cn=ldapsvcaccount" dn


REFERENCES

github fabianlee, create or get CA cert from Windows DC using powershell

NOTES

The binding user “-D” can be just the id or a full DN specification.

ldapsearch -LLL -H ldaps://flee-dc1.fabian.lee:636 -D "CN=ldapsvcaccount,CN=Users,DC=FABIAN,DC=LEE" -w "svcaccountP4ss!" -b CN=Users,DC=FABIAN,DC=LEE -s sub "cn=ldapsvcaccount" dn

ldapsearch needs the CA cert in PEM format (not binary DER); if conversion is necessary, use openssl.

openssl x509 -in myCA.der -inform DER -out myCA.pem
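The following script ties the checks above (port reachability, TLS verification against the CA, the ldapsearch query itself) and the DER-versus-PEM note into a single set of shell functions. It is an added example, not a script from the original post; the function names (ca_path_from_conf, check_ca_file, check_ldaps_tls, ldaps_search, ldaps_diagnose) are made up for this example, and it assumes ldap-utils, netcat and openssl are installed. The host, search base and filter are the post's own values; the bind password is read from a file with -y rather than passed with -w, so the secret does not show up in process listings or shell history.

```shell
#!/bin/sh
# Example helpers for diagnosing ldaps against a Windows DC (added example, not the post's script).
# Assumes: ldap-utils, nc and openssl installed; ldap.conf at /etc/ldap/ldap.conf.

# Print the TLS_CACERT value from an ldap.conf, skipping comments and blank lines.
# Returns 1 when the setting is absent.
ca_path_from_conf() {
    conf="$1"
    path=$(sed -n 's/^[[:space:]]*TLS_CACERT[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Check that the CA file is readable and PEM encoded.
# 0 = PEM ok, 2 = binary DER (convert with openssl), 3 = missing/unreadable, 4 = unrecognised
check_ca_file() {
    ca="$1"
    [ -r "$ca" ] || return 3
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        return 0
    fi
    # A DER certificate starts with the ASN.1 SEQUENCE tag 0x30
    first=$(od -An -N1 -tx1 "$ca" | tr -d ' \n')
    [ "$first" = "30" ] && return 2
    return 4
}

# DER -> PEM conversion (same openssl call as the post's notes).
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2"
}

# Confirm the DC answers on 636 and that its certificate chain verifies against the CA.
# -verify_return_error makes s_client fail instead of continuing after a verify error.
check_ldaps_tls() {
    host="$1"; ca="$2"
    nc -vz "$host" 636 || return 1
    echo | openssl s_client -connect "$host:636" -CAfile "$ca" -verify_return_error >/dev/null 2>&1
}

# Same validation query as the post, with the password read from a file (-y).
# Create the file without a trailing newline: printf '%s' 'secret' > passfile; chmod 600 passfile
ldaps_search() {
    host="$1"; binddn="$2"; passfile="$3"; base="$4"; filter="$5"; ca="$6"
    LDAPTLS_CACERT="$ca" ldapsearch -LLL -H "ldaps://$host:636" \
        -D "$binddn" -y "$passfile" -b "$base" -s sub "$filter" dn
}

# Full walk-through: sh this.sh diagnose <host> <binddn> <passfile>
ldaps_diagnose() {
    host="$1"; binddn="$2"; passfile="$3"
    ca=$(ca_path_from_conf /etc/ldap/ldap.conf) || { echo "TLS_CACERT not set in /etc/ldap/ldap.conf"; return 1; }
    if check_ca_file "$ca"; then rc=0; else rc=$?; fi
    case $rc in
        0) ;;
        2) echo "$ca is DER; convert with: openssl x509 -in $ca -inform DER -out ${ca%.*}.pem"; return 1 ;;
        *) echo "$ca missing or unreadable (rc=$rc)"; return 1 ;;
    esac
    check_ldaps_tls "$host" "$ca" || { echo "TLS to $host:636 did not verify against $ca"; return 1; }
    # search base and filter are the post's values
    ldaps_search "$host" "$binddn" "$passfile" "CN=Users,DC=FABIAN,DC=LEE" "(cn=ldapsvcaccount)" "$ca"
}

if [ "${1:-}" = "diagnose" ]; then
    shift
    ldaps_diagnose "$@"
fi
```

Run it as `sh ldaps-check.sh diagnose flee-dc1.fabian.lee ldapsvcaccount /path/to/passfile`; each stage stops with a message pointing at the failing piece (missing TLS_CACERT, DER-encoded CA, TLS verify failure) before the query is attempted, which is the same order of elimination the post walks through by hand.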