2

I'm a little lost with ldapsearch... I have to configure a cloud with AD authentication.

This is working well:

ldapsearch -h server -p 389 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

But I want to add some security, so I try LDAPS.

This is working:

ldapsearch -H ldaps://server -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

And this too:

ldapsearch -H ldaps://server:636 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

But this doesn't work:

ldapsearch -h server -p 636 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com' -v
ldap_initialize( ldap://srv-dc01.get.com:636 )
ldap_result: Can't contact LDAP server (-1)

I don't know what's going on. And the cloud wants a URL, not a URI. Another question: is it possible to block LDAP and let LDAPS keep working?

OS: Linux CentOS 7 with SELinux enforcing. The DC is on Server 2008 R2.

Thank you very much. Regards, Alexandre

Alex Lum

2 Answers

1

UPDATE:

From this page it appears that

The fully-qualified domain name is always required with the -h option. This prevents man-in-the-middle attacks.

and that:

Although using the ldaps protocol is supported, it is deprecated.

More, from man ldapsearch:

-h: Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.

To allow only secure connections, have a look here; another easy solution is a pair of iptables rules:

iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A INPUT  -p tcp --destination-port 389  -j DROP
ColOfAbRiX
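Putting the answer's point into a runnable form, as an added example that is not from the question or from either answer: the -h/-p pair always produces an ldap:// URI (that is the ldap_initialize( ldap://...:636 ) line in the question), so a plaintext client is sent to the TLS-only port and the only way to get TLS on 636 is -H with an ldaps:// URI. The wrapper below refuses plaintext URIs, requires the server certificate to verify, and reads the bind password from a file with -y instead of passing it with -w on the command line. The host name, the CA bundle path and the password file path are assumed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example; not code from the question or the answers. The host name,
# CA bundle path and password file below are assumed placeholders.

# What '-h HOST -p PORT' does internally: the scheme is always ldap://, so
# '-h server -p 636' becomes ldap://server:636 and a plaintext client talks
# to the TLS-only port, which ends in "Can't contact LDAP server (-1)".
# (-Z/-ZZ do not help either: StartTLS is an operation on the plain 389
# connection, not a way to reach an ldaps port.)
legacy_uri() {
    printf 'ldap://%s:%s\n' "$1" "${2:-389}"
}

# The URI to hand to -H: the ldaps:// scheme selects TLS and defaults to
# 636, which is why both -H forms in the question work with or without :636.
ldaps_uri() {
    printf 'ldaps://%s:%s\n' "$1" "${2:-636}"
}

# 0 if the URI uses the ldaps:// scheme, 1 otherwise.
is_ldaps_uri() {
    case $1 in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Checks that a TLS handshake succeeds on the port before any LDAP is tried;
# separates "port closed / firewall" from "wrong protocol on the port".
# Needs openssl; the result is the exit status only.
tls_port_ok() {
    printf '' | openssl s_client -connect "$1:${2:-636}" >/dev/null 2>&1
}

# secure_ldapsearch URI BINDDN BASE PASSFILE [extra ldapsearch args...]
# Refuses plaintext URIs, requires the server certificate to verify against
# the CA bundle (LDAPTLS_REQCERT=demand), and reads the bind password from a
# file with -y so it never appears in ps output or shell history (-w does).
# -y uses the complete file contents, so create the file without a trailing
# newline (printf '%s' "$pass" > file) and keep it mode 0600.
secure_ldapsearch() {
    uri=$1; binddn=$2; base=$3; passfile=$4; shift 4
    if ! is_ldaps_uri "$uri"; then
        echo "refusing plaintext LDAP URI: $uri" >&2
        return 2
    fi
    if [ ! -r "$passfile" ]; then
        echo "password file not readable: $passfile" >&2
        return 2
    fi
    LDAPTLS_REQCERT=demand \
    LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt \
        ldapsearch -H "$uri" -x -D "$binddn" -y "$passfile" -b "$base" "$@"
}

# Usage (placeholders): the DC from the question, reached over LDAPS only.
# secure_ldapsearch "$(ldaps_uri server.domain.com)" 'admin.test' \
#     'cn=admin.test,cn=users,dc=domain,dc=com' /etc/cloud/ldap.pass -v
```

The same effect can be made the default for every OpenLDAP client on the box by putting URI, TLS_CACERT and TLS_REQCERT demand into ldap.conf; the environment variables above are the per-invocation form of those settings. With the answer's iptables rules dropping port 389 as well, the wrapper's refusal of ldap:// URIs and the firewall agree: nothing on the client can fall back to plaintext LDAP.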
0

Thank you, I tried with -Z and -ZZ.

ldapsearch -h server -p 636 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com' -v -Z
ldap_initialize( ldap://server.domain.com:636 )
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

With -ZZ, the same error message, but without the ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) line.

You're right, this command does not start the right protocol. Is there a way to force this?

Alex Lum
I found someone that had your same problem, but the answer doesn't tell why: http://serverfault.com/questions/506527/ldapsearch-with-ssl-centos-ldap-start-tls-ldap-bind-cannot-contact-ldap Anyway I think you can comment on others' answers – ColOfAbRiX May 01 '15 at 14:51