Hi, I'm trying to use ldapsearch to do some tests. Let's say the testing LDAP server host is ldap.forumsys.com.

Test 1: if I run:

ldapsearch -h ldap.forumsys.com -p 389 -b "" -s base "(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" -w password

it seems successful, but if I add the SSL flag, like:

ldapsearch -h ldap.forumsys.com -p 389 -b "" -s base "(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" -w password -Z

I got the error:

ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_result: Can't contact LDAP server (-1)

If I run:

ldapsearch -h ldap.forumsys.com -p 636 -b "" -s base "(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" -w password -Z

I got the error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

So how can I do a search with SSL?

Test 2: this is about SASL authentication. Let's say the SASL mech is DIGEST-MD5, or EXTERNAL, or GSSAPI; what ldapsearch command should I run? I tried many, and it did not work.
Thanks!
Peter Sui
--On Tuesday, December 31, 2019 10:44 AM -0500 Peter Sui peters@qnext.com wrote:
if I run: ldapsearch -h ldap.forumsys.com -p 636 -b "" -s base "(objectClass=*)" -D "cn=read-only-admin,dc=example,dc=com" -w password -Z
It is not valid to combine startTLS with port 636. Also, you should update your options to match modern standards.
Example against ldaps:///
ldapsearch -H ldaps://ldap.forumsys.com:636
as opposed to
ldapsearch -h ldap.forumsys.com -p 636
Example against ldap:///
ldapsearch -H ldap://ldap.forumsys.com:389
as opposed to
ldapsearch -h ldap.forumsys.com -p 389
I would note that the -Z(Z) options are for startTLS (generally against port 389). It is not valid to mix startTLS with ldaps:// URIs. You've not provided any useful information about your setup, so it's not possible to give you much help past that.
As for your SASL question, as documented in the ldapsearch man page, you provide the SASL Mech as a parameter to the -Y option. For example:
ldapsearch -Y GSSAPI -H ldap://ldap.forumsys.com:389
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
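The transport rules from the reply (ldap:// with -ZZ for StartTLS, ldaps:// without -Z, -Y for the SASL mechanism), written out as an added POSIX sh helper that is not part of the thread or of OpenLDAP; the function name ldapsearch_cmd and the GSSAPI default are assumptions, and it only prints the invocation it would run, so it can be checked offline:

```shell
# Added helper (not from the thread or from OpenLDAP): print the modern -H style
# ldapsearch invocation for one transport mode and refuse the combination that
# fails in the question, StartTLS (-Z) on port 636 / with an ldaps:// URI.
#   ldapsearch_cmd <plain|starttls|ldaps|sasl> <host> [port] [sasl-mech]
ldapsearch_cmd() {
    mode="$1"; host="$2"; port="$3"; mech="${4:-GSSAPI}"
    case "$mode" in
        plain)
            # Cleartext LDAP on the ldap:// port (default 389), no TLS flags.
            printf 'ldapsearch -H ldap://%s:%s\n' "$host" "${port:-389}" ;;
        starttls)
            # StartTLS upgrades an ldap:// session in place, so it belongs on 389.
            # -ZZ makes ldapsearch abort if the TLS upgrade is refused instead of
            # silently continuing in cleartext.
            if [ "${port:-389}" = 636 ]; then
                echo "error: StartTLS (-Z) is not valid on port 636; use ldaps:// instead" >&2
                return 1
            fi
            printf 'ldapsearch -H ldap://%s:%s -ZZ\n' "$host" "${port:-389}" ;;
        ldaps)
            # TLS from the first byte on the ldaps:// port (default 636); never add -Z.
            printf 'ldapsearch -H ldaps://%s:%s\n' "$host" "${port:-636}" ;;
        sasl)
            # SASL bind: the mechanism is the argument of -Y (GSSAPI assumed by default).
            printf 'ldapsearch -Y %s -H ldap://%s:%s\n' "$mech" "$host" "${port:-389}" ;;
        *)
            echo "error: unknown mode '$mode' (plain|starttls|ldaps|sasl)" >&2
            return 1 ;;
    esac
}

# Constructed walkthrough against the thread's test host: the ldaps form, the
# corrected StartTLS form, and the invalid mix that the reply calls out.
ldapsearch_cmd ldaps    ldap.forumsys.com
ldapsearch_cmd starttls ldap.forumsys.com 389
ldapsearch_cmd starttls ldap.forumsys.com 636 || echo "(rejected as expected)"
```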