Connect to LDAP server from Windows client via SSL

2015/09/14

Categories: infrastructure Tags: LDAP

Connecting to an LDAP server over SSL from a Windows client can be tricky because of Windows peculiarities. How do you ldapmodify the data?

Retrieve server certificate

Locate the server certificate on the server in:

secure/certs/server.pem 

Extract the part between and including the following lines:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Store the certificate on the client machine as c:/etc/ldap/server.pem.

Prepare client TLS configuration

Create c:/etc/ldap/ldap.conf with the following contents:

TLS_CACERT c:/etc/ldap/server.pem

Set the location of the client configuration file:

SET LDAPCONF=c:/etc/ldap/ldap.conf

Fixing CN and hostname mismatch

The connection to the LDAP server will still fail because of a certificate hostname mismatch:

ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match CN in peer certificate
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Analyzing the certificate in server.pem shows the CN it was actually issued for.

Either recreate the server certificates to match the host name, or make the hostname development resolve to the server on the client machine.

Add the following line to c:\Windows\System32\drivers\etc\hosts:

127.0.0.1 development

Setup is now complete.

Import data

Import the data:

ldapmodify.exe -a -f sample.ldif -d 1 -x -D "cn=root,dc=mydomain,dc=com" -w iamroot -Z -H ldaps://development
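As an added example (not part of the original post), a small Python helper that mirrors the client-side steps above: it copies only the CERTIFICATE block out of server.pem (a private key in that file stays on the server), renders the ldap.conf line, and reproduces the hostname-versus-CN check behind the "hostname does not match CN" error. The PEM bundle and host names are constructed; the base64 bodies are placeholders, not real certificates.

```python
import re

# Constructed sample of a server.pem that carries the key next to the cert.
# The base64 bodies are placeholders, not real DER data.
SAMPLE_SERVER_PEM = (
    "-----BEGIN PRIVATE KEY-----\nS0VZS0VZ\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ0VSVDE=\n-----END CERTIFICATE-----\n"
)

# One PEM block: captures its label (CERTIFICATE, PRIVATE KEY, ...) and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def extract_certificates(pem_text: str) -> list[str]:
    """Return only the CERTIFICATE blocks of server.pem, normalised to LF.

    The client needs the public certificate alone; any key block in the
    server file is deliberately dropped so it is never copied off the server.
    """
    certs = [
        f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n"
        for label, body in PEM_BLOCK.findall(pem_text)
        if label == "CERTIFICATE"
    ]
    if not certs:
        raise ValueError("no CERTIFICATE block in server.pem")
    return certs


def render_ldap_conf(cert_path: str) -> str:
    """ldap.conf content for LDAPCONF: trust the extracted server certificate."""
    posix_path = cert_path.replace("\\", "/")  # forward slashes, as in the post
    return f"TLS_CACERT {posix_path}\n"


def hostname_matches(hostname: str, cn: str, dns_sans: tuple = ()) -> bool:
    """Approximate the client's peer-name check.

    dNSName SANs take precedence; the subject CN is consulted only when the
    certificate has no dNSName. A leftmost '*' label matches exactly one label.
    """
    host = hostname.lower().rstrip(".")
    for name in dns_sans or (cn,):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix, prefix = name[1:], host[: -len(name[1:])]
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False
```

When running the real ldapmodify, prefer -W (prompt for the bind password) over -w iamroot so the password does not end up in the command history.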