In addition to the standard options to the ldapsearch command, such as the base (-b), scope (-s), and filter, the following options are required to run an ldapsearch command using SSL:

-p with the Directory Server secure port

-Z to specify that SSL is used (or, alternatively, -ZZ or -ZZZ to specify Start TLS)

-P to give the certificate database's file name and path

-N to give the SSL certificate name

-K to specify the private key database's file name and path

-W to give the password to the private key database

Table 6-5 Additional SSL ldapsearch options

-3
    Specifies that host names should be checked in SSL certificates.

-I
    Specifies the SSL key password file that contains the token:password pair.

-K
    Specifies the absolute path, including the file name, of the private key database of the client. The -K option must be specified when the key database has a different name than key3.db or when the key database is not under the same directory as the certificate database, the cert8.db file (the path which is specified with the -P option).

-m
    Specifies the path to the security module database, such as /etc/opt/dirsrv/slapd-instance_name/secmod.db. This option only needs to be given if the security module database is in a different directory than the certificate database itself.

-N
    Specifies the certificate name to use for certificate-based client authentication, such as -N "Server-Cert". If this option is specified, then the -Z, -P, and -W options are required. Also, if this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified on -D and -w.

-P
    Specifies the absolute path, including the file name, of the certificate database of the client. This option is used only with the -Z option.
    When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database for the browser. For example:
    -P /security/cert.db
    The client security files can also be stored on the Directory Server in the /etc/opt/dirsrv/slapd-instance_name directory. In this case, the -P option would call out a path and file name similar to the following:
    -P /etc/opt/dirsrv/slapd-instance_name/client-cert.db

-Q
    Specifies the token and certificate name, which are separated by a colon (:), for PKCS11.

-W
    Specifies the password for the private key database identified in the -P option. For example:
    -W secret
    If a dash (-) is used as the password value, the utility prompts for the password after the command is entered. This avoids having the password on the command line.

-Z
    Specifies that SSL is to be used for the search request.

-ZZ
    Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not have to be aborted; it will continue in cleartext.

-ZZZ
    Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS, such as when Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.
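As an added example that is not part of the manual, the following POSIX sh helper assembles an ldapsearch command line from the options in Table 6-5 and refuses the combinations the table says will not give certificate-based authentication (-N together with -D, or -N without -P); it also keeps both passwords off the command line by using the dash form. The host name, DNs and database paths in it are constructed.

```shell
#!/bin/sh
# Added example (not from the manual): build an ldapsearch command line for an
# SSL or Start TLS search and reject option combinations that Table 6-5 says
# silently fall back to non-certificate authentication.
# Host names, DNs and paths used below are constructed for illustration.
#
# Usage: ssl_ldapsearch_cmd MODE HOST PORT CERTDB KEYDB CERTNAME BINDDN BASE FILTER
#   MODE      Z (SSL on the secure port), ZZ (Start TLS, may continue in
#             cleartext) or ZZZ (Start TLS enforced, aborts if unsupported)
#   CERTDB    client certificate database, passed with -P
#   KEYDB     "" when key3.db sits beside CERTDB, otherwise passed with -K
#   CERTNAME  "" for a non-certificate bind, otherwise the -N certificate name
#   BINDDN    "" for certificate-based authentication, otherwise passed with -D
# Passwords are never embedded: "-W -" and "-w -" make ldapsearch prompt.
ssl_ldapsearch_cmd() {
    mode=$1 host=$2 port=$3 certdb=$4 keydb=$5
    certname=$6 binddn=$7 base=$8 filter=$9
    case $mode in
        Z|ZZ|ZZZ) ;;
        *) echo "ssl_ldapsearch_cmd: MODE must be Z, ZZ or ZZZ" >&2; return 2 ;;
    esac
    # With both -N and -D the bind uses the -D/-w credentials instead of the
    # certificate, so refuse the combination rather than downgrade quietly.
    if [ -n "$certname" ] && [ -n "$binddn" ]; then
        echo "ssl_ldapsearch_cmd: -N and -D are mutually exclusive" >&2
        return 2
    fi
    # -N requires -P, the database that holds the client certificate.
    if [ -n "$certname" ] && [ -z "$certdb" ]; then
        echo "ssl_ldapsearch_cmd: -N requires a certificate database (-P)" >&2
        return 2
    fi
    # -3 makes the client check the host name in the server certificate.
    cmd="ldapsearch -$mode -3 -h $host -p $port"
    [ -n "$certdb" ] && cmd="$cmd -P $certdb"
    [ -n "$keydb" ] && cmd="$cmd -K $keydb"
    # The key database password (-W) is only needed when the private key is
    # used, i.e. for certificate-based authentication with -N.
    [ -n "$certname" ] && cmd="$cmd -N \"$certname\" -W -"
    [ -n "$binddn" ] && cmd="$cmd -D \"$binddn\" -w -"
    cmd="$cmd -b \"$base\" -s sub \"$filter\""
    printf '%s\n' "$cmd"
}

# Constructed demonstration: enforced Start TLS with a client certificate.
ssl_ldapsearch_cmd ZZZ ldap.example.com 389 \
    /etc/opt/dirsrv/slapd-example/client-cert.db "" "Server-Cert" "" \
    "dc=example,dc=com" "(uid=jdoe)"
```

Run the printed line with eval, or copy it, when the databases named in -P and -K actually exist on the client.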

6.4.5 ldapsearch SASL options

SASL mechanisms can be used to authenticate a user, using the -o option to pass the required SASL information.

6.4 ldapsearch 193

HP UX Identity Security Software manual Ldapsearch Sasl options, Additional SSL ldapsearch options