Question & Answer
Question
How can the LDAP monitor be configured to connect to an LDAP server using a secure socket?
Answer
Here is an example of an LDAP monitor configuration using SSL.
NOTE: Version 7.4 Fix Pack 1 or later is required to implement this method.
In earlier versions, the 'verifycertificate' parameter is not available.
1. Develop a working search
Use ldapsearch to develop the command that will be used by the LDAP monitor. The example below binds over plain LDAP to confirm that the bind DN, search base and filter are right; to exercise the LDAPS port itself, use -H ldaps://<host>:636 (with ldapsearch's TLS_CACERT pointing at the CA that issued the server certificate), and prefer -W, which prompts for the password, over -w, which leaves the password visible in the process list.
For example:
[root@nc9053114114 ITM]# ldapsearch -h hulkster -D cn=root -w ***** -b "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us" -s base objectClass=*
# extended LDIF
#
# LDAPv3
# base <cn=Bruce Willman,ou=Level2,o=Tivoli,c=us> with scope baseObject
# filter: objectClass=*
# Bruce Willman, Level2, Tivoli, us
dn: cn=Bruce Willman,ou=Level2,o=Tivoli,c=us
cn: Bruce
cn: Bruce Willman
sn: Willman
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
2. Configure the LDAP element
Start the ISM Configuration GUI, and create an element.
- In the ‘server’ field, enter the host name of the LDAP server (-h parameter)
- In the ‘searchbase’ field, enter the search string (-b parameter)
- In the ‘filter’ field, enter the filter
In the Advanced tab:
- Set the port number that the LDAP server listens on for SSL connections
This value can be found in the LDAP server configuration file, and is 636 in this example.
- Set the ‘username’ and ‘password’ (-D and -w parameters)
- Set ‘authentication type’ to SSL-SIMPLE
- Set ‘verifycertificate’ to Disabled
With verification disabled the monitor encrypts the session but does not check the server certificate against its trust store (the trust.pem path shown in the trace below), so it cannot tell the real LDAP server from one impersonating it. Disabled is appropriate for getting the connection working; before relying on the monitor in production, enable verification once the CA certificate that issued the LDAP server certificate is in the monitor's trust store.
Set distribution of the profile to an agent, and then save the changes.
The element should then appear in the Tivoli Enterprise Portal (TEP).
Troubleshooting
- Edit <ISM_HOME>/etc/props/ldap.props, and add the line:
MessageLevel : "debug"
- Restart the LDAP monitor:
<ISM_HOME>/bin/ism_startup.sh stop nco_m_ldap
<ISM_HOME>/bin/ism_startup.sh start nco_m_ldap
- Check <ISM_HOME>/log/ldap.log, and there will be tracing:
Tue Jan 5 11:18:21 2016 F57FEB70 Information: Trying connection
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using OpenLDAP Version 2.4.40
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cyrus-sasl Version 2.1.26
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: SSL requested - URI is ldaps://hulkster.tivlab.austin.ibm.com:636/
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Initialisation complete
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Creating SSL context for v2 and v3
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context established successfully
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No certificate file
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No private key file
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context setup succeeded
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Created New SSL Context 0xCE84D878
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: LDAPv3 selected
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Binding attempt with plaintext or SSL-tunneled plaintext password, ldap_p=-199225272
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Configuring Certificate Verification: Disabled
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL info: cert:[] key:[] pass:[] auth:[0] trust_file:[/opt/IBM/ITM/lx8263/is/certificates/trust.pem] trust_path:[/opt/IBM/ITM/lx8263/is/certificates/]
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Disabling Certificate Verification Using Context=0xCE84D878
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL Disable args SSLV2=1 SSLV3=1, TLS=0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv2
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv3
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL set options = 0x83000BFF
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cipher suite: 'AES:3DES:DES:!EXP:!DHE:!EDH'
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Ldap handle on failure was -199225272
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Getting results of bind, timeout is 30, msgid is 1 ...
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind status is: 97
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind result from ldap_parse_result is: 0 with message type 0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Async bind results returned from server
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind to LDAP server complete
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Attempting search ...
…
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(profile) -> "LDAPMonitor"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(datalogpath) -> "ldaphulkster_tivlab_austin_ibm_com_636_cn_Bruce_Willman_ou_Level2_o_Tivoli_c_us_guicli_1427210814415_6683_720d"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(host) -> "hulkster.tivlab.austin.ibm.com"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(timeout) -> "30"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(pollInterval) -> "300"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(description) -> "LDAP hulkster.tivlab.austin.ibm.com element."
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetests) -> "0"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetestInterval) -> "10"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(identchecksum) -> "guicli_1427210814415_6683_720d"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(startTimePoll) -> "1452010701"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(service) -> "LDAP"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(port) -> "636"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(distinguishedName) -> "cn=root"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(searchBase) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(filter) -> "objectclass=*"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(authentication) -> "SSL-SIMPLE"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(initTime) -> "0.00040"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(message) -> "Search successful"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(connectTime) -> "0.01242"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(dnMatched) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass) -> "top"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass2) -> "person"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass3) -> "organizationalPerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass4) -> "inetOrgPerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass5) -> "ePerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn) -> "Bruce"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn2) -> "Bruce Willman"
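As a check on a trace like the one above, here is an added example (not IBM code, and not part of the original technote) that parses the TLS-relevant Debug: lines ldap.log emits at MessageLevel "debug" and reports the settings a security reviewer would flag: a URI that is not ldaps://, certificate verification left Disabled, SSLv2/SSLv3 left enabled, and weak tokens in the cipher list. The sample lines embedded in it are constructed to match the shape of the trace above; the set of weak OpenSSL cipher tokens and the wording of the findings are this example's own. On the trace above it reports two findings: verification is Disabled, and the cipher list 'AES:3DES:DES:!EXP:!DHE:!EDH' enables 3DES and DES.

```python
"""Audit the TLS posture that an ISM LDAP monitor records in its debug trace.

Added example for this technote; it is not IBM code. It parses the "Debug:"
lines that <ISM_HOME>/log/ldap.log emits when MessageLevel is "debug" (the line
shapes follow the trace above) and reports settings a security reviewer would
not accept in production.
"""
import re
from typing import Any, Dict, List

# Constructed sample: the TLS-relevant lines of a trace like the one above.
SAMPLE_LOG = """\
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: SSL requested - URI is ldaps://hulkster.tivlab.austin.ibm.com:636/
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Configuring Certificate Verification: Disabled
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL info: cert:[] key:[] pass:[] auth:[0] trust_file:[/opt/IBM/ITM/lx8263/is/certificates/trust.pem] trust_path:[/opt/IBM/ITM/lx8263/is/certificates/]
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL Disable args SSLV2=1 SSLV3=1, TLS=0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cipher suite: 'AES:3DES:DES:!EXP:!DHE:!EDH'
"""

# OpenSSL cipher-list tokens that, when enabled, admit broken or weak algorithms
# (this example's own list; extend it to match local policy).
WEAK_CIPHER_TOKENS = {"DES", "3DES", "RC4", "MD5", "NULL", "eNULL", "aNULL", "EXP", "EXPORT"}

_PATTERNS = {
    "uri": re.compile(r"URI is (ldaps?://\S+)"),
    "verify": re.compile(r"Configuring Certificate Verification: (\w+)"),
    "trust_file": re.compile(r"trust_file:\[([^\]]*)\]"),
    "ciphers": re.compile(r"Using cipher suite: '([^']*)'"),
    # The monitor logs these as *disable* flags: 1 means that protocol is turned off.
    "disable_args": re.compile(r"SSL Disable args SSLV2=(\d) SSLV3=(\d), TLS=(\d)"),
}


def parse_trace(text: str) -> Dict[str, Any]:
    """Extract the TLS-relevant fields from a debug trace; fields not seen stay None."""
    info: Dict[str, Any] = {key: None for key in _PATTERNS}
    for key, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            continue
        if key == "disable_args":
            # (ssl2_off, ssl3_off, tls_off)
            info[key] = tuple(flag == "1" for flag in match.groups())
        else:
            info[key] = match.group(1)
    return info


def weak_ciphers(cipher_list: str) -> List[str]:
    """Return the weak tokens an OpenSSL cipher string enables.

    Tokens prefixed with '!' or '-' are exclusions and are ignored, so
    'AES:3DES:DES:!EXP' enables 3DES and DES but not EXP.
    """
    enabled = [tok for tok in cipher_list.split(":") if tok and tok[0] not in "!-"]
    return [tok for tok in enabled if tok in WEAK_CIPHER_TOKENS]


def audit(text: str) -> List[str]:
    """Return one finding per insecure setting seen in the trace (empty list = clean)."""
    info = parse_trace(text)
    findings: List[str] = []

    uri = info["uri"]
    if uri is None or not uri.startswith("ldaps://"):
        findings.append(f"URI {uri!r} is not ldaps://: bind credentials and results travel in the clear")

    # Encryption without server authentication still lets an impersonating server answer.
    if info["verify"] in (None, "Disabled"):
        findings.append(
            f"certificate verification is {info['verify'] or 'not logged'}: "
            f"the server is not authenticated and trust store {info['trust_file']} is never consulted"
        )

    if info["disable_args"] is not None:
        ssl2_off, ssl3_off, tls_off = info["disable_args"]
        if not ssl2_off:
            findings.append("SSLv2 is not disabled")
        if not ssl3_off:
            findings.append("SSLv3 is not disabled")
        if tls_off:
            findings.append("TLS is disabled, leaving only legacy SSL protocols")

    if info["ciphers"] is not None:
        weak = weak_ciphers(info["ciphers"])
        if weak:
            findings.append(f"cipher list {info['ciphers']!r} enables weak ciphers: {', '.join(weak)}")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

Point audit() at the contents of <ISM_HOME>/log/ldap.log after restarting nco_m_ldap with MessageLevel "debug"; an empty result means the trace shows an ldaps:// URI, certificate verification on, SSLv2/SSLv3 off and no weak cipher tokens enabled.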
Document Information
Modified date:
17 June 2018
UID
swg21974294