ldapsearch over ldaps

Just a brief note because I needed this syntax today and couldn’t recall it.

ldapsearch -x -H ldaps://ldap.example.com -b "" -s base "objectclass=*"

This will either return the root DSE (directory Server Entry — the logical top of the LDAP tree) for the directory… or it won’t :-) Most directories make the root DSE accessible to anyone, so there should not be an authentication problem.

Here’s what the top of a clean response looks like:

ldap_initialize( ldaps://ldap.example.com )
filter: objectclass=*
requesting: All userApplication attributes
# extended LDIF
# LDAPv3
# base  with scope baseObject
# filter: objectclass=*
# requesting: ALL
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4

If you get something like this:

ldap_initialize( ldaps://testoid.example.com )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

then you’re probably going against an OID (Oracle Internet Directory) node or nodes, which doesn’t “play by the rules” that the rest of the LDAP universe does. When it comes to OID, you’re basically going to be restricted to using Oracle’s proprietary tools to test this (for example, their ldapbind utility). Heaven help you if you’re trying to integrate with other LDAP-aware applications or devices that don’t have a specific “Do it Larry’s way” setting.

Note: The ldap-ping.pl and Net::LDAPS perl module (which ldap-ping.pl uses) are able to handle Oracle’s special way of doing things and so may be helpful tools to have alongside Oracle’s. Of course the only drawback is that to run these perl based tools you’ll need to have all the prerequisite modules installed.