HP-UX Directory Server 8.1 configuration, command, and file reference
In addition to the standard options to the ldapsearch command, such as the base (-b), scope
(-s), and filter, the following options are required to run an ldapsearch command using SSL:
• -p with the Directory Server secure port
• -Z to use SSL (or, alternatively, -ZZ or -ZZZ to request Start TLS)
• -P to give the certificate database's file name and path
• -N to give the SSL certificate name
• -K to specify the private key database's file name and path
• -W to give the password to the private key database
Table 6-5 Additional SSL ldapsearch options

Option   Description

-3       Specifies that host names should be checked in SSL certificates.

-I       Specifies the SSL key password file that contains the token:password pair.

-K       Specifies the absolute path, including the file name, of the private key database of the client.
         The -K option must be specified when the key database has a different name than key3.db or when
         the key database is not under the same directory as the certificate database, the cert8.db file (the
         path which is specified with the -P option).

-m       Specifies the path to the security module database, such as
         /etc/opt/dirsrv/slapd-instance_name/secmod.db. This option only needs to be given if
         the security module database is in a different directory than the certificate database itself.

-N       Specifies the certificate name to use for certificate-based client authentication, such as -N
         "Server-Cert". If this option is specified, then the -Z, -P, and -W options are required. Also, if
         this option is specified, then the -D and -w options must not be specified, or certificate-based
         authentication will not occur, and the bind operation will use the authentication credentials specified
         on -D and -w.

-P       Specifies the absolute path, including the file name, of the certificate database of the client. This
         option is used only with the -Z option.
         When used on a machine where an SSL-enabled web browser is configured, the path specified on
         this option can be that of the certificate database for the browser. For example:
         -P /security/cert.db
         The client security files can also be stored on the Directory Server in the
         /etc/opt/dirsrv/slapd-instance_name directory. In this case, the -P option would call out
         a path and file name similar to the following:
         -P /etc/opt/dirsrv/slapd-instance_name/client-cert.db

-Q       Specifies the token and certificate name, separated by a colon (:), for PKCS11.

-W       Specifies the password for the private key database identified in the -P option. For example:
         -W secret
         If a dash (-) is used as the password value, the utility prompts for the password after the command
         is entered. This avoids having the password on the command line.

-Z       Specifies that SSL is to be used for the search request.

-ZZ      Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If
         the server does not support Start TLS, the command does not have to be aborted; it will continue
         in cleartext.

-ZZZ     Enforces the Start TLS request. The server must respond that the request was successful. If the server
         does not support Start TLS, such as when Start TLS is not enabled or the certificate information is incorrect,
         the command is aborted immediately.
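The following is an added example, not from the HP-UX Directory Server documentation: a small POSIX sh helper that assembles an ldapsearch command line following the option rules in Table 6-5 (certificate-based bind with -N requires -Z, -P and -W; -N must not be mixed with -D/-w; -ZZZ rather than -ZZ so a failed Start TLS aborts instead of continuing in cleartext; "-W -" so the key password is prompted for rather than placed on the command line). The host name, port, paths and certificate name are constructed sample values; the helper only builds and prints the command and does not run ldapsearch.

```shell
#!/bin/sh
# Added example (not from the manual): build an ldapsearch command line that
# respects the SSL option rules of Table 6-5. Sample values are constructed.

# build_ldapsearch_cmd MODE HOST PORT CERTDB CERTNAME BASE FILTER
#   MODE is "ssl" (-Z on the secure port) or "starttls" (-ZZZ, enforced).
#   Prints the command string on success; returns 1 on a rule violation.
build_ldapsearch_cmd() {
    mode=$1 host=$2 port=$3 certdb=$4 certname=$5 base=$6 filter=$7
    case $mode in
        ssl)      tls_opt="-Z" ;;
        starttls) tls_opt="-ZZZ" ;;   # never -ZZ: it may continue in cleartext
        *)        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # -N (client certificate) is only valid together with -P and -W
    [ -n "$certdb" ] && [ -n "$certname" ] || {
        echo "-N needs -P (certificate database) and -W (key password)" >&2
        return 1
    }
    # "-W -": the tool prompts for the key database password, so the secret
    # never appears in the process list or shell history
    printf 'ldapsearch -h %s -p %s %s -P %s -N %s -W - -b %s -s sub %s\n' \
        "$host" "$port" "$tls_opt" "$certdb" "$certname" "$base" "$filter"
}

# check_no_simple_bind ARGS...
#   Returns 1 if the argument list mixes -N with -D or -w; per the table that
#   combination silently falls back to the simple bind credentials.
check_no_simple_bind() {
    has_n=0 has_simple=0
    for a in "$@"; do
        case $a in
            -N)    has_n=1 ;;
            -D|-w) has_simple=1 ;;
        esac
    done
    [ $has_n -eq 1 ] && [ $has_simple -eq 1 ] && return 1
    return 0
}
```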
6.4.5 ldapsearch SASL options
SASL mechanisms can be used to authenticate a user, with the -o option supplying the required SASL information.
6.4 ldapsearch 193