nerdexam
CompTIA

LX0-104 · Question #189

Which of the following procedures will test the TLS configuration of your LDAP server?

The correct answer is A. Run the ldapsearch command with the -ZZ option, while watching network traffic with a packet analyzer.. To test an LDAP server's TLS configuration, execute ldapsearch with the -ZZ option to force StartTLS, and simultaneously monitor network traffic with a packet analyzer to confirm TLS negotiation and encrypted communication.

Security

Question

Which of the following procedures will test the TLS configuration of your LDAP server?

Options

  • ARun the ldapsearch command with the -ZZ option, while watching network traffic with a packet analyzer.
  • BRun the ldapsearch command with the -x option, while watching network traffic with a packet analyzer.
  • CRun the slapcat command, while watching network traffic with a packet analyzer.
  • DVerify the TLS negotiation process in the /var/log/ldap_auth.log file.
  • EVerify the TLS negotiation process in the /var/log/auth.log file.

How the community answered

(29 responses)
  • A
    76% (22)
  • B
    14% (4)
  • D
    7% (2)
  • E
    3% (1)

Why each option

To test an LDAP server's TLS configuration, execute `ldapsearch` with the `-ZZ` option to force StartTLS, and simultaneously monitor network traffic with a packet analyzer to confirm TLS negotiation and encrypted communication.

ARun the ldapsearch command with the -ZZ option, while watching network traffic with a packet analyzer.Correct

The ldapsearch -ZZ option explicitly forces the use of the StartTLS extended operation, which upgrades an insecure LDAP connection to a secure TLS connection. Watching network traffic with a packet analyzer (like Wireshark) during this operation allows you to observe the TLS handshake and verify that the LDAP communication payload is encrypted, confirming the TLS configuration works.

BRun the ldapsearch command with the -x option, while watching network traffic with a packet analyzer.

The ldapsearch -x option specifies simple authentication, which is orthogonal to TLS; it does not force or test TLS negotiation.

CRun the slapcat command, while watching network traffic with a packet analyzer.

The slapcat command is used to output the entire LDAP directory content to standard output; it does not involve network communication with the server and therefore cannot test TLS configuration.

DVerify the TLS negotiation process in the /var/log/ldap_auth.log file.

While ldap_auth.log might contain some authentication-related messages, it is not a standard log file for detailed TLS negotiation processes; OpenLDAP server logs or client debug logs would be more appropriate, but direct network observation is definitive.

EVerify the TLS negotiation process in the /var/log/auth.log file.

/var/log/auth.log primarily logs authentication attempts for various services, not detailed TLS negotiation specific to an LDAP server.

Concept tested: LDAP TLS configuration testing

Source: https://www.openldap.org/doc/admin24/security.html

Topics

#LDAP#TLS#SSL#ldapsearch#Network security#Troubleshooting

Community Discussion

No community discussion yet for this question.

Full LX0-104 Practice