LX0-104 · Question #189
Which of the following procedures will test the TLS configuration of your LDAP server?
The correct answer is A. Run the ldapsearch command with the -ZZ option, while watching network traffic with a packet analyzer.. To test an LDAP server's TLS configuration, execute ldapsearch with the -ZZ option to force StartTLS, and simultaneously monitor network traffic with a packet analyzer to confirm TLS negotiation and encrypted communication.
Question
Options
- ARun the ldapsearch command with the -ZZ option, while watching network traffic with a packet analyzer.
- BRun the ldapsearch command with the -x option, while watching network traffic with a packet analyzer.
- CRun the slapcat command, while watching network traffic with a packet analyzer.
- DVerify the TLS negotiation process in the /var/log/ldap_auth.log file.
- EVerify the TLS negotiation process in the /var/log/auth.log file.
How the community answered
(29 responses)- A76% (22)
- B14% (4)
- D7% (2)
- E3% (1)
Why each option
To test an LDAP server's TLS configuration, execute `ldapsearch` with the `-ZZ` option to force StartTLS, and simultaneously monitor network traffic with a packet analyzer to confirm TLS negotiation and encrypted communication.
The ldapsearch -ZZ option explicitly forces the use of the StartTLS extended operation, which upgrades an insecure LDAP connection to a secure TLS connection. Watching network traffic with a packet analyzer (like Wireshark) during this operation allows you to observe the TLS handshake and verify that the LDAP communication payload is encrypted, confirming the TLS configuration works.
The ldapsearch -x option specifies simple authentication, which is orthogonal to TLS; it does not force or test TLS negotiation.
The slapcat command is used to output the entire LDAP directory content to standard output; it does not involve network communication with the server and therefore cannot test TLS configuration.
While ldap_auth.log might contain some authentication-related messages, it is not a standard log file for detailed TLS negotiation processes; OpenLDAP server logs or client debug logs would be more appropriate, but direct network observation is definitive.
/var/log/auth.log primarily logs authentication attempts for various services, not detailed TLS negotiation specific to an LDAP server.
Concept tested: LDAP TLS configuration testing
Source: https://www.openldap.org/doc/admin24/security.html
Topics
Community Discussion
No community discussion yet for this question.