Micro Focus eDirectory – Decoding TLS/LDAP Packet Trace Using Wireshark
This document's steps are specific to NetIQ/Micro Focus eDirectory's LDAP; however, the concepts apply to other LDAP servers. This was tested with RSA keys. Note that Wireshark can only decrypt a trace with the server's private key when the negotiated cipher suite uses RSA key exchange (TLS 1.2 or earlier, no forward secrecy); ECDHE/DHE suites and TLS 1.3 derive session keys that the server key alone cannot recover, so check the negotiated suite in the ServerHello before expecting decrypted data.
WARNING: Because the server's private key is required, we strongly recommend caution in performing these steps. Keep the process internal, and delete both the copy of the private key and the decrypted capture afterward; the capture exposes everything the key protected, including any simple-bind passwords. Security should be at the forefront, and internal processes should be used to delete sensitive data.
1) Use tcpdump on the Linux IDM server to start the packet trace. If this is a Windows server running eDirectory, use Wireshark to gather the packet trace instead. When ready, run the command below; once the operation to be captured has completed, press Ctrl-C to stop the capture and confirm that the file has been written.
7) Click Analyze | Decode As..., press the + button to add an entry, set the Field column to TLS Port, set the Value column to the LDAPS port (636 by default), set the Current column to LDAP, and choose Save. If the entry disappears, click + again, reselect it, and then choose OK.
The data should now be decoded.
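The same procedure as a script for the Linux eDirectory host, using tshark (Wireshark's command-line front end) in place of the GUI steps. This is an added example, not code from the original article or from NetIQ/Micro Focus: it captures the LDAPS port with tcpdump, lists the negotiated cipher suite so you can confirm the trace is decryptable at all, decodes the trace with the server's RSA private key (the command-line form of Edit > Preferences > Protocols > TLS > RSA keys list plus the Decode As entry from step 7), and shreds the key copy afterward. The interface, port, capture path and key path are assumptions; override them through the environment variables at the top. By default the script only prints the commands it would run; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original article): the capture-and-decode
# procedure for the Linux eDirectory host. Interface, port and file paths
# are assumptions; override them with environment variables.
set -eu

IFACE="${IFACE:-eth0}"                              # assumed capture interface
LDAPS_PORT="${LDAPS_PORT:-636}"                     # assumed LDAPS port
CAPTURE="${CAPTURE:-/tmp/ldaps.pcap}"               # assumed trace path
KEYFILE="${KEYFILE:-/tmp/edir-server-key.pem}"      # assumed unencrypted PEM RSA key
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands, 0 = execute

# Print a command (each argument single-quoted so it can be pasted into a
# shell unchanged) or execute it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# Step 1: capture only the LDAPS port; stop with Ctrl-C once the operation
# under test has completed. -s 0 keeps whole packets, because truncated TLS
# records cannot be decrypted later.
capture_step() {
    run tcpdump -i "$IFACE" -s 0 -w "$CAPTURE" "tcp port $LDAPS_PORT"
}

# Check before decrypting: the ServerHello (handshake type 2) carries the
# negotiated cipher suite. Only RSA key-exchange suites can be decrypted
# with the server key, e.g. 0x002f/0x0035 (TLS_RSA_WITH_AES_*_CBC_SHA) or
# 0x009c/0x009d (TLS_RSA_WITH_AES_*_GCM_*). DHE (0x0033/0x0039), ECDHE
# (0xc0xx) and TLS 1.3 use ephemeral keys and stay opaque.
ciphersuite_step() {
    run tshark -r "$CAPTURE" -Y "tls.handshake.type == 2" \
        -T fields -e tls.handshake.ciphersuite
}

# Step 7 equivalent: register the key in Wireshark's RSA keys list (the
# rsa_keys UAT: file, password), decode the port as TLS and the decrypted
# payload on that port as LDAP, then display only LDAP PDUs.
decode_step() {
    run tshark -r "$CAPTURE" \
        -o "uat:rsa_keys:\"$KEYFILE\",\"\"" \
        -d "tcp.port==$LDAPS_PORT,tls" \
        -d "tls.port==$LDAPS_PORT,ldap" \
        -Y ldap
}

# Cleanup: remove the private-key copy. shred overwrites in place, which is
# best-effort on journaled or copy-on-write filesystems; handle the capture
# file under the same internal process.
cleanup_step() {
    run shred -u "$KEYFILE"
}

main() {
    capture_step
    ciphersuite_step
    decode_step
    cleanup_step
}

main
```

The `-d tcp.port==636,tls` entry is redundant when Wireshark's defaults already treat 636 as LDAPS, but it makes the decode explicit and is what you need when eDirectory listens on a non-standard port. If the cipher-suite check shows an ECDHE or DHE suite, no amount of Decode As configuration will help; capture a TLS key log from the client instead or, for a one-off diagnosis, temporarily restrict the server to an RSA key-exchange suite.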
We hope this process helps in the event you run into an issue where your LDAP server isn’t adequately logging events.