Which procedure is used to test the TLS configuration of an OpenLDAP server?


Running the ldapsearch command with the -ZZ option is the procedure that tests the TLS configuration of an OpenLDAP server. The option forces the client to establish a secure connection via TLS, which lets you confirm whether the server is properly configured to handle TLS connections: with -ZZ, ldapsearch attempts to connect over TLS and fails if the TLS setup is incorrect or if the server is not configured to support it.

Monitoring network traffic during this process gives visibility into the connection attempts and the security negotiation taking place. This is useful for debugging and for verifying both the client and the server settings, so you can confirm that the OpenLDAP server is securely configured to accept TLS connections.

The other commands or methods listed would not adequately test the TLS configuration. For instance, using the -x option establishes a simple SASL authentication mechanism which does not engage TLS. The slapcat command is focused on dumping the contents of the LDAP database and does not interact with the TLS layer, which makes it irrelevant for testing TLS specifically. Lastly, reviewing the TLS negotiation in log files may provide insights after the fact, but it does not actively test whether the TLS configuration is functioning properly in real time.
