Some systems cannot connect to ldap via ldaps, but others can, is it the wildcard cert?

ssl-certificate ldap edirectory

97,299

Solution 1

ldapsearch is looking in /etc/openldap/cacerts for its store of trusted CA certificates, and that apparently is not set up, and thus it is rejecting the certificate since it can't construct a trust chain for it. If ldapsearch were using OpenSSL, it would need a "hashdir" format collection as produced by e.g. the Red Hat "authconfig" program, or a single file with a flat list of trusted certificates. The reference here to "moznss" suggests that this ldapsearch is built against Mozilla NSS, in which case you need to use "certutil" to make the cert db (or better, point it at the system NSS certificate store, if there is one).

On the systems where it's working ldapsearch must have a working certificate store, perhaps because those OpenLDAP packages are built against OpenSSL instead (or maybe there's a working NSS-style store available there).

Solution 2

ldapsearch will say "Can't contact LDAP server" if it can't verify the TLS certificate. Add -d1 to your ldapsearch command, and check the output lines that begin with "TLS:" to get more information about whether the TLS connection is failing and why.

Solution 3

Solution depends on your installation:

If you are using a non valid cert, you can force accept it configuring /etc/openldap/ldap.conf with
```
TLS_REQCERT allow
```
or
```
TLS_REQCERT never
```
If you are using a valid cert probably your ldap instalation don't know where store of trusted CA certificates is (probably depending on your OpenSSL installation). Then you can try to set it location and force check configuring /etc/openldap/ldap.conf with
```
TLS_CACERT /etc/openldap/cacert
TLS_REQCERT demand
```
/etc/openldap/cacert can be this or be located in any path. It must contain certificate chain of your CA. It can be a single file with a flat list of trusted certificates.

Note paths depends on ldap provider. It could be /etc/ldap or /etc/openldap or so.

97,299

David R.

Updated on September 18, 2022

Comments

David R. almost 2 years
When trying to make ldaps connections to my Novel eDirectory 8.8 server, sometimes I have to put TLS_REQCERT never in the client servers ldap.conf file. Obviously, this is a bad idea.

The command I run is something like this with credentials that actually work...
```
ldapsearch -x -H ldaps://ldapserver -b 'ou=active,ou=people,dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -W "cn=username"
```
On Ubuntu 13.10, it works fine.

On SLES it works fine.

On CentOS 6.5 it returns:
```
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
Now, the cert I've imported is a wildcard cert purchased from DigiCert. My coworker found some reports indicating that some systems have issues with wildcards.

So, is the wildcard cert to blame? If so, how do I fix it?

If it is not the wildcard cert, then what is it?

Following Andrew Schulman's suggestion, I added -d1 to my ldapsearch command. Here is what I ended up with:
```
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.225.0.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```
From what that says, CentOS doesn't trust DigiCert? Or CentOS doesn't have a list of trusted issuers?
- Richard E. Silverman over 10 years
  
  "Can't contact LDAP server" sounds more like the server is simply not reachable from that client machine. Have you checked first that you can in fact connect to it? E.g. telnet ldapserver ldaps or openssl s_client -connect ldapserver:636.
- David R. over 10 years
  
  Yes, I have confirmed that it can connect to the server. After all, it would never work at all if it couldn't connect at all.
- Richard E. Silverman over 10 years
  
  You mentioned three different client hosts. The one which is not working might have been unable to connect due to a networking issue while the others could.
- David R. over 10 years
  
  I thought my post was pretty clear that I was editing the ldap.conf file on all hosts. As in when I added the line to file, it worked, but without the line it didn't. Thus, not a connection issue.
- nit17 over 10 years
  
  "TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found." Have you checked the existence/permissions of /etc/openldap/cacerts?
David R. over 10 years

I edited my question in response to your suggestion. Thanks!
David R. over 10 years

Ah. /etc/openldap/certs is where the cert store is. Not cacerts. In /etc/openldap/ldap.conf I changed TLS_CACERTDIR /etc/openldap/cacerts to TLS_CACERTDIR /etc/openldap/certs and my ldapsearch command started working. Thanks!
vcardillo about 7 years

I have ldapsearch installed on Ubuntu 16.04, and there's no /etc/openldap directory.