Some systems cannot connect to ldap via ldaps, but others can, is it the wildcard cert?
Solution 1
ldapsearch is looking in /etc/openldap/cacerts for its store of trusted CA certificates, and that apparently is not set up, and thus it is rejecting the certificate since it can't construct a trust chain for it. If ldapsearch were using OpenSSL, it would need a "hashdir" format collection as produced by e.g. the Red Hat "authconfig" program, or a single file with a flat list of trusted certificates. The reference here to "moznss" suggests that this ldapsearch is built against Mozilla NSS, in which case you need to use "certutil" to make the cert db (or better, point it at the system NSS certificate store, if there is one).
On the systems where it's working ldapsearch must have a working certificate store, perhaps because those OpenLDAP packages are built against OpenSSL instead (or maybe there's a working NSS-style store available there).
Solution 2
ldapsearch will say "Can't contact LDAP server" if it can't verify the TLS certificate. Add -d1 to your ldapsearch command, and check the output lines that begin with "TLS:" to get more information about whether the TLS connection is failing and why.
Solution 3
Solution depends on your installation:
If you are using a non-valid cert, you can force-accept it by configuring /etc/openldap/ldap.conf with
TLS_REQCERT allow
or
TLS_REQCERT never
If you are using a valid cert, probably your ldap installation doesn't know where the store of trusted CA certificates is (probably depending on your OpenSSL installation). Then you can try to set its location and force the check by configuring /etc/openldap/ldap.conf with
TLS_CACERT /etc/openldap/cacert
TLS_REQCERT demand
/etc/openldap/cacert can be this or be located in any path. It must contain the certificate chain of your CA. It can be a single file with a flat list of trusted certificates.
Note paths depend on the ldap provider. It could be /etc/ldap or /etc/openldap or so.
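As an added example (not code from the thread or from OpenLDAP), the script below builds a throwaway CA and a "*.example.org" server certificate with openssl and verifies the leaf against the two trust-store layouts Solutions 1 and 3 describe: a flat TLS_CACERT file and a hashed TLS_CACERTDIR directory, plus a hostname check against the wildcard. It assumes an OpenSSL-built client (an NSS-built ldapsearch needs a certutil database instead, which is not shown); all names and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA plus a
# "*.example.org" server cert and show the two trust-store layouts an
# OpenSSL-built ldapsearch reads (TLS_CACERT flat file, TLS_CACERTDIR hashed
# directory), plus a wildcard hostname check. All paths/names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.org" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:*.example.org\n' > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/srv.crt" >/dev/null 2>&1
}

# TLS_CACERT layout: one flat PEM file holding the trusted CA chain.
verify_with_file() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

# TLS_CACERTDIR layout: OpenSSL only finds a CA in a directory when the file is
# named <subject-hash>.0, which is what c_rehash/authconfig produce.
build_hashdir() {
  mkdir -p "$1"
  cp "$WORK/ca.crt" "$1/$(openssl x509 -noout -subject_hash -in "$WORK/ca.crt").0"
}
verify_with_dir() {
  openssl verify -CApath "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

# Hostname check against the wildcard SAN, separate from chain trust.
verify_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

make_pki
mkdir -p "$WORK/empty"        # stands in for a missing /etc/openldap/cacerts
build_hashdir "$WORK/hashed"
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report verify_with_file                  # ok: flat file
report verify_with_dir "$WORK/empty"     # FAIL: no chain, like the CentOS client
report verify_with_dir "$WORK/hashed"    # ok: hashed directory
report verify_hostname ldap.example.org  # ok: wildcard is not the problem
```

The empty-directory failure is the same situation as the debug output further down the page: a TLS_CACERTDIR that holds no usable CA leaves the client unable to build a chain, regardless of whether the leaf is a wildcard.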
David R.
Updated on September 18, 2022
Comments
-
David R. almost 2 years
When trying to make ldaps connections to my Novell eDirectory 8.8 server, sometimes I have to put
TLS_REQCERT never
in the client servers' ldap.conf file. Obviously, this is a bad idea. The command I run is something like this, with credentials that actually work...
ldapsearch -x -H ldaps://ldapserver -b 'ou=active,ou=people,dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -W "cn=username"
On Ubuntu 13.10, it works fine.
On SLES it works fine.
On CentOS 6.5 it returns:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Now, the cert I've imported is a wildcard cert purchased from DigiCert. My coworker found some reports indicating that some systems have issues with wildcards.
So, is the wildcard cert to blame? If so, how do I fix it?
If it is not the wildcard cert, then what is it?
Following Andrew Schulman's suggestion, I added -d1 to my ldapsearch command. Here is what I ended up with:
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.225.0.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From what that says, CentOS doesn't trust DigiCert? Or CentOS doesn't have a list of trusted issuers?
-
Richard E. Silverman over 10 years
"Can't contact LDAP server" sounds more like the server is simply not reachable from that client machine. Have you checked first that you can in fact connect to it? E.g.
telnet ldapserver ldaps
or
openssl s_client -connect ldapserver:636
-
David R. over 10 years
Yes, I have confirmed that it can connect to the server. After all, it would never work at all if it couldn't connect at all.
-
Richard E. Silverman over 10 years
You mentioned three different client hosts. The one which is not working might have been unable to connect due to a networking issue while the others could.
-
David R. over 10 years
I thought my post was pretty clear that I was editing the ldap.conf file on all hosts. As in, when I added the line to the file, it worked, but without the line it didn't. Thus, not a connection issue.
-
nit17 over 10 years
"TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found." Have you checked the existence/permissions of /etc/openldap/cacerts?
-
David R. over 10 years
I edited my question in response to your suggestion. Thanks!
-
David R. over 10 years
Ah. /etc/openldap/certs is where the cert store is. Not cacerts. In /etc/openldap/ldap.conf I changed
TLS_CACERTDIR /etc/openldap/cacerts
to
TLS_CACERTDIR /etc/openldap/certs
and my ldapsearch command started working. Thanks!
-
vcardillo about 7 years
I have ldapsearch installed on Ubuntu 16.04, and there's no /etc/openldap directory.