TLS trace: SSL_connect:error in SSLv2/v3 read server hello A

5,738

By changing the port to 3269, it seems you are now connecting to the LDAPS server, which is good. However, the authentication piece isn't completing. You can tell that from this error:

res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>

You need to specify either -w passwd or -W (which will prompt for a password).

The other thing I found necessary was to specify a search base (-b option).

A complete command which worked here:

ldapsearch -x -LLL -d 1 \
  -D cn=user1,cn=users,dc=fj,dc=test -W \
  -H ldaps://winders.fj.test:3269 \
  -b dc=fj,dc=test \
  cn=user1
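The two `-d 1` traces in the question carry the whole diagnosis once you know which lines to read: a TLS handshake that dies at "read server hello" against port 3268 (AD's plaintext Global Catalog port), then, on 3269, a certificate-verification error 20 ("unable to get local issuer certificate") that `TLS_REQCERT never` merely hides, and finally the `000004DC` result that means the search ran on an unauthenticated connection because no password was supplied with `-D`. The script below is an added example, not code from the answer above or from OpenLDAP; it takes constructed excerpts of the question's own trace lines and maps each recognizable line to its cause and the corresponding fix. The rule table and the finding identifiers are my own; the trace text is the page's.

```python
import re

# Constructed excerpts of the two ldapsearch -d 1 traces quoted in the question.
# Hostnames and addresses are the page's own placeholders.
TRACE_PORT_3268 = """\
ldap_connect_to_host: TCP xxxx:3268
connect success
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

TRACE_PORT_3269 = """\
ldap_connect_to_host: TCP xxx:3269
connect success
TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA
TLS certificate verification: Error, unable to get local issuer certificate
ldap_open_defconn: successful
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
Operations error (1)
"""

# Each rule: (regex matched against one trace line, finding id, cause, remedy).
# The ids and wording are this example's own, not OpenLDAP output.
RULES = [
    (re.compile(r"ldap_connect_to_host: TCP \S+:3268\b"),
     "plain-ldap-port",
     "ldaps:// URI points at 3268, the Global Catalog port that does not start "
     "with TLS, so the ClientHello is never answered with a ServerHello",
     "use ldaps://host:3269 (Global Catalog over TLS) or 636, or keep 3268 "
     "with plain ldap:// and -ZZ to negotiate STARTTLS"),
    (re.compile(r"SSL_connect:error in SSLv2/v3 read server hello|TLS: can't connect"),
     "tls-handshake-failed",
     "the TLS handshake failed before any certificate was seen",
     "fix the port/URI first; TLS_REQCERT and TLS_PROTOCOL_MIN cannot help here"),
    (re.compile(r"unable to get local issuer certificate|verification: depth: \d+, err: 20"),
     "untrusted-server-cert",
     "OpenSSL verify error 20: the server certificate chains to a CA the client "
     "does not trust (here the AD root CA)",
     "export the AD root CA as PEM and point TLS_CACERT (or TLS_CACERTDIR) at it, "
     "then keep TLS_REQCERT at demand; TLS_REQCERT never accepts any certificate "
     "and only hides this error"),
    (re.compile(r"000004DC|successful bind must be completed"),
     "anonymous-bind-rejected",
     "the bind DN from -D was sent without a password, so the session is "
     "unauthenticated and AD refuses the search",
     "add -W (prompt) or -w to the ldapsearch command and give a search base with -b"),
]


def diagnose(trace: str) -> list[dict]:
    """Scan a -d 1 trace line by line and return each distinct finding once,
    in the order it first appears, with the line that triggered it."""
    findings = []
    seen = set()
    for line in trace.splitlines():
        for rx, fid, cause, fix in RULES:
            if fid not in seen and rx.search(line):
                seen.add(fid)
                findings.append({"id": fid, "line": line.strip(),
                                 "cause": cause, "fix": fix})
    return findings


def finding_ids(trace: str) -> list[str]:
    """Just the finding identifiers, convenient for checks and tests."""
    return [f["id"] for f in diagnose(trace)]


def report(trace: str) -> str:
    """Human-readable summary of a trace, one finding per paragraph."""
    findings = diagnose(trace)
    if not findings:
        return "no known failure signature found"
    return "\n\n".join(
        f"[{f['id']}]\n  trace: {f['line']}\n  cause: {f['cause']}\n  fix:   {f['fix']}"
        for f in findings)


if __name__ == "__main__":
    print("=== port 3268 ===")
    print(report(TRACE_PORT_3268))
    print("\n=== port 3269 ===")
    print(report(TRACE_PORT_3269))
```

Running it prints, for the first trace, the wrong-port and handshake findings, and for the second the untrusted-CA and unauthenticated-search findings. The order of the rules matters only for ties on one line; `diagnose` keeps first-seen order so the report reads in the same sequence as the trace.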
Author: ImranRazaKhan

Updated on September 18, 2022

Comments

  • ImranRazaKhan
    ImranRazaKhan over 1 year

    I am trying to query AD for users and have tried every option available, but no success.

    Operating System = CentOS 7.5; Packages = OpenLDAP, ldapsearch; directory = Microsoft Active Directory

    My command:

    ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=abc,dc=local" -H "ldaps://xxxx:3268" "uid=abc" -d 1
    

    Following is the debug trace:

    ldap_url_parse_ext(ldaps://xxxx:3268)
    ldap_create
    ldap_url_parse_ext(ldaps://xxxx:3268/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP xxxx:3268
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying x.x.x.x:3268
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLSMC: MozNSS compatibility interception begins.
    tlsmc_intercept_initialization: INFO: entry options follow:
    tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
    tlsmc_intercept_initialization: INFO: certfile = `(null)'
    tlsmc_intercept_initialization: INFO: keyfile = `(null)'
    tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
    tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
    tlsmc_open_nssdb: INFO: initialized MozNSS context.
    tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66'.
    tlsmc_convert: INFO: using the existing PEM dir.
    tlsmc_convert: WARN: extracted cert file is not present.
    tlsmc_convert: WARN: extracted key file is not present.
    tlsmc_intercept_initialization: INFO: altered options follow:
    tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66/cacerts'
    tlsmc_intercept_initialization: INFO: certfile = `(null)'
    tlsmc_intercept_initialization: INFO: keyfile = `(null)'
    tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
    TLSMC: MozNSS compatibility interception ends.
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
    TLS: can't connect: .
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    

    I tried changing values in /etc/openldap/ldap.conf.

    First I added

    TLS_REQCERT never
    

    then

    TLS_REQCERT allow
    

    then set the below as mentioned here, but no success:

    ldap ssl v2 v3 can't read server hallo A

    TLS_PROTOCOL_MIN 3.3
    

    Rebooted my server too but no success.

    If I run with debug level -d 2, the last lines are like:

    tls_read: want=7 error=Connection reset by peer
    TLS: can't connect: .
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    

    My only intention is to run ldapsearch.

    EDIT:

    As suggested by @fission I changed the port, and now I am getting the below:

    >> cat /etc/openldap/ldap.conf
    #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    BASE    dc=abc,dc=local
    URI     ldaps://xxx:3269
    
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    
    #TLS_CACERTDIR  /etc/openldap/certs
    #HOST you-adc1
    #PORT 3268
    TLS_REQCERT never
    
    #TLS_PROTOCOL_MIN 3.3
    
    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON    on
    

    Trace:

    [root@x ~]# ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=xyz,dc=local" -H "ldaps://xxx:3269" "uid=abc" -d 1
    ldap_url_parse_ext(ldaps://xxx:3269)
    ldap_create
    ldap_url_parse_ext(ldaps://xxx:3269/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP xxx:3269
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying x.x.x.x:3269
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLSMC: MozNSS compatibility interception begins.
    tlsmc_intercept_initialization: INFO: entry options follow:
    tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
    tlsmc_intercept_initialization: INFO: certfile = `(null)'
    tlsmc_intercept_initialization: INFO: keyfile = `(null)'
    tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'.
    tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
    tlsmc_intercept_initialization: INFO: altered options follow:
    tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
    tlsmc_intercept_initialization: INFO: certfile = `(null)'
    tlsmc_intercept_initialization: INFO: keyfile = `(null)'
    tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
    TLSMC: MozNSS compatibility interception ends.
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA
    TLS certificate verification: Error, unable to get local issuer certificate
    TLS trace: SSL_connect:SSLv3 read server certificate A
    TLS trace: SSL_connect:SSLv3 read server key exchange A
    TLS trace: SSL_connect:SSLv3 read server certificate request A
    TLS trace: SSL_connect:SSLv3 read server done A
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
    TLS trace: SSL_connect:SSLv3 flush data
    TLS trace: SSL_connect:SSLv3 read finished A
    ldap_open_defconn: successful
    ldap_send_server_request
    ber_scanf fmt ({it) ber:
    ber_scanf fmt ({i) ber:
    ber_flush2: 76 bytes to sd 3
    ldap_result ld 0x559d9b078a70 msgid 1
    wait4msg ld 0x559d9b078a70 msgid 1 (infinite timeout)
    wait4msg continue ld 0x559d9b078a70 msgid 1 all 1
    ** ld 0x559d9b078a70 Connections:
    * host: xxx  port: 3269  (default)
      refcnt: 2  status: Connected
      last used: Sat Oct 20 16:46:31 2018
    
    
    ** ld 0x559d9b078a70 Outstanding Requests:
     * msgid 1,  origid 1, status InProgress
       outstanding referrals 0, parent count 0
      ld 0x559d9b078a70 request count 1 (abandoned 0)
    ** ld 0x559d9b078a70 Response Queue:
       Empty
      ld 0x559d9b078a70 response count 0
    ldap_chkResponseList ld 0x559d9b078a70 msgid 1 all 1
    ldap_chkResponseList returns ld 0x559d9b078a70 NULL
    ldap_int_select
    read1msg: ld 0x559d9b078a70 msgid 1 all 1
    ber_get_next
    ber_get_next: tag 0x30 len 16 contents:
    read1msg: ld 0x559d9b078a70 msgid 1 message type bind
    ber_scanf fmt ({eAA) ber:
    read1msg: ld 0x559d9b078a70 0 new referrals
    read1msg:  mark request completed, ld 0x559d9b078a70 msgid 1
    request done: ld 0x559d9b078a70 msgid 1
    res_errno: 0, res_error: <>, res_matched: <>
    ldap_free_request (origid 1, msgid 1)
    ldap_parse_result
    ber_scanf fmt ({iAA) ber:
    ber_scanf fmt (}) ber:
    ldap_msgfree
    ldap_search_ext
    put_filter: "uid=abc"
    put_filter: default
    put_simple_filter: "uid=abc"
    ldap_send_initial_request
    ldap_send_server_request
    ber_scanf fmt ({it) ber:
    ber_scanf fmt ({) ber:
    ber_flush2: 70 bytes to sd 3
    ldap_result ld 0x559d9b078a70 msgid -1
    wait4msg ld 0x559d9b078a70 msgid -1 (infinite timeout)
    wait4msg continue ld 0x559d9b078a70 msgid -1 all 0
    ** ld 0x559d9b078a70 Connections:
    * host: xxx  port: 3269  (default)
      refcnt: 2  status: Connected
      last used: Sat Oct 20 16:46:31 2018
    
    
    ** ld 0x559d9b078a70 Outstanding Requests:
     * msgid 2,  origid 2, status InProgress
       outstanding referrals 0, parent count 0
      ld 0x559d9b078a70 request count 1 (abandoned 0)
    ** ld 0x559d9b078a70 Response Queue:
       Empty
      ld 0x559d9b078a70 response count 0
    ldap_chkResponseList ld 0x559d9b078a70 msgid -1 all 0
    ldap_chkResponseList returns ld 0x559d9b078a70 NULL
    ldap_int_select
    read1msg: ld 0x559d9b078a70 msgid -1 all 0
    ber_get_next
    ber_get_next: tag 0x30 len 168 contents:
    read1msg: ld 0x559d9b078a70 msgid 2 message type search-result
    ber_scanf fmt ({eAA) ber:
    read1msg: ld 0x559d9b078a70 0 new referrals
    read1msg:  mark request completed, ld 0x559d9b078a70 msgid 2
    request done: ld 0x559d9b078a70 msgid 2
    res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
    ldap_free_request (origid 2, msgid 2)
    ldap_parse_result
    ber_scanf fmt ({iAA) ber:
    ber_scanf fmt (}) ber:
    ldap_err2string
    Operations error (1)
    Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
    ldap_msgfree
    ldap_free_connection 1 1
    ldap_send_unbind
    ber_flush2: 7 bytes to sd 3
    TLS trace: SSL3 alert write:warning:close notify
    ldap_free_connection: actually freed
    
    • fission
      fission over 5 years
      Just wondering, did you try using port 3269? Normally if doing “direct” SSL (instead of STARTTLS) you should use port 3269.
    • ImranRazaKhan
      ImranRazaKhan over 5 years
      @fission as suggested I changed the port and am now getting the error (trace is in main): ldap_err2string Operations error (1)
  • ImranRazaKhan
    ImranRazaKhan over 5 years
    Thanks, it's working now; previously I tried with -b too, but changing the port helped.