TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
By changing the port to 3269, it seems you are now connecting to the LDAPS server, which is good. However, the authentication piece isn't completing. You can tell that from this error:
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
You need to specify either -w passwd or -W (which will prompt for a password).
The other thing I found necessary was to specify a search base (-b option).
A complete command which worked here:
ldapsearch -x -LLL -d 1 \
-D cn=user1,cn=users,dc=fj,dc=test -W \
-H ldaps://winders.fj.test:3269 \
-b dc=fj,dc=test \
cn=user1
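As an added example (not code from the answer above or from the OpenLDAP project), a POSIX shell wrapper that applies the answer's fixes (port 3269, an explicit bind DN with a password, a -b search base) while verifying the domain controller's certificate against the AD root CA instead of silencing verification with TLS_REQCERT never, plus a helper that maps the error strings quoted on this page to their cause. The host, CA path, DNs and sample trace text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the OpenLDAP project.
# Host, CA path and DNs are placeholders; the sample traces are constructed
# from the strings quoted on this page.

# Usage: ad_ldaps_search <dc-host> <ca.pem> <bind-dn> <base-dn> <filter>
# Binds with the password in $LDAP_BIND_PW (handed over with -y so it is not on
# the command line) and requires the DC certificate to chain to the given CA.
ad_ldaps_search() {
    : "${LDAP_BIND_PW:?set LDAP_BIND_PW to the bind password}"
    pwfile=$(mktemp) || return 1
    printf '%s' "$LDAP_BIND_PW" > "$pwfile"
    # LDAPTLS_* are the environment forms of the ldap.conf(5) TLS_* options;
    # REQCERT demand (the default) is what "TLS_REQCERT never" switched off.
    LDAPTLS_CACERT="$2" LDAPTLS_REQCERT=demand \
        ldapsearch -x -LLL -o nettimeout=10 \
            -H "ldaps://$1:3269" -D "$3" -y "$pwfile" -b "$4" "$5"
    rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Usage: diagnose_ldapsearch <ldapsearch output or -d 1 trace text>
# Prints one line per recognised symptom; several can apply to one run.
diagnose_ldapsearch() {
    found=0
    case $1 in *"error in SSLv2/v3 read server hello A"*|*"Connection reset by peer"*)
        echo "tls-handshake: 3268 is plain LDAP (GC); use ldaps:// on 3269"; found=1;;
    esac
    case $1 in *"unable to get local issuer certificate"*)
        echo "untrusted-ca: set TLS_CACERT to the AD root CA instead of TLS_REQCERT never"; found=1;;
    esac
    case $1 in *"successful bind must be completed"*)
        echo "no-bind: AD refuses unauthenticated search; bind with -D plus -w/-W/-y"; found=1;;
    esac
    [ "$found" -eq 1 ] || echo "unknown: rerun with -d 1 and read the TLS trace"
}

# Constructed samples: the port 3268 failure and the port 3269 run from the question.
SAMPLE_3268="TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: . ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
SAMPLE_3269="TLS certificate verification: Error, unable to get local issuer certificate
ldap_err2string Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1"

diagnose_ldapsearch "$SAMPLE_3268"
diagnose_ldapsearch "$SAMPLE_3269"
```

Port 3268 is the Global Catalog's plain LDAP port and 3269 its LDAPS port, which is why ldaps:// against 3268 never gets past the server hello; the 3269 run in the question still shows the untrusted-CA warning because TLS_REQCERT never only hides it.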
Question by ImranRazaKhan (updated on September 18, 2022):
I am trying to query AD for users and have tried every option available, but with no success.
Operating System = CentOS 7.5; Packages = OpenLDAP, ldapsearch; Microsoft Active Directory
My command:
ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=abc,dc=local" -H "ldaps://xxxx:3268" "uid=abc" -d 1
Following is the debug trace:
ldap_url_parse_ext(ldaps://xxxx:3268) ldap_create ldap_url_parse_ext(ldaps://xxxx:3268/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP xxxx:3268 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying x.x.x.x:3268 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLSMC: MozNSS compatibility interception begins. tlsmc_intercept_initialization: INFO: entry options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs' tlsmc_intercept_initialization: INFO: certfile = `(null)' tlsmc_intercept_initialization: INFO: keyfile = `(null)' tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'. tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``. tlsmc_open_nssdb: INFO: initialized MozNSS context. tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66'. tlsmc_convert: INFO: using the existing PEM dir. tlsmc_convert: WARN: extracted cert file is not present. tlsmc_convert: WARN: extracted key file is not present. tlsmc_intercept_initialization: INFO: altered options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66/cacerts' tlsmc_intercept_initialization: INFO: certfile = `(null)' tlsmc_intercept_initialization: INFO: keyfile = `(null)' tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:error in SSLv2/v3 read server hello A TLS: can't connect: . ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I tried changing values in /etc/openldap/ldap.conf.
First I added
TLS_REQCERT never
then
TLS_REQCERT allow
then set the line below, as mentioned in "ldap ssl v2 v3 can't read server hallo A", but no success:
TLS_PROTOCOL_MIN 3.3
Rebooted my server too, but no success.
If I run with debug level -d 2, the last lines are like:
tls_read: want=7 error=Connection reset by peer TLS: can't connect: . ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
My only intention is to run ldapsearch.
EDIT:
As suggested by @fission I changed the port and now I am getting the below:
>> cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=abc,dc=local
URI ldaps://xxx:3269
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
#HOST you-adc1
#PORT 3268
TLS_REQCERT never
#TLS_PROTOCOL_MIN 3.3
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
Trace:
[root@x ~]# ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=xyz,dc=local" -H "ldaps://xxx:3269" "uid=abc" -d 1
ldap_url_parse_ext(ldaps://xxx:3269) ldap_create ldap_url_parse_ext(ldaps://xxx:3269/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP xxx:3269 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying x.x.x.x:3269 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLSMC: MozNSS compatibility interception begins. tlsmc_intercept_initialization: INFO: entry options follow: tlsmc_intercept_initialization: INFO: cacertdir = `(null)' tlsmc_intercept_initialization: INFO: certfile = `(null)' tlsmc_intercept_initialization: INFO: keyfile = `(null)' tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: altered options follow: tlsmc_intercept_initialization: INFO: cacertdir = `(null)' tlsmc_intercept_initialization: INFO: certfile = `(null)' tlsmc_intercept_initialization: INFO: keyfile = `(null)' tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server key exchange A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 76 bytes to sd 3 ldap_result ld 0x559d9b078a70 msgid 1 wait4msg ld 0x559d9b078a70 msgid 1 (infinite timeout) wait4msg continue ld 0x559d9b078a70 msgid 1 all 1 ** ld 0x559d9b078a70 Connections: * host: xxx port: 3269 (default) refcnt: 2 status: Connected last used: Sat Oct 20 16:46:31 2018 ** ld 0x559d9b078a70 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x559d9b078a70 request count 1 (abandoned 0) ** ld 0x559d9b078a70 Response Queue: Empty ld 0x559d9b078a70 response count 0 ldap_chkResponseList ld 0x559d9b078a70 msgid 1 all 1 ldap_chkResponseList returns ld 0x559d9b078a70 NULL ldap_int_select read1msg: ld 0x559d9b078a70 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0x559d9b078a70 msgid 1 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x559d9b078a70 0 new referrals read1msg: mark request completed, ld 0x559d9b078a70 msgid 1 request done: ld 0x559d9b078a70 msgid 1 res_errno: 0, res_error: <>, res_matched: <> 
ldap_free_request (origid 1, msgid 1) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_search_ext put_filter: "uid=abc" put_filter: default put_simple_filter: "uid=abc" ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 70 bytes to sd 3 ldap_result ld 0x559d9b078a70 msgid -1 wait4msg ld 0x559d9b078a70 msgid -1 (infinite timeout) wait4msg continue ld 0x559d9b078a70 msgid -1 all 0 ** ld 0x559d9b078a70 Connections: * host: xxx port: 3269 (default) refcnt: 2 status: Connected last used: Sat Oct 20 16:46:31 2018 ** ld 0x559d9b078a70 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x559d9b078a70 request count 1 (abandoned 0) ** ld 0x559d9b078a70 Response Queue: Empty ld 0x559d9b078a70 response count 0 ldap_chkResponseList ld 0x559d9b078a70 msgid -1 all 0 ldap_chkResponseList returns ld 0x559d9b078a70 NULL ldap_int_select read1msg: ld 0x559d9b078a70 msgid -1 all 0 ber_get_next ber_get_next: tag 0x30 len 168 contents: read1msg: ld 0x559d9b078a70 msgid 2 message type search-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x559d9b078a70 0 new referrals read1msg: mark request completed, ld 0x559d9b078a70 msgid 2 request done: ld 0x559d9b078a70 msgid 2 res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_err2string Operations error (1) Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 TLS trace: SSL3 alert write:warning:close notify ldap_free_connection: actually freed
-
fission, over 5 years ago: Just wondering, did you try using port 3269? Normally if doing “direct” SSL (instead of STARTTLS) you should use port 3269.
ImranRazaKhan, over 5 years ago: @fission as suggested I changed the port and am now getting this error (the trace is in the main question): ldap_err2string Operations error (1)
-
ImranRazaKhan, over 5 years ago: Thanks, it's working now; previously I tried with -b too, but changing the port helped.