I am trying to use ldapsearch over an SSL/TLS connection, but it doesn't work:
ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D "cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269 -w "mypass" -x "(cn=test)"
ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com port: 3269 (default)
refcnt: 2 status: Connected
last used: Mon Feb 27 10:59:43 2012
** ld 0x95ff590 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
The error message doesn't give enough of a hint on what is wrong. In contrast, a simple binding and search goes well without any problem on port 389.
Any hint?
P.S. Here is my ldap.conf:
TLS_REQCERT demand
TLS_CACERT ./cacert.pem
I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(
The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.
Ensure that the LDAP settings are correct. To verify, click System > Security. Note: If a login failure is reported, and the event log does not contain an entry specifying that the connection to the LDAP server has failed, then the login failure is more likely to be a general authentication issue.
First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.
Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this:
HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW
You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.
This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation to the mix.
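Added example, not part of the original answer: a shell sketch that picks ldaps:// or ldap:// from the port and audits an ldap.conf/ldaprc file for the unverified TLS_REQCERT setting shown above versus a verified one. The function names ldap_uri_for and check_ldap_tls_conf are hypothetical, and the script assumes the last TLS_REQCERT / TLS_CACERT line in a file is the effective one and does not look at TLS_CACERTDIR.

```shell
#!/bin/sh
# Added example, not from the original answer; function names are hypothetical.

# 636 and 3269 expect TLS from the first byte, so they take ldaps:// and no -ZZ.
# Assumption: any other port is a plaintext LDAP port where -ZZ (StartTLS) applies.
ldap_uri_for() {
    case "$2" in
        636|3269) printf 'ldaps://%s:%s\n' "$1" "$2" ;;
        *)        printf 'ldap://%s:%s\n' "$1" "$2" ;;
    esac
}

# Audit one ldap.conf/ldaprc file. Prints a verdict and returns 0 only when the
# server certificate is required and a readable CA file is configured.
check_ldap_tls_conf() {
    conf=$1
    # Option names are matched case-insensitively; "# ..." comment lines never match.
    # Assumption: the last TLS_REQCERT / TLS_CACERT line is the effective one.
    level=$(awk 'tolower($1) == "tls_reqcert" { v = tolower($2) } END { print v }' "$conf")
    cacert=$(awk 'tolower($1) == "tls_cacert" { v = $2 } END { print v }' "$conf")
    case "${level:-demand}" in        # demand is the default when the option is unset
        demand|hard) ;;
        never|allow|try)
            echo "unverified: TLS_REQCERT $level does not require a valid server certificate"
            return 1 ;;
        *)  echo "invalid: unknown TLS_REQCERT value '$level'"
            return 2 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "no-ca: no TLS_CACERT set, trust depends on the TLS library build"
        return 3
    fi
    # A relative path such as ./cacert.pem is resolved against the current directory.
    if [ ! -r "$cacert" ]; then
        echo "broken: TLS_CACERT $cacert is not readable from $(pwd)"
        return 4
    fi
    echo "verified: TLS_REQCERT ${level:-demand}, CA file $cacert"
}
```

Run check_ldap_tls_conf from the directory where ldapsearch will be started, since a relative TLS_CACERT path like the ./cacert.pem in the question is checked against that directory.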