When trying to make ldaps connections to my Novel eDirectory 8.8 server, sometimes I have to put TLS_REQCERT never in the client servers ldap.conf file. Obviously, this is a bad idea.

The command I run is something like this with credentials that actually work…

ldapsearch -x -H ldaps://ldapserver -b 'ou=active,ou=people,dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -W "cn=username"

On Ubuntu 13.10, it works fine.

On SLES it works fine.

On CentOS 6.5 it returns:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Now, the cert I’ve imported is a wildcard cert purchased from DigiCert. My coworker found some reports indicating that some systems have issues with wildcards.

So, is the wildcard cert to blame? If so, how do I fix it?

If it is not the wildcard cert, then what is it?

Following Andrew Schulman’s suggestion, I added -d1 to my ldapsearch command. Here is what I ended up with:

ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.225.0.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir="/etc/openldap" tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

From what that says, CentOS doesn’t trust DigiCert? Or CentOS doesn’t have a list of trusted issuers?

Leave a Reply

Your email address will not be published. Required fields are marked *