When trying to make ldaps connections to my Novell eDirectory 8.8 server, sometimes I have to put
TLS_REQCERT never in the client server's ldap.conf file. Obviously, this is a bad idea.
The command I run is something like this with credentials that actually work…
ldapsearch -x -H ldaps://ldapserver -b 'ou=active,ou=people,dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -W "cn=username"
On Ubuntu 13.10, it works fine.
On SLES it works fine.
On CentOS 6.5 it returns:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Now, the cert I’ve imported is a wildcard cert purchased from DigiCert. My coworker found some reports indicating that some systems have issues with wildcards.
So, is the wildcard cert to blame? If so, how do I fix it?
If it is not the wildcard cert, then what is it?
Following Andrew Schulman’s suggestion, I added -d1 to my ldapsearch command. Here is what I ended up with:
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.225.0.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir="/etc/openldap" tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From what that says, CentOS doesn’t trust DigiCert? Or CentOS doesn’t have a list of trusted issuers?
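The trace above points at the client side: the NSS-backed OpenLDAP client on CentOS looks for its CA material under /etc/openldap/cacerts, finds nothing, and so cannot build a chain to the DigiCert root. A quick way to tell a "TLS_REQCERT never" workaround from a properly trusted client is to audit the client's ldap.conf for the verification and CA directives. The script below is an added example written for this page, not code from the question or from OpenLDAP; TLS_REQCERT, TLS_CACERT and TLS_CACERTDIR are the real ldap.conf(5) keywords, while the config bodies, file paths and the placeholder CA bundle it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question): audit an OpenLDAP client
# ldap.conf for the settings that decide whether ldapsearch verifies the
# ldaps:// server certificate, and whether the CA material it points at
# actually exists on disk. Directive names are the real ldap.conf(5)
# keywords; all paths and config contents below are constructed.

# get_directive FILE KEYWORD: print the value of the last uncommented
# occurrence of KEYWORD in FILE (later lines override earlier ones).
# The keyword must be followed by whitespace, so TLS_CACERT never
# matches a TLS_CACERTDIR line.
get_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_ldap_conf FILE: print one finding per line. Returns 0 when the
# client enforces certificate verification and has CA trust material,
# 1 when either is missing.
audit_ldap_conf() {
    conf=$1
    ok=0
    reqcert=$(get_directive "$conf" TLS_REQCERT)
    cacert=$(get_directive "$conf" TLS_CACERT)
    cacertdir=$(get_directive "$conf" TLS_CACERTDIR)

    # ldap.conf(5): when TLS_REQCERT is absent the default is "demand".
    case "${reqcert:-demand}" in
        never|allow)
            echo "FAIL: TLS_REQCERT $reqcert - certificate failures are ignored, so any host answering on 636 is accepted as the directory"
            ok=1 ;;
        try|demand|hard)
            echo "OK:   TLS_REQCERT ${reqcert:-demand (default)} - an invalid server certificate aborts the session" ;;
        *)
            echo "FAIL: TLS_REQCERT '$reqcert' is not a recognised value"
            ok=1 ;;
    esac

    # Without a CA source the client falls back to the library's default
    # store, which is exactly what the -d1 trace shows missing on CentOS.
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: neither TLS_CACERT nor TLS_CACERTDIR is set - verification depends on the library default store"
        ok=1
    fi
    if [ -n "$cacert" ]; then
        if [ -s "$cacert" ]; then
            echo "OK:   TLS_CACERT $cacert exists"
        else
            echo "FAIL: TLS_CACERT $cacert is missing or empty"
            ok=1
        fi
    fi
    if [ -n "$cacertdir" ]; then
        if [ -d "$cacertdir" ] && [ -n "$(ls -A "$cacertdir" 2>/dev/null)" ]; then
            echo "OK:   TLS_CACERTDIR $cacertdir exists and is not empty"
        else
            echo "FAIL: TLS_CACERTDIR $cacertdir is missing or empty (compare the 'could not get info about the CA certificate directory' line in the trace)"
            ok=1
        fi
    fi
    return $ok
}

# Demonstration on two constructed configs: the "TLS_REQCERT never"
# workaround from the question, and a hardened equivalent that points at
# a CA bundle file (a placeholder here, not a real certificate).
demo_dir=$(mktemp -d)
printf 'URI ldaps://ldap.example.org\nBASE dc=example,dc=org\nTLS_REQCERT never\n' > "$demo_dir/weak.conf"
printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real CA)\n-----END CERTIFICATE-----\n' > "$demo_dir/ca-bundle.pem"
printf 'URI ldaps://ldap.example.org\nBASE dc=example,dc=org\nTLS_REQCERT demand\nTLS_CACERT %s\n' "$demo_dir/ca-bundle.pem" > "$demo_dir/fixed.conf"
for f in weak fixed; do
    echo "== $f.conf =="
    if audit_ldap_conf "$demo_dir/$f.conf"; then echo "result: safe"; else echo "result: unsafe"; fi
done
rm -rf "$demo_dir"
```

Run it against the real /etc/openldap/ldap.conf on the CentOS box with `audit_ldap_conf /etc/openldap/ldap.conf`; a FAIL on the CA lines means the fix is to install the issuing chain where the client looks (or point TLS_CACERT at a bundle that contains it), not to relax TLS_REQCERT.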