Some systems cannot connect to ldap via ldaps, but others can, is it the wildcard cert?
When trying to make ldaps connections to my Novel eDirectory 8.8 server, sometimes I have to put TLS_REQCERT never
in the client servers ldap.conf file. Obviously, this is a bad idea.
The command I run is something like this with credentials that actually work...
ldapsearch -x -H ldaps://ldapserver -b 'ou=active,ou=people,dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -W "cn=username"
On Ubuntu 13.10, it works fine.
On SLES it works fine.
On CentOS 6.5 it returns:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Now, the cert I've imported is a wildcard cert purchased from DigiCert. My coworker found some reports indicating that some systems have issues with wildcards.
So, is the wildcard cert to blame? If so, how do I fix it?
If it is not the wildcard cert, then what is it?
Following Andrew Schulman's suggestion, I added -d1
to my ldapsearch command. Here is what I ended up with:
ldap_url_parse_ext(ldaps://ldap.example.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.org:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.225.0.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From what that says, CentOS doesn't trust DigiCert? Or CentOS doesn't have a list of trusted issuers?
Solution 1:
ldapsearch is looking in /etc/openldap/cacerts for its store of trusted CA certificates, and that apparently is not set up, and thus it is rejecting the certificate since it can't construct a trust chain for it. If ldapsearch were using OpenSSL, it would need a "hashdir" format collection as produced by e.g. the Red Hat "authconfig" program, or a single file with a flat list of trusted certificates. The reference here to "moznss" suggests that this ldapsearch is built against Mozilla NSS, in which case you need to use "certutil" to make the cert db (or better, point it at the system NSS certificate store, if there is one).
On the systems where it's working ldapsearch must have a working certificate store, perhaps because those OpenLDAP packages are built against OpenSSL instead (or maybe there's a working NSS-style store available there).
Solution 2:
ldapsearch will say "Can't contact LDAP server" if it can't verify the TLS certificate. Add -d1
to your ldapsearch command, and check the output lines that begin with "TLS:" to get more information about whether the TLS connection is failing and why.
Solution 3:
Solution depends on your installation:
-
If you are using a non valid cert, you can force accept it configuring
/etc/openldap/ldap.conf
withTLS_REQCERT allow
or
TLS_REQCERT never
-
If you are using a valid cert probably your ldap instalation don't know where store of trusted CA certificates is (probably depending on your OpenSSL installation). Then you can try to set it location and force check configuring
/etc/openldap/ldap.conf
withTLS_CACERT /etc/openldap/cacert TLS_REQCERT demand
/etc/openldap/cacert
can be this or be located in any path. It must contain certificate chain of your CA. It can be a single file with a flat list of trusted certificates.
Note paths depends on ldap provider. It could be /etc/ldap
or /etc/openldap
or so.