Why doesn't ldapsearch over ssl/tls work?
I am trying to use ldapsearch over a SSL/TLS connection, but it doesn't work:

ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D
"cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269
-w "mypass" -x "(cn=test)"

ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com  port: 3269  (default)
refcnt: 2  status: Connected
last used: Mon Feb 27 10:59:43 2012

** ld 0x95ff590 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)

The error message doesn't give enough of a hint on what is wrong. In contrast, a simple binding and search goes well without any problem on port 389.

Any hint?

P.S. Here is my ldap.conf:

TLS_REQCERT demand
TLS_CACERT ./cacert.pem

I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(

Splendiferous answered 27/2, 2012 at 16:5 Comment(2)
It doesn't look like it's attempting to use TLS. You could use the -H switch instead, with an LDAP URL: ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub -D "cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -H ldaps://my.server.com:3269 -w "mypass" -x "(cn=test)" [Colloquial]
You may want to add a per-user .ldaprc file with the above and use full path for TLS_CACERT. Also see TLS_CACERTDIR and manpage of ldap.conf. [Methodize]
First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.

Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this:

HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW

You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.

This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation (URL updated 2023) to the mix.

Dangelo answered 27/11, 2012 at 21:50 Comment(2)
Note you can do this temporarily via an environment variable LDAPTLS_REQCERT=ALLOW (also LDAPTLS_CERT=/path/to/cert and so on but I couldn't get that to work because it asks for a keyfile that I don't have). [Breathing]
OP has TLS_CACERT set - which should be all he needs although he should probably use a user-config ($HOME/.ldaprc) and a full path for TLS_CACERT. [Methodize]
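The thread above amounts to two points: -ZZ with -h/-p opens a plaintext connection and then asks for StartTLS, which an LDAPS port such as 3269 will not answer, so the fix is an ldaps:// URL; and TLS_REQCERT ALLOW makes the search work by switching peer verification off, which the comments rightly push back on. The following POSIX sh helpers are an added example, not code from the question or answers: one builds an ldapsearch command that keeps verification on (the host, port, DNs and CA path are placeholders), the other flags an ldap.conf/.ldaprc that turns it off.

```shell
# Added example: LDAPS invocation with certificate verification kept on.
# ldaps_cmd HOST PORT BINDDN BASE FILTER CAFILE
# Prints the ldapsearch command line. The password is requested with -W so it
# never appears on the command line or in shell history.
ldaps_cmd() {
    host=$1; port=$2; binddn=$3; base=$4; filter=$5; cafile=$6
    case $cafile in
        /*) ;;   # TLS_CACERT must be absolute: ./cacert.pem breaks when the cwd changes
        *) echo "CA file must be an absolute path: $cafile" >&2; return 1 ;;
    esac
    # ldaps:// (TLS from the first byte) replaces -ZZ, which is StartTLS on a
    # plaintext session and is wrong for an LDAPS port.
    printf 'LDAPTLS_REQCERT=demand LDAPTLS_CACERT=%s ldapsearch -x -H ldaps://%s:%s -D "%s" -W -b "%s" -s sub "%s"\n' \
        "$cafile" "$host" "$port" "$binddn" "$base" "$filter"
}

# check_ldaprc FILE: return 0 when the file still enforces peer verification,
# 1 when TLS_REQCERT has been relaxed (allow/try/never). OpenLDAP's default
# when the directive is absent is demand, so an unset value passes.
check_ldaprc() {
    file=$1
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$file")
    case $reqcert in
        demand|hard|"") return 0 ;;
        *) echo "$file: TLS_REQCERT $reqcert disables certificate verification" >&2; return 1 ;;
    esac
}
```

Run the printed command with eval, or paste it; if it still fails with verification on, the CA file rather than the transport is the thing to fix.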
