
OpenLDAP SSL error

After installing OpenLDAP on Red Hat, I can start the process and access it using ldapsearch, but I cannot access it via SSL; I get errors like the ones below:

# ldapsearch -d 1 -x -D "cn=Manager,dc=example,dc=com" -w secret -H ldaps://192.168.16.88 cn
ldap_create
ldap_url_parse_ext(ldaps://192.168.16.88)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.16.88:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.16.88:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

I did a test using openssl to verify whether SSL works:

 # openssl s_client -connect 192.168.16.88:636
CONNECTED(00000003)
10484:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
 # openssl s_client -connect 192.168.16.88:636 -CAfile slapd.pem  -key slapd.pem
CONNECTED(00000003)
10034:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

After troubleshooting for a while, it turned out to be a configuration syntax error: there should be no space before each option, like below:

TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

but mine was configured as

  TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
  TLSCertificateFile /etc/pki/tls/certs/slapd.pem
  TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

I hope this helps people who hit the same problem.
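The reason the leading spaces matter: slapd.conf(5) treats a line that begins with whitespace as a continuation of the previous line (even when that line is a comment), so indented TLS directives are never parsed as directives and slapd starts without TLS at all. The checker below is an added example, not code from the post; it applies that line-joining rule to a constructed config fragment and reports which TLS directives would really be in effect.

```python
"""Added example (not from the post): find slapd.conf TLS directives that
leading whitespace turned into continuation lines."""

TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")


def logical_lines(text):
    """Join lines as slapd.conf(5) does: a line starting with whitespace
    continues the previous non-blank line, even if that line is a comment."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank lines are ignored
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return joined


def check_tls_config(text):
    """Return (effective, warnings). effective maps each TLS directive slapd
    would actually apply to its path; warnings explain swallowed directives."""
    effective, warnings = {}, []
    for line in logical_lines(text):
        tokens = line.split()
        head = tokens[0]
        if head.startswith("#"):
            # Indented lines glued onto a comment are discarded with the comment.
            warnings += [f"{t} became part of a comment" for t in tokens[1:] if t in TLS_DIRECTIVES]
            continue
        if head in TLS_DIRECTIVES and len(tokens) > 1:
            effective[head] = tokens[1]
        warnings += [f"{t} became an argument of {head}" for t in tokens[2:] if t in TLS_DIRECTIVES]
    warnings += [f"{d} is not in effect" for d in TLS_DIRECTIVES if d not in effective]
    return effective, warnings

# Constructed sample mirroring the post: the indented block is the broken form.
BROKEN_CONF = """\
# TLS settings
  TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
  TLSCertificateFile /etc/pki/tls/certs/slapd.pem
  TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
"""
FIXED_CONF = BROKEN_CONF.replace("\n  TLS", "\nTLS")  # strip the leading spaces

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        effective, warnings = check_tls_config(conf)
        print(label, sorted(effective), warnings)
```

On the broken fragment all three directives are reported as swallowed by the comment and none is in effect; on the fixed fragment all three resolve to the .pem path with no warnings.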

Problem Graphite doesn’t support special characters like “ “ (empty space), “/” slash etc. Because it expect everything to be just ASCII to split/processing them, and then make directories based on metric name. For example:   Metric:     datacenter1.server1.app1.metric1.abc Will create datacenter1/server1/app1/metric1/abc.wsp But Metric: datacentter1.this is a test/with/path.app.test will fail when create directory So any special name not allow to appear in directory/file name is not supported by Graphite.   What we can do?   We can urlEncode the metric name which has special characters. So like “/var/opt” (not valid file name) will become “%2Fvar%2Fopt”(now valid), using urlEncode instead of others (like BASE64) is because this will keep most of data readable.   So what to change? 1. urlEncode metric name before send to Graphite (if you always sending metrics using text/line mode instead of pickle/batch mode, then you may consider modify ...