
I installed my CA cert like this:

chmod 644 /usr/local/share/ca-certificates/root-ca.crt && update-ca-certificates

This is successful, but somehow ldapsearch with ldaps still won't connect to the server (Can't contact LDAP server). Without SSL the same command works.

/etc/ldap/ldap.conf:

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

In this file I can find the correct certificate. I can also find it here:

/etc/ssl/certs/root-ca.pem

openssl tells me "Verification: OK" when I run this command:

openssl s_client -connect my.domain.tld:7636

my ldapsearch-command:

ldapsearch -H ldaps://portal.domain.tld:7636 -b "dc=domain,dc=tld" -D "uid=mysynchuzer,CN=Users,DC=domain,DC=tld" -x -w MYPW

UPDATE: I tried the openssl s_client command with -CAfile /etc/ssl/certs/ca-certificates.crt,

which results in an error:

140568237548864:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:../crypto/asn1/asn1_lib.c:91:
140568237548864:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:../crypto/asn1/tasn_dec.c:1137:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:572:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:614:
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=subject, Type=X509_CINF
140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
140568237548864:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:../crypto/pem/pem_info.c:196:
140568237548864:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:../crypto/x509/by_file.c:205:
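The errors in the update come from loading the bundle, not from the TLS handshake: X509_load_cert_crl_file reads every BEGIN/END block in /etc/ssl/certs/ca-certificates.crt, and "ASN1_get_object:too long" means a DER length field declares more bytes than the block actually contains, which is what a certificate that lost a line or had a length byte damaged while being pasted or concatenated looks like. The earlier s_client run without -CAfile succeeds because OpenSSL's default store also loads the hashed per-certificate files under /etc/ssl/certs, so a damaged entry in the concatenated bundle only bites whatever reads the bundle alone, such as ldap.conf's TLS_CACERT. The following checker is an added example written for this page, not code from the original post or from OpenSSL: it splits a bundle into PEM blocks, base64-decodes each one and walks its DER structure, reporting the index and byte offset of the first block that is broken. It checks DER nesting only, not X.509 semantics, and its sample input is a constructed, certificate-shaped structure rather than a real certificate; the bundle path, block layout and corruption cases are assumptions for illustration.

```python
"""Check every PEM block in a CA bundle (e.g. /etc/ssl/certs/ca-certificates.crt)
for base64 and DER structure damage, and report which block is broken.
Added example, not code from the original post."""
import base64
import binascii
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class DerError(ValueError):
    """A DER structure problem; the message carries the byte offset."""


def _read_header(der: bytes, off: int, end: int):
    """Parse the tag and length at `off`; return (tag, body_start, body_len)."""
    start = off
    if off + 2 > end:
        raise DerError(f"offset {start}: truncated header")
    tag = der[off]
    off += 1
    if tag & 0x1F == 0x1F:            # high-tag-number form (legal, rare in X.509)
        while off < end and der[off] & 0x80:
            off += 1
        off += 1
    if off >= end:
        raise DerError(f"offset {start}: truncated header")
    first = der[off]
    off += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError(f"offset {start}: bad object header (length form 0x{first:02x})")
        if off + n > end:
            raise DerError(f"offset {start}: truncated length")
        length = int.from_bytes(der[off:off + n], "big")
        off += n
    if off + length > end:            # the condition OpenSSL reports as "too long"
        raise DerError(f"offset {start}: too long (declares {length} bytes, {end - off} available)")
    return tag, off, length


def walk_der(der: bytes, start: int, end: int) -> int:
    """Walk all TLVs in der[start:end]; constructed elements are descended into and
    their children must exactly fill the body. Returns the number of elements seen."""
    count, off = 0, start
    while off < end:
        tag, body, length = _read_header(der, off, end)
        count += 1
        if tag & 0x20:                # constructed
            count += walk_der(der, body, body + length)
        off = body + length
    return count


def check_der(der: bytes) -> int:
    """Require one outer SEQUENCE covering the whole buffer, then walk it."""
    if not der or der[0] != 0x30:
        raise DerError("outer tag is not SEQUENCE")
    _, body, length = _read_header(der, 0, len(der))
    if body + length != len(der):
        raise DerError(f"{len(der) - body - length} trailing bytes after the outer SEQUENCE")
    return 1 + walk_der(der, body, body + length)


def check_bundle(text: str) -> list:
    """Return (block_index, 'ok'|'bad', detail) for every BEGIN..END block, in file order."""
    results, idx, pos = [], 0, 0
    while (b := text.find(BEGIN, pos)) != -1:
        e = text.find(END, b)
        if e == -1:
            results.append((idx, "bad", "BEGIN without matching END"))
            break
        body = "".join(text[b + len(BEGIN):e].split())
        try:
            der = base64.b64decode(body, validate=True)
            results.append((idx, "ok", f"{len(der)} bytes DER, {check_der(der)} elements"))
        except binascii.Error as exc:
            results.append((idx, "bad", f"base64: {exc}"))
        except DerError as exc:
            results.append((idx, "bad", f"ASN.1: {exc}"))
        idx, pos = idx + 1, e + len(END)
    return results


# --- constructed sample input (NOT a real certificate) ---------------------------
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; lengths up to 65535 are enough for the sample."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body


def sample_der(corrupt_subject: bool = False) -> bytes:
    """Certificate-shaped DER: SEQUENCE { tbs { [0] version, serial, subject }, sigAlg, BIT STRING }.
    With corrupt_subject the subject SET claims twice its real length, so the walk
    fails under the subject field, as OpenSSL did (Field=subject) in the question."""
    rdn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"root-ca"))     # CN=root-ca
    subject_set = bytes([0x31, 2 * len(rdn)]) + rdn if corrupt_subject else tlv(0x31, rdn)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x00") + tlv(0x30, subject_set))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\xab" * 64))


def pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END, ""])


def drop_second_line(block: str) -> str:
    """Simulate a paste that lost one base64 line (outer length then overruns the data)."""
    lines = block.splitlines()
    return "\n".join(lines[:2] + lines[3:]) + "\n"


SAMPLE_BUNDLE = (pem(sample_der()) + pem(sample_der(corrupt_subject=True))
                 + drop_second_line(pem(sample_der())) + pem(sample_der()))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for idx, status, detail in check_bundle(text):
        print(f"block {idx}: {status} - {detail}")
```

Run it as `python3 check_bundle.py /etc/ssl/certs/ca-certificates.crt` to get one line per block; the reported block index counts BEGIN lines from the top of the file, which makes it easy to map the bad entry back to its source under /usr/local/share/ca-certificates or /etc/ssl/certs. The freshly installed file can also be checked on its own with `openssl x509 -in /usr/local/share/ca-certificates/root-ca.crt -noout -text`, and if it parses there but the bundle does not, the damage happened in the bundle rather than in the file you installed.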
  • Please provide the ldapsearch command you are running. – Arlion Mar 02 '21 at 16:18
  • @Arlion `ldapsearch -H ldaps://portal.domain.tld:7636 -b "dc=domain,dc=tld" -D "uid=mysynchuzer,CN=Users,DC=domain,DC=tld" -x -w MYPW` – friendly joe Mar 02 '21 at 16:49
  • what happens when you do ldapsearch -H -v -Z ldap://portal.domain.tld:7636 -b "dc=domain,dc=tld" -D "uid=mysynchuzer,CN=Users,DC=domain,DC=tld" -x -w MYPW – Arlion Mar 02 '21 at 18:14
  • I added " -v -Z " this results in "Could not parse LDAP URI(s)=-v (3)" – friendly joe Mar 03 '21 at 09:17
  • Those arguments are a little out of order (referring to Arlion's comment) . . . put the -H in front of the uri i.e. `. . . -H ldaps://portal.domain.tld:7636 . . .` – Brandon Xavier Mar 03 '21 at 09:35
  • ldap_start_tls: Can't contact LDAP server (-1) ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) – friendly joe Mar 03 '21 at 21:18
  • I tried openssl s_client command with -CAfile /etc/ssl/certs/ca-certificates.crt which results in an error: `140568237548864:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509 140568237548864:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:../crypto/pem/pem_info.c:196: 140568237548864:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:../crypto/x509/by_file.c:205:` – friendly joe Mar 04 '21 at 10:57
  • See [Some systems cannot connect to ldap via ldaps](https://serverfault.com/questions/579131/some-systems-cannot-connect-to-ldap-via-ldaps-but-others-can-is-it-the-wildcar/579148#579148), in particular the suggestion to add `-d1` to your ldapsearch command, and check the output lines that start with `TLS:` for information about why TLS is failing. – Andrew Schulman Mar 05 '21 at 14:17

0 Answers