
I am trying to query AD for users and have tried every option available, but with no success.

Operating System = CentOS 7.5
Packages = OpenLDAP, ldapsearch
Microsoft Active Directory

My command:

ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=abc,dc=local" -H "ldaps://xxxx:3268" "uid=abc" -d 1

Following is the debug trace:

ldap_url_parse_ext(ldaps://xxxx:3268)
ldap_create
ldap_url_parse_ext(ldaps://xxxx:3268/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxxx:3268
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3268
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--8586FAF3B8E91EA51970C3CB5BDAEEAA9CEBC923901B87924ECD0CBBCD8F9C66/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried changing values in /etc/openldap/ldap.conf.

First I added

TLS_REQCERT never

then

TLS_REQCERT allow

then set the value below, as mentioned in "ldap ssl v2 v3 can't read server hallo A", but with no success:

TLS_PROTOCOL_MIN 3.3

Rebooted my server too but no success.

If I run with debug level -d 2, the last lines are like:

tls_read: want=7 error=Connection reset by peer
TLS: can't connect: .
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

My only intention is to run ldapsearch.

EDIT:

As suggested by @fission, I changed the port and now I am getting the below:

>> cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=abc,dc=local
URI     ldaps://xxx:3269

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs
#HOST you-adc1
#PORT 3268
TLS_REQCERT never

#TLS_PROTOCOL_MIN 3.3

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

Trace:

[root@x ~]# ldapsearch -x -LLL -D "uid=abc,ou=Distribution Lists,dc=xyz,dc=local" -H "ldaps://xxx:3269" "uid=abc" -d 1
ldap_url_parse_ext(ldaps://xxx:3269)
ldap_create
ldap_url_parse_ext(ldaps://xxx:3269/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying x.x.x.x:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: , issuer: /DC=local/DC=xxx/CN=xxx-root-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 76 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid 1
wait4msg ld 0x559d9b078a70 msgid 1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid 1 all 1
** ld 0x559d9b078a70 Connections:
* host: xxx  port: 3269  (default)
  refcnt: 2  status: Connected
  last used: Sat Oct 20 16:46:31 2018


** ld 0x559d9b078a70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
   Empty
  ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid 1 all 1
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x559d9b078a70 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg:  mark request completed, ld 0x559d9b078a70 msgid 1
request done: ld 0x559d9b078a70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "uid=abc"
put_filter: default
put_simple_filter: "uid=abc"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 70 bytes to sd 3
ldap_result ld 0x559d9b078a70 msgid -1
wait4msg ld 0x559d9b078a70 msgid -1 (infinite timeout)
wait4msg continue ld 0x559d9b078a70 msgid -1 all 0
** ld 0x559d9b078a70 Connections:
* host: xxx  port: 3269  (default)
  refcnt: 2  status: Connected
  last used: Sat Oct 20 16:46:31 2018


** ld 0x559d9b078a70 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x559d9b078a70 request count 1 (abandoned 0)
** ld 0x559d9b078a70 Response Queue:
   Empty
  ld 0x559d9b078a70 response count 0
ldap_chkResponseList ld 0x559d9b078a70 msgid -1 all 0
ldap_chkResponseList returns ld 0x559d9b078a70 NULL
ldap_int_select
read1msg: ld 0x559d9b078a70 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 168 contents:
read1msg: ld 0x559d9b078a70 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x559d9b078a70 0 new referrals
read1msg:  mark request completed, ld 0x559d9b078a70 msgid 2
request done: ld 0x559d9b078a70 msgid 2
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
Operations error (1)
Additional information: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
  • Just wondering, did you try using port 3269? Normally if doing “direct” SSL (instead of `STARTTLS`) you should use port 3269. – fission Oct 20 '18 at 10:13
  • @fission as suggested I changed the port and am now getting the error (trace is in the main question): ldap_err2string Operations error (1) – ImranRazaKhan Oct 20 '18 at 15:13


By changing the port to 3269, it seems you are now connecting to the LDAPS server, which is good. However, the authentication piece isn't completing. You can tell that from this error:

res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>

You need to specify either -w passwd or -W (which will prompt for a password).

The other thing I found necessary was to specify a search base (-b option).

A complete command which worked here:

ldapsearch -x -LLL -d 1 \
  -D cn=user1,cn=users,dc=fj,dc=test -W \
  -H ldaps://winders.fj.test:3269 \
  -b dc=fj,dc=test \
  cn=user1
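As an added example (not part of the question or of fission's answer), a small Python triage helper that maps the stages visible in the two -d 1 traces above to the fixes discussed in this thread: the ldaps:// URI on the plaintext global-catalog port 3268, the untrusted issuing CA that TLS_REQCERT never papers over, and the search sent before any bind. The port tables and the two sample traces are constructed here from the lines quoted in the question; the TLS_CACERT/TLS_CACERTDIR, TLS_REQCERT demand and -ZZ options are the documented ldap.conf(5)/ldapsearch(1) ones.

```python
import re
from urllib.parse import urlsplit

# AD port pairs: 389/636 (domain partition) and 3268/3269 (global catalog). The lower
# port is plaintext LDAP (STARTTLS-capable); the higher expects TLS from the first byte.
PLAIN_PORTS, LDAPS_PORTS = {389, 3268}, {636, 3269}

# (finding, regex over the -d 1 trace, advice), ordered by connection lifecycle.
CHECKS = [
    ("tls_handshake_failed",
     r"error in SSLv2/v3 read server hello|tls_read: want=\d+ error=Connection reset by peer",
     "Server dropped the connection at the client hello: ldaps:// is pointed at a plaintext "
     "port. Use 3269 (or 636), or ldap:// with -ZZ (STARTTLS) on 3268/389."),
    ("untrusted_server_cert",
     r"TLS certificate verification: Error, unable to get local issuer certificate",
     "Issuing CA is not trusted: put the AD root CA in TLS_CACERT/TLS_CACERTDIR "
     "instead of setting TLS_REQCERT never."),
    ("bind_required", r"000004DC",
     "Search ran on an unauthenticated connection: bind with -W (or -w) and pass -b <base>."),
]

def diagnose(trace):
    """Return [{finding, advice}, ...] for an ldapsearch -d 1 trace."""
    findings = [{"finding": n, "advice": a} for n, p, a in CHECKS if re.search(p, trace)]
    # A verification error followed by a completed handshake means the error was ignored
    # (TLS_REQCERT never/allow): the session is encrypted but the server is unverified.
    if (any(f["finding"] == "untrusted_server_cert" for f in findings)
            and "SSL_connect:SSLv3 read finished A" in trace):
        findings.append({"finding": "verification_bypassed",
                         "advice": "Handshake completed despite the verification error; "
                                   "set TLS_REQCERT demand once the CA is installed."})
    return findings

def check_uri(uri):
    """Flag a scheme/port mismatch in an -H URI before running ldapsearch at all."""
    parts = urlsplit(uri)
    if parts.scheme == "ldaps" and parts.port in PLAIN_PORTS:
        return "ldaps:// on plaintext port %d; use 3269 or 636" % parts.port
    if parts.scheme == "ldap" and parts.port in LDAPS_PORTS:
        return "ldap:// on LDAPS port %d; use ldaps://" % parts.port
    return None

# Sample traces constructed from the lines quoted in the question (ports 3268 and 3269).
TRACE_3268 = """TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"""
TRACE_3269 = """TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL_connect:SSLv3 read finished A
res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <>"""
```

Run diagnose() on the output of ldapsearch -d 1 2>&1 to get the findings in lifecycle order; check_uri() catches the 3268/3269 mix-up before a connection is even attempted.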