ldapsearch over ssl/tls doesn't work

Qiang Xu · Feb 27, 2012 · Viewed 98.1k times

I am trying to use ldapsearch over ssl/tls connection, but it doesn't work:

ldapsearch -ZZ -d 5 -b "cn=Users,dc=my,dc=server,dc=com" -s sub \
    -D "cn=mydevice,cn=Users,dc=my,dc=server,dc=com" -h my.server.com -p 3269 \
    -w "mypass" -x "(cn=test)"

ldap_create
ldap_url_parse_ext(ldap://my.server.com:3269)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.com:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.199.46.70:3269
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x95ff590 msgid 1
wait4msg ld 0x95ff590 msgid 1 (infinite timeout)
wait4msg continue ld 0x95ff590 msgid 1 all 1
** ld 0x95ff590 Connections:
* host: my.server.com  port: 3269  (default)
refcnt: 2  status: Connected
last used: Mon Feb 27 10:59:43 2012

** ld 0x95ff590 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x95ff590 Response Queue:
Empty
ldap_chkResponseList ld 0x95ff590 msgid 1 all 1
ldap_chkResponseList returns ld 0x95ff590 NULL
ldap_int_select
read1msg: ld 0x95ff590 msgid 1 all 1
ber_get_next
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)

The error message doesn't give enough of a hint on what is wrong. In contrast, a simple bind and search goes well without any problem on port 389.

Any hint?

P.S. Here is my ldap.conf:

TLS_REQCERT demand
TLS_CACERT ./cacert.pem

I have even tried to change TLS_REQCERT to never, but it still doesn't work. :-(

Answer

ixe013 · Nov 27, 2012

First, replace -h my.server.com -p 3269 with -H ldaps://my.server.com:3269 as suggested by @dearlbry.

Then, in /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on my Ubuntu 13.04), disable certificate verification by adding this:

HOST my.server.com
PORT 3269
TLS_REQCERT ALLOW

You can also create a ldaprc file in the current directory with the same content if you don't want to affect the whole system.

This will enable ldapsearch over SSL, but without verification. Follow these steps to add certificate validation to the mix.