Not able to connect to openldap server in ldaps mode - CentOS
0
I have configured my openldap server in ldaps mode. But after configuring I am not able to connect it on 636 port where as I am able to connect on 389 port
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
ldap_result: Can't contact LDAP server (-1)
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
dn: ou=users,dc=india,dc=airwave,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
cn: Sandeep Lade
sn: Lade
objectClass: inetOrgPerson
userPassword:: d2hvcGVl
uid: vlade
dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
Both 389 and 636 are listening
[root@testldap certs]# netstat -an | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN
unix 2 [ ] DGRAM 19389
[root@testldap certs]# netstat -an | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 :::636 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 13636
[root@testldap certs]#
Able to connect to 636 port using openssl connect
[root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1516769274
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@localhost sandeeplade]#
ldap.conf file
[root@testldap certs]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
PORT 636
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
[root@testldap certs]#
slapd.conf file
[root@testldap certs]# cat /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
TLSVerifyClient never
[root@testldap certs]#
certificates are available in /etc/openldap/certs and they are generated using openssl
[root@testldap certs]# cd /etc/openldap/certs/
[root@testldap certs]# ls -lrt
total 96
-r--------. 1 root root 45 Jan 23 21:59 password
-rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
-rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
-rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
-rw-------. 1 ldap ldap 1743 Jan 23 23:57 server.key.pass
-rw-r--r--. 1 root root 1094 Jan 23 23:59 server.csr
-rw-r--r--. 1 root root 4718 Jan 24 00:02 server.crt
-rw-r--r--. 1 root root 1675 Jan 24 00:38 server.key
-rw-r--r--. 1 root root 4537 Jan 24 05:18 cacert.pem
[root@testldap certs]#
ldaps enabled in /etc/sysconfig/ldap
[root@testldap certs]# cat /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@testldap certs]#
I am struggling to get the openldap worked from past two days. Any help is highly appreciated
centos openssl openldap
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
bumped to the homepage by Community♦ 11 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
0
I have configured my openldap server in ldaps mode. But after configuring I am not able to connect it on 636 port where as I am able to connect on 389 port
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
ldap_result: Can't contact LDAP server (-1)
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
dn: ou=users,dc=india,dc=airwave,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
cn: Sandeep Lade
sn: Lade
objectClass: inetOrgPerson
userPassword:: d2hvcGVl
uid: vlade
dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
Both 389 and 636 are listening
[root@testldap certs]# netstat -an | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN
unix 2 [ ] DGRAM 19389
[root@testldap certs]# netstat -an | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 :::636 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 13636
[root@testldap certs]#
Able to connect to 636 port using openssl connect
[root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1516769274
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@localhost sandeeplade]#
ldap.conf file
[root@testldap certs]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
PORT 636
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
[root@testldap certs]#
slapd.conf file
[root@testldap certs]# cat /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
TLSVerifyClient never
[root@testldap certs]#
certificates are available in /etc/openldap/certs and they are generated using openssl
[root@testldap certs]# cd /etc/openldap/certs/
[root@testldap certs]# ls -lrt
total 96
-r--------. 1 root root 45 Jan 23 21:59 password
-rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
-rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
-rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
-rw-------. 1 ldap ldap 1743 Jan 23 23:57 server.key.pass
-rw-r--r--. 1 root root 1094 Jan 23 23:59 server.csr
-rw-r--r--. 1 root root 4718 Jan 24 00:02 server.crt
-rw-r--r--. 1 root root 1675 Jan 24 00:38 server.key
-rw-r--r--. 1 root root 4537 Jan 24 05:18 cacert.pem
[root@testldap certs]#
ldaps enabled in /etc/sysconfig/ldap
[root@testldap certs]# cat /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@testldap certs]#
I am struggling to get the openldap worked from past two days. Any help is highly appreciated
centos openssl openldap
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
bumped to the homepage by Community♦ 11 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
0
0
0
1
I have configured my openldap server in ldaps mode. But after configuring I am not able to connect it on 636 port where as I am able to connect on 389 port
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
ldap_result: Can't contact LDAP server (-1)
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
dn: ou=users,dc=india,dc=airwave,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
cn: Sandeep Lade
sn: Lade
objectClass: inetOrgPerson
userPassword:: d2hvcGVl
uid: vlade
dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
Both 389 and 636 are listening
[root@testldap certs]# netstat -an | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN
unix 2 [ ] DGRAM 19389
[root@testldap certs]# netstat -an | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 :::636 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 13636
[root@testldap certs]#
Able to connect to 636 port using openssl connect
[root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1516769274
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@localhost sandeeplade]#
ldap.conf file
[root@testldap certs]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
PORT 636
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
[root@testldap certs]#
slapd.conf file
[root@testldap certs]# cat /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
TLSVerifyClient never
[root@testldap certs]#
certificates are available in /etc/openldap/certs and they are generated using openssl
[root@testldap certs]# cd /etc/openldap/certs/
[root@testldap certs]# ls -lrt
total 96
-r--------. 1 root root 45 Jan 23 21:59 password
-rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
-rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
-rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
-rw-------. 1 ldap ldap 1743 Jan 23 23:57 server.key.pass
-rw-r--r--. 1 root root 1094 Jan 23 23:59 server.csr
-rw-r--r--. 1 root root 4718 Jan 24 00:02 server.crt
-rw-r--r--. 1 root root 1675 Jan 24 00:38 server.key
-rw-r--r--. 1 root root 4537 Jan 24 05:18 cacert.pem
[root@testldap certs]#
ldaps enabled in /etc/sysconfig/ldap
[root@testldap certs]# cat /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@testldap certs]#
I am struggling to get the openldap worked from past two days. Any help is highly appreciated
centos openssl openldap
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
I have configured my openldap server in ldaps mode. But after configuring I am not able to connect it on 636 port where as I am able to connect on 389 port
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
ldap_result: Can't contact LDAP server (-1)
[root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
dn: ou=users,dc=india,dc=airwave,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
cn: Sandeep Lade
sn: Lade
objectClass: inetOrgPerson
userPassword:: d2hvcGVl
uid: vlade
dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
Both 389 and 636 are listening
[root@testldap certs]# netstat -an | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN
unix 2 [ ] DGRAM 19389
[root@testldap certs]# netstat -an | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 :::636 :::* LISTEN
unix 3 [ ] STREAM CONNECTED 13636
[root@testldap certs]#
Able to connect to 636 port using openssl connect
[root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1516769274
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@localhost sandeeplade]#
ldap.conf file
[root@testldap certs]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
PORT 636
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
[root@testldap certs]#
slapd.conf file
[root@testldap certs]# cat /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
TLSVerifyClient never
[root@testldap certs]#
certificates are available in /etc/openldap/certs and they are generated using openssl
[root@testldap certs]# cd /etc/openldap/certs/
[root@testldap certs]# ls -lrt
total 96
-r--------. 1 root root 45 Jan 23 21:59 password
-rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
-rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
-rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
-rw-------. 1 ldap ldap 1743 Jan 23 23:57 server.key.pass
-rw-r--r--. 1 root root 1094 Jan 23 23:59 server.csr
-rw-r--r--. 1 root root 4718 Jan 24 00:02 server.crt
-rw-r--r--. 1 root root 1675 Jan 24 00:38 server.key
-rw-r--r--. 1 root root 4537 Jan 24 05:18 cacert.pem
[root@testldap certs]#
ldaps enabled in /etc/sysconfig/ldap
[root@testldap certs]# cat /etc/sysconfig/ldap
# Options of slapd (see man slapd)
#SLAPD_OPTIONS=
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""
# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3
# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
[root@testldap certs]#
I am struggling to get the openldap worked from past two days. Any help is highly appreciated
centos openssl openldap
centos openssl openldap
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
asked Jan 25 '18 at 3:44
Sandeep LadeSandeep Lade
1166
1166
bumped to the homepage by Community♦ 11 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
bumped to the homepage by Community♦ 11 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
0
Your ldpasearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work
You need to use the "-H" iso -h and -p.
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
Thanks for your answer .But then even with -H, same error[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#
– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---
– Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its givingVerify return code: 0 (ok)so i believe TLS connection between client and server is OK
– Sandeep Lade
Jan 25 '18 at 11:07
|
show 2 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f419516%2fnot-able-to-connect-to-openldap-server-in-ldaps-mode-centos%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
Your ldpasearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work
You need to use the "-H" iso -h and -p.
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
Thanks for your answer .But then even with -H, same error[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#
– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---
– Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its givingVerify return code: 0 (ok)so i believe TLS connection between client and server is OK
– Sandeep Lade
Jan 25 '18 at 11:07
|
show 2 more comments
0
Your ldpasearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work
You need to use the "-H" iso -h and -p.
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
Thanks for your answer .But then even with -H, same error[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#
– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---
– Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its givingVerify return code: 0 (ok)so i believe TLS connection between client and server is OK
– Sandeep Lade
Jan 25 '18 at 11:07
|
show 2 more comments
0
0
0
Your ldpasearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work
You need to use the "-H" iso -h and -p.
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
Your ldpasearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work
You need to use the "-H" iso -h and -p.
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
answered Jan 25 '18 at 10:04
Gerard H. PilleGerard H. Pille
1,334212
1,334212
Thanks for your answer .But then even with -H, same error[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#
– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---
– Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its givingVerify return code: 0 (ok)so i believe TLS connection between client and server is OK
– Sandeep Lade
Jan 25 '18 at 11:07
|
show 2 more comments
Thanks for your answer .But then even with -H, same error[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#
– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---
– Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its givingVerify return code: 0 (ok)so i believe TLS connection between client and server is OK
– Sandeep Lade
Jan 25 '18 at 11:07
Thanks for your answer .But then even with -H, same error
[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#– Sandeep Lade
Jan 25 '18 at 10:24
Thanks for your answer .But then even with -H, same error
[root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#– Sandeep Lade
Jan 25 '18 at 10:24
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.
– Gerard H. Pille
Jan 25 '18 at 10:37
With FQDN also it works
[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- – Sandeep Lade
Jan 25 '18 at 10:54
With FQDN also it works
[root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- – Sandeep Lade
Jan 25 '18 at 10:54
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
It does say "error". Do you consider this "to work"?
– Gerard H. Pille
Jan 25 '18 at 11:03
But its giving
Verify return code: 0 (ok) so i believe TLS connection between client and server is OK– Sandeep Lade
Jan 25 '18 at 11:07
But its giving
Verify return code: 0 (ok) so i believe TLS connection between client and server is OK– Sandeep Lade
Jan 25 '18 at 11:07
|
show 2 more comments
draft saved
draft discarded
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f419516%2fnot-able-to-connect-to-openldap-server-in-ldaps-mode-centos%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
