Not able to connect to openldap server in ldaps mode - CentOS
I have configured my OpenLDAP server in ldaps mode. But after configuring it I am not able to connect to it on port 636, whereas I am able to connect on port 389:

    [root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 636 -D  cn=Manager,dc=india,dc=airwave,dc=com -w  whopee   -b "ou=Users,dc=india,dc=airwave,dc=com"
    ldap_result: Can't contact LDAP server (-1)
    [root@testldap certs]# ldapsearch -x -LLL -h testldap.india.airwave.com -p 389 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
    dn: ou=users,dc=india,dc=airwave,dc=com
    objectClass: organizationalUnit
    ou: users

    dn: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com
    cn: Sandeep Lade
    sn: Lade
    objectClass: inetOrgPerson
    userPassword:: d2hvcGVl
    uid: vlade

    dn: cn=Engineering,ou=users,dc=india,dc=airwave,dc=com
    cn: Engineering
    objectClass: groupOfNames
    member: cn=Sandeep Lade,ou=users,dc=india,dc=airwave,dc=com

Both 389 and 636 are listening:

    [root@testldap certs]# netstat -an | grep 389
    tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
    tcp 0 0 :::389 :::* LISTEN
    unix 2 [ ] DGRAM 19389
    [root@testldap certs]# netstat -an | grep 636
    tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
    tcp 0 0 :::636 :::* LISTEN
    unix 3 [ ] STREAM CONNECTED 13636
    [root@testldap certs]#

Able to connect to port 636 using openssl connect:

    [root@localhost sandeeplade]# openssl s_client -connect 10.22.156.157:636 -showcerts -CAfile cacert.pem
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 307 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1516769274
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    [root@localhost sandeeplade]#

ldap.conf file:

    [root@testldap certs]# cat /etc/openldap/ldap.conf
    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example,dc=com
    #URI ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never


    PORT 636
    #TLS_CACERTDIR /etc/openldap/certs
    TLS_CACERTDIR /etc/openldap/certs
    TLS_REQCERT allow

    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /etc/openldap/certs/cacert.pem

    [root@testldap certs]#

slapd.conf file:

    [root@testldap certs]# cat /etc/openldap/slapd.conf
    TLSCACertificateFile /etc/openldap/certs/cacert.pem
    TLSCertificateFile /etc/openldap/certs/server.crt
    TLSCertificateKeyFile /etc/openldap/certs/server.key

    # Use the following if client authentication is required
    #TLSVerifyClient demand
    # ... or not desired at all
    TLSVerifyClient never

    [root@testldap certs]#

The certificates are available in /etc/openldap/certs and were generated using openssl:

    [root@testldap certs]# cd /etc/openldap/certs/
    [root@testldap certs]# ls -lrt
    total 96
    -r--------. 1 root root 45 Jan 23 21:59 password
    -rw-r--r--. 1 root root 16384 Jan 23 21:59 secmod.db
    -rw-r--r--. 1 root root 65536 Jan 23 21:59 cert8.db
    -rw-r--r--. 1 root root 16384 Jan 23 21:59 key3.db
    -rw-------. 1 ldap ldap 1743 Jan 23 23:57 server.key.pass
    -rw-r--r--. 1 root root 1094 Jan 23 23:59 server.csr
    -rw-r--r--. 1 root root 4718 Jan 24 00:02 server.crt
    -rw-r--r--. 1 root root 1675 Jan 24 00:38 server.key
    -rw-r--r--. 1 root root 4537 Jan 24 05:18 cacert.pem
    [root@testldap certs]#

ldaps is enabled in /etc/sysconfig/ldap:

    [root@testldap certs]# cat /etc/sysconfig/ldap
    # Options of slapd (see man slapd)
    #SLAPD_OPTIONS=

    # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
    #
    # Run slapd with -h "... ldap:/// ..."
    # yes/no, default: yes
    SLAPD_LDAP=yes

    # Run slapd with -h "... ldapi:/// ..."
    # yes/no, default: yes
    SLAPD_LDAPI=yes

    # Run slapd with -h "... ldaps:/// ..."
    # yes/no, default: no
    SLAPD_LDAPS=yes

    # Run slapd with -h "... $SLAPD_URLS ..."
    # This option could be used instead of previous three ones, but:
    # - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
    # - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
    # example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
    # default: empty
    #SLAPD_URLS=""

    # Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
    #SLAPD_SHUTDOWN_TIMEOUT=3

    # Parameters to ulimit, use to change system limits for slapd
    #SLAPD_ULIMIT_SETTINGS=""
    [root@testldap certs]#

I have been struggling to get OpenLDAP working for the past two days. Any help is highly appreciated.

centos openssl openldap

asked Jan 25 '18 at 3:44 by Sandeep Lade

          1 Answer
Your ldapsearch parameters are wrong for an SSL query. See here: https://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work

You need to use "-H" instead of -h and -p.

• Thanks for your answer. But then even with -H, same error:

        [root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com"
        ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
        [root@testldap ~]#

  – Sandeep Lade, Jan 25 '18 at 10:24

• In your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.

  – Gerard H. Pille, Jan 25 '18 at 10:37

• With FQDN also it works:

        [root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem
        CONNECTED(00000003)
        139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---

  – Sandeep Lade, Jan 25 '18 at 10:54

• It does say "error". Do you consider this "to work"?

  – Gerard H. Pille, Jan 25 '18 at 11:03

• But it's giving "Verify return code: 0 (ok)", so I believe the TLS connection between client and server is OK.

  – Sandeep Lade, Jan 25 '18 at 11:07

answered Jan 25 '18 at 10:04 by Gerard H. Pille
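To separate the three things this thread runs together (a port in LISTEN, openssl s_client printing CONNECTED, and a TLS handshake that actually completes), here is an added Python check; it is not code from the question, the answer or OpenLDAP. It first re-reads the s_client transcript from the question (0 bytes read, write:errno=104, no peer certificate, yet "Verify return code: 0 (ok)") and then runs a live TCP, TLS and anonymous LDAP bind check; the host name, port and CA file path are assumptions taken from the question, and the bind is hand-encoded BER so no LDAP library is needed.

```python
"""Three-stage LDAPS check: TCP accept, TLS handshake, LDAP bind over TLS."""
import re
import socket
import ssl

# Constructed from the s_client transcript in the question: 0 bytes read,
# write:errno=104 (ECONNRESET), no cipher, no peer certificate, and still
# "Verify return code: 0 (ok)" at the end.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""


def classify_s_client(output: str) -> dict:
    """Decide whether an `openssl s_client` transcript shows a completed handshake.

    "Verify return code: 0 (ok)" is printed even when no certificate was ever
    received, so on its own it must not be read as success. A handshake only
    completed if bytes came back, a real cipher was negotiated and a peer
    certificate was presented.
    """
    m = re.search(r"SSL handshake has read (\d+) bytes", output)
    bytes_read = int(m.group(1)) if m else 0
    m = re.search(r"^New, .*Cipher is (.+)$", output, re.M)
    cipher = m.group(1).strip() if m else "(NONE)"
    peer_cert = "no peer certificate available" not in output
    reset = "errno=104" in output or "handshake failure" in output
    handshake_ok = bytes_read > 0 and cipher != "(NONE)" and peer_cert
    if handshake_ok:
        verdict = "TLS handshake completed"
    elif reset or bytes_read == 0:
        verdict = "TCP accepted but TLS handshake failed; ignore 'Verify return code'"
    else:
        verdict = "undetermined"
    return {"bytes_read": bytes_read, "cipher": cipher, "peer_cert": peer_cert,
            "handshake_ok": handshake_ok, "verdict": verdict}


# Anonymous LDAPv3 BindRequest, messageID 1 (RFC 4511), hand-encoded BER:
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, LDAPDN "", simple "" } }
# Any well-formed BindResponse, whatever its resultCode, proves slapd is
# speaking LDAP through the TLS tunnel.
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")


def bind_result_code(resp: bytes):
    """Extract resultCode from a BindResponse (short-form lengths only)."""
    # LDAPMessage SEQUENCE { messageID INTEGER, [APPLICATION 1] BindResponse }
    if len(resp) < 4 or resp[0] != 0x30 or resp[2] != 0x02:
        return None
    i = 4 + resp[3]  # skip the messageID TLV
    if i + 4 >= len(resp) or resp[i] != 0x61 or resp[i + 2] != 0x0A:
        return None
    return resp[i + 4]  # ENUMERATED resultCode value


def ldaps_check(host: str, port: int = 636, cafile: str = "cacert.pem",
                timeout: float = 5.0) -> dict:
    """Return the last stage reached: 'tcp', 'tls' or 'ldap', plus details."""
    result = {"stage": None, "cipher": None, "result_code": None, "error": None}
    try:
        # Verify against the CA that signed server.crt and check the name:
        # connect by the FQDN in the certificate, not by IP address.
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["stage"] = "tcp"  # what netstat LISTEN and CONNECTED prove
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["stage"] = "tls"  # handshake really completed
                result["cipher"] = tls.cipher()[0]
                tls.sendall(ANON_BIND_REQUEST)
                code = bind_result_code(tls.recv(1024))
                if code is not None:
                    result["stage"] = "ldap"
                    result["result_code"] = code
    except OSError as exc:  # covers socket.timeout and ssl.SSLError
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(classify_s_client(SAMPLE_S_CLIENT_OUTPUT)["verdict"])
    print(ldaps_check("testldap.india.airwave.com", cafile="/etc/openldap/certs/cacert.pem"))
```

If `ldaps_check` stops at stage "tcp" with a reset or handshake error, the problem is on the server side of the TLS setup, exactly the case the question's transcript shows.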













          • Thanks for your answer .But then even with -H, same error [root@testldap ~]# ldapsearch -x -LLL -H ldaps://testldap.india.airwave.com:636 -D cn=Manager,dc=india,dc=airwave,dc=com -w whopee -b "ou=Users,dc=india,dc=airwave,dc=com" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@testldap ~]#

            – Sandeep Lade
            Jan 25 '18 at 10:24













          • in your test with openssl, you connected to an IP address, not to testldap.india.airwave.com.

            – Gerard H. Pille
            Jan 25 '18 at 10:37











          • With FQDN also it works [root@localhost sandeeplade]# openssl s_client -connect testldap.india.airwave.com:636 -showcerts -CAfile cacert.pem CONNECTED(00000003) 139989563025344:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent ---

            – Sandeep Lade
            Jan 25 '18 at 10:54











          • It does say "error". Do you consider this "to work"?

            – Gerard H. Pille
            Jan 25 '18 at 11:03











          • But its giving Verify return code: 0 (ok) so i believe TLS connection between client and server is OK

            – Sandeep Lade
            Jan 25 '18 at 11:07









































































































