2

i want to try to connect to a TDS - Server via ldapsearch. First I have downloaded "OpenLDAP" but now with the command:

ldapsearch -H ldaps://myhostadress:636

i always get the following error:

ldap_sasl_interactive_bind_s: Can't contact LDAP serv
additional info: error:14090086:SSL routines:
:certificate verify failed (self signed certificate)

I attached to my command "-d1" for more information and got:

ldap_url_parse_ext(ldaps://xxx:636)
ldap_create
ldap_url_parse_ext(ldaps://xxxx:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxxxx:636
ldap_new_socket: 360
ldap_prepare_socket: 360
ldap_connect_to_host: Trying 9.xxxxxx:636
ldap_pvt_connect: fd: 360 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /O=org/OU=OrgUnit
Germany/CN=xxxxx, issuer: /O=org/OU=OrgUnit
Germany/CN=xxxx
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)

I think that has something to do with the ssl-certificate!? I have read some other threads with similar problems. After that i have asked my administrator for the ssl certificate and got a .pem file with following structure (it's just an extract):

-----BEGIN CERTIFICATE----
mcdp+Kh5Zd3YOttXbjemxIvwfRvPd/Ho4VtBsi5yJT5DSehL4L8ZN
DKaSL6BQ5MlQ1bsmQQ04PKNBrPKFFIiadi9QsFrUiNCQSKDLSKDSK
XbjemxIvwfRvPd/Ho4VtBsi5yJT5DSehL4L8ZNIUWEISNSDJKLSDJ
DKaUiNCXbjemxIvwfRvPdHo4VtBsi5yJT5DSSDKOSOÖDKJLSDJKSD
hL4L8ZNL6BQ5MlQ1bsmQQ04PKNBrPKFFIiadi9QsFrUiNCJKLSADN
.....................................................
.....................................................
-----END CERTIFICATE-----

What do i have to do now? The OpenLDAP folder for the certifcates is 

`C:\OpenLDAP-2.4.43\etc\certs

and the config file in ,

`C:\OpenLDAP-2.4.43\etc\openldap`

I have tried as explained in Performing ldapsearch over TLS/SSL against Active Directory and added to my ldap.conf

HOST hostxyz.com
PORT 636
TLS_CACERT \etc\certs\trustKey.cer     //  C:\OpenLDAP-2.4.43\etc\cert\trustKey.cer   ; .pem file changed into .cer file
TLS_REQCERT demand

and start the call with ldapmodify -H ldaps://hostxyz.com:636 But i always get the error mentioned.

Best Regards

InfoEngi
  • 303
  • 1
  • 10
  • 23
  • Possible duplicate of [ldapsearch over ssl/tls doesn't work](http://stackoverflow.com/questions/9468137/ldapsearch-over-ssl-tls-doesnt-work) – Andrew Henle Sep 16 '16 at 15:53
  • I have tried to adjust it, but it still doesn't work, so i have updated my question. – InfoEngi Sep 19 '16 at 07:52

1 Answers1

2

This work for me!

Add this to the file /etc/openldap/ldap.conf

TLS_REQCERT allow

Then restart the LDAP

systemctl restart slapd
systemctl enable slapd
Manh Duong
  • 21
  • 6