Dear Buchan,
Thanks for helping me.
Here is what I tried and it worked.
During certificate creation, I used an IP address instead of a hostname.
That is why the output of the following command shows an IP address, i.e.
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
Everything worked properly when I tried the following command:
$ ldapsearch -x -H ldaps:// -b "dc=my-domain, dc=com"
However, this is one option.
I don't know why it is failing for the other option, i.e.
1. ldap_init
2. set ldap options
3. start_tls
All this is done in a C program.
The error says "Can't contact LDAP server".

On 1/17/08, Buchan Milne <> wrote:
On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
> Problem Definition:
> I have the following set of files on a linux host where my server is running.
> Again, I am trying the ldapsearch command on the same linux machine.
> Certificate files on Server machine:
> ls -l /etc/openldap/CERTS/
> -rwxrwxrwx    1 root     root         1265 Jan 16 18:04 cacert.pem
> -rwxrwxrwx    1 root     root         3604 Jan 16 18:05 servercrt.pem
> -rwxrwxrwx    1 root     root         1664 Jan 16 18:05 serverkey.pem
> --------------------------------------------------------------
> cat ldap.conf: /etc/openldap/ldap.conf

You can save typing by setting this, or URI, correctly.

> PORT 636

This isn't going to do much for you ^^^. You may rather want to set URI.
Please see the man page ('man ldap.conf').

> TLS_CACERTDIR /etc/openldap/CERTS/
> TLS_CACERT /etc/openldap/CERTS/cacert.pem

I would recommend you use only one of the above two options, to reduce

> TLS_REQCERT demand
> BASE dc=example,dc=com


> TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
> TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem


> database        ldbm

Bad idea ^^^.

> suffix          "dc=my-domain,dc=com"
> rootdn          "cn=Manager,dc=my-domain,dc=com"
> directory       /var/lib/ldap
> index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> index   cn,mail,surname,givenname                       eq,subinitial


> Started ldap server with:
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
> 2. netstat shows that server is listening on port 636
> netstat -antp | grep slapd
> tcp        0      0   *               LISTEN
> 14512/slapd
> When I executed the following command on the same server machine (linux host):
> ldapsearch -ZZ "CERTS/cacert.pem" -h -p 636 -b
> "dc=my-domain,dc=com" -d 127

1) Under your current configuration, this requires that the server has a
certificate with the subject's CN=, or that this IP is in the
subjAltName extension on the certificate. If, instead, there is a hostname as
the CN, then you should use the hostname wherever you want to specify a
connection, and ensure your name resolution takes care of connecting to the
correct IP address.

Please show the output from:

$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem

It should match whatever you use after -h or -H ldaps://

2) You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead use
an ldaps URI (-H ldaps://name.on.cert).

3) "CERTS/cacert.pem" must be removed, you can't specify any certificate
filenames via command-line options.

> It gave error logs as below:
> #ldapsearch -ZZ "CERTS/cacert.pem" -h -p 636 -b
> "dc=my-domain,dc=com" -d 127
> ldap_start_tls: Can't contact LDAP server

This is the correct behaviour ...

> TRIAL 2
> Start server with start_ssl
> 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &


There should be no start_ssl in your commandline. If slapd has been
configured with SSL certificates correctly, starting it up without any
specific options will enable START_TLS.

> Here netstat shows that server is listening on 389 and not 636
> # netstat -antp | grep slapd
> tcp        0      0   *               LISTEN
> 14529/slapd

You can have both in fact ... but listening on 389 does not confirm the
START_TLS is configured correctly.

> When I executed the following command on the same linux host (where the server is
> running)
> 2. #ldapsearch -Z "CERTS/cacert.pem" -h -p 389 -b
> "dc=my-domain,dc=com" -d 5

1) Same issue as above with certificate's subjectDN and hostname etc.
2) Same issue regarding "CERTS/cacert.pem".

> ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
> ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
> ldap_perror
> ldap_sasl_interactive_bind_s: Local error
> [root@tb01-03-dp02 openldap]# ldaps

You forgot -x.