terry.lemons@dell.com wrote:
I've followed the instructions in https://www.openldap.org/doc/admin26/quickstart.html to deploy openldap 2.6.4 on a SLES 15 SP4 system. Once I confirmed that this was working correctly, I moved on to configure TLS, following the instructions in https://www.openldap.org/doc/admin26/tls.html. When I try a connection to the LDAPS port (636), I see the following:
ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636
If you're going to use openssl s_client you also need to tell it which CA and/or server certs to trust. I'd start with using ldapsearch -d -1 instead.
CONNECTED(00000003)
139702302594704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 293 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1683823897
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
The '0 bytes read' keeps bothering me.
Is there a firewall on the machine? Maybe a WAF with knowledge of LDAP? If it were a regular firewall, the connection would not be set up. Things would fail immediately, before the client tries the handshake.
A WAF might allow the connection to succeed, but then filter the response. That might explain the 0 bytes read.
Jeff
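A small triage helper for the symptom discussed in this thread, added here as an example and not written by any of the participants. It assumes openssl(1) is on PATH and that the caller supplies the CA file to trust, as Howard suggests; the transcript classifier itself only needs POSIX sh and grep, and separates "nothing listening" from "TCP opened but the server sent no TLS data" (the 0 bytes read case) and from a certificate verification failure.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an `openssl s_client`
# transcript read on stdin and prints one word describing the outcome.
classify_tls_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'connect:errno|Connection refused'; then
        # TCP connect itself failed: nothing listening, or a plain packet filter
        echo refused
    elif printf '%s\n' "$out" | grep -q 'SSL handshake has read 0 bytes'; then
        # TCP opened, ClientHello went out, but the peer returned nothing:
        # a non-TLS listener on the port, or something in the path dropping
        # the server's reply. Must be checked before the "ok" branch, because
        # s_client still prints "Verify return code: 0 (ok)" in this case.
        echo no-server-data
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' &&
         printf '%s\n' "$out" | grep -q 'Cipher is' &&
         ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        # Handshake completed and the chain verified against the supplied CA
        echo ok
    elif printf '%s\n' "$out" | grep -q 'Verify return code: [1-9]'; then
        # Handshake completed but the server chain is not trusted
        echo verify-failed
    else
        echo unknown
    fi
}

# Run the probe against host:port with an explicit trust anchor and classify it.
# Usage: probe_ldaps ldap.example.test 636 /path/to/ca.pem   (hypothetical values)
probe_ldaps() {
    host=$1; port=${2:-636}; cafile=$3
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 |
        classify_tls_probe
}
```

If the probe reports no-server-data, the next step is Howard's suggestion: run ldapsearch -d -1 against the same port and compare what the client logs with what slapd logs on the server side.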