Hi There,
I am using an ldap server created using unbounded ldap API (Java). And the server is started to support both ldap and ldaps. Sever uses java keystore (.jks) certificates namely 123keystore.jks and 456truststore.jks and some
789server.cer (all these files are protected by some passoword). The server is listening at port # 1636 for all ldaps connections.
I am able to connect to the server using (ldaps) some java ldap clients and able to bind and search successfully. But when I try to connect to the server using openldap client, it is NOT working, getting
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed error.
I get the below error when I try to do the search using ldaps://<ip>:1636
ldapsearch -w 'xxxxxx1234' -H ldaps://xx.xx.xx.xxx:1636 -b "o=person,o=hp" -D "id=xxxx89,o=person,o=hp"
[bea@devcg4sdmbl01 ldapsearch -w 'xxxxxx1234' -H ldaps://xx.xx.xx.xxx:1636 -b "o=person,o=hp" -D "id=xxxx89,o=person,o=hp"
ldap_create
ldap_url_parse_ext(ldaps://x.x.x.x:1636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xx.x.xx.xx:1636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.59.164:1636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=xxx/ST=x/L=xxx/O=xxxx/OU=xxx/CN=xxx,
issuer: /C=xxx/ST=xxx/L=xxxx/O=xxxxx/OU=xxx/CN=xxxxx
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Here is my ldap.conf : located at /etc/openldap/ldap.conf
URI ldaps://x.x.x.x:1636/
BASE o=person,o=hp
HOST <IP>
PORT 1636
#TLS_CACERT /etc/openldap/cacerts/123keystore.jks // server is started using jks certificates for secure connections.. this is not working
TLS_CACERT /etc/openldap/cacerts/789server.cer // This didn’t work
# TLS_CACERT /etc/openldap/cacerts/789server.pem // I converted the cer to pem file.. But even this didn’t work
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT require
What is the correct configuration to make this work? Can I use the jks certificates in openldap client to connect to server which is using jks for ldaps connections? What is missing here? Pls help fix this issue.
Same openldap client works fine for non-secure and simple authentication ldap connections. The problem is only when I try to use ldaps from the client.
Thanks in advance. Let me know if you need more info.
Regards,
Sridhar Sontha