Hi - I'm using osixia/openldap docker container.
I've created self signed client and server certs.
I'm receiving the following error when trying to perform ldapsearch from the Arch Linux docker host. Here is a summary of the error:
# ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d
ldap_url_parse_ext(ldaps://127.0.0.1:636)
ldap_create
ldap_url_parse_ext(ldaps://127.0.0.1:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=CH/O=domain.com/CN=openldap/emailAddress=user@domain.com, issuer: /C=US/ST=IL/L=CH/O=domain.com/CN=Docker OpenLDAP CA/emailAddress=user@domain.com
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:error in SSLv3/TLS write finished
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The server logs the error as the following:
f7a7260 conn=1007 fd=12 ACCEPT from IP=172.18.0.1:34350 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
5f7a7260 conn=1007 fd=12 closed (TLS negotiation failure)
This error only occurs if on the server I use the following server setting: LDAP_TLS_VERIFY_CLIENT=try
Is this possibly a permissions issue? I've verified the chain of trust for the client certificate upon creation. Both client and server certificates were signed with the same user-created CA.
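A client-side check for the situation described in the post, added here as an example and not part of the original question or the osixia image: with LDAP_TLS_VERIFY_CLIENT=try, slapd reports "No certificate was found" when the client answers the certificate request without a certificate, which happens when the files are unreadable by the user running ldapsearch, when the key does not belong to the cert, or when ldap.conf/.ldaprc has no TLS_CERT/TLS_KEY at all. It assumes openssl is installed and that the certificate, key and CA file paths are passed as arguments (names are placeholders).

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Checks the three client-side
# conditions that leave libldap with nothing to send when slapd asks for a
# client certificate. Assumes openssl is on PATH; file paths are arguments.

# check_client_identity CERT KEY CA
#   returns 0 when CERT chains to CA and KEY matches CERT, 1 otherwise
check_client_identity() {
  cert="$1"; key="$2"; ca="$3"
  # 1. ldapsearch runs as the invoking user, so all three files must be readable by it
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "unreadable: $f (check owner and mode)"; return 1; }
  done
  # 2. the client cert must validate against the same CA the server trusts
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "client cert does not chain to $ca"; return 1; }
  # 3. the private key must belong to the certificate; compare their public keys
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key $key does not match $cert"; return 1; }
  return 0
}

# ldaprc_snippet CERT KEY CA
#   prints the settings ldapsearch reads from ~/.ldaprc or ldap.conf; without
#   TLS_CERT and TLS_KEY the client sends an empty certificate list.
ldaprc_snippet() {
  printf 'TLS_CACERT %s\nTLS_CERT %s\nTLS_KEY %s\nTLS_REQCERT demand\n' "$3" "$1" "$2"
}

# usage: check_client_identity client.pem client.key ca.pem && ldaprc_snippet client.pem client.key ca.pem
```

If all three checks pass and the server still logs "No certificate was found", compare the CA file the container was started with against the one used to sign the client certificate.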