Hi,
I am using OpenLDAP as a client to connect to a 3rd party Oracle Internet Directory 10g.
After recent updates, I have been unable to successfully bind with the LDAP server. I believe this is an error with the SSL handshake because the following command will not negotiate an SSL protocol:
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
When I attempt to connect to the server using ldapsearch, I receive the following:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W
ldap_url_parse_ext(ldaps://HOST:636)
ldap_create
ldap_url_parse_ext(ldaps://HOST:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP HOST:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying HOST_IP:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11 error..
TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
Is there a way, either through the ldap.conf, an environment variable, or through the API, to ignore the TLS portion of the handshake? Am I mistaken and something else is wrong here?
Regards, Jon
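The -no_tls1 experiment in the post above narrows the failure down to one protocol version by hand. The script below is an added example, not code from the original poster or from the OpenLDAP project: it repeats that experiment once per protocol flag and reports which versions the server will negotiate, so the server-side result can be separated from the client-side NSS errors seen in the ldapsearch trace. It assumes an openssl binary whose s_client accepts the -ssl3, -tls1, -tls1_1 and -tls1_2 flags (older builds lack the last two, and those probes then simply report "fail"); the host and port are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post: probe which SSL/TLS protocol
# versions a server accepts, one "openssl s_client" handshake per flag.
# Assumption: the local openssl understands -ssl3/-tls1/-tls1_1/-tls1_2.

# handshake_result: classify the captured output of one s_client run.
# Prints "ok <protocol> <cipher>" when a session was negotiated (the
# SSL-Session block names a real cipher), "fail" when the Cipher field is
# missing, 0000 or (NONE), which is what a refused protocol version looks like.
handshake_result() {
    out="$1"
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)")
            echo "fail"
            return 1
            ;;
    esac
    echo "ok $proto $cipher"
    return 0
}

# probe_tls_versions HOST [PORT]: run one handshake per protocol flag and
# print a line per version. Needs network access to HOST; port defaults to
# 636 (ldaps). The "echo |" closes s_client's stdin so it exits after the
# handshake instead of waiting for input.
probe_tls_versions() {
    host="$1"
    port="${2:-636}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(echo | openssl s_client -connect "$host:$port" $flag 2>&1)
        printf '%-8s %s\n' "$flag" "$(handshake_result "$out")"
    done
}

# Usage (placeholder host):
#   probe_tls_versions ldap.example.com 636
```

A version that reports "fail" for -tls1 but "ok" for -ssl3 matches the s_client behaviour described in the post; a "fail" on every line points at the client build or the path to the server rather than at protocol negotiation.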