Re: ldapsearch over SSL can not bind
Dieter Klünter wrote:
Am Mon, 2 Nov 2015 17:28:06 +0100
schrieb Matthias Apitz <guru(a)unixarea.de>:
>
> Hello,
>
> I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
> with the following command:
>
> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
[...]
Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z.
No, that's not the problem. Note that with a single -Z, ldapsearch will
proceed even if the server doesn't support startTLS.
The problem here is that he hasn't configured the local LDAP clients to trust
the remote server's certificates.
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni'
-D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (self signed certificate in certificate chain)
The error message is quite explicit - "certificate verify failed" - this
obviously means that it started a TLS handshake, which obviously makes your
focus on -Z completely off base.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/