Hi All,

I am trying to debug an issue with the Chef-manage WebUI authenticating users via LDAP. Authentication was working fine, but after upgrading the LDAP server to the latest version of the OS we are getting authentication failures. Below are the errors showing in the log:

Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14)
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14): got connid=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): checking for input on id=1003
Jul 13 20:26:52 ldap.local slapd[18572]: op tag 0x77, time 1657744012
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 do_extended
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 13 20:26:52 ldap.local slapd[18572]: do_extended: oid=1.3.6.1.4.1.1466.20037
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 STARTTLS
Jul 13 20:26:52 ldap.local slapd[18572]: send_ldap_extended: err=0 oid= len=0
Jul 13 20:26:52 ldap.local slapd[18572]: send_ldap_response: msgid=0 tag=120 err=0
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 op=0 RESULT oid= err=0 text=
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on:
Jul 13 20:26:52 ldap.local slapd[18572]:
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on:
Jul 13 20:26:52 ldap.local slapd[18572]:  14r
Jul 13 20:26:52 ldap.local slapd[18572]:
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: read active on 14
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14)
Jul 13 20:26:52 ldap.local slapd[18572]: connection_get(14): got connid=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): checking for input on id=1003
Jul 13 20:26:52 ldap.local slapd[18572]: connection_read(14): TLS accept failure error=-1 id=1003, closing
Jul 13 20:26:52 ldap.local slapd[18572]: connection_closing: readying conn=1003 sd=14 for close
Jul 13 20:26:52 ldap.local slapd[18572]: connection_close: conn=1003 sd=14
Jul 13 20:26:52 ldap.local slapd[18572]: =>ldap_back_conn_destroy: fetching conn 1003
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: removing 14
Jul 13 20:26:52 ldap.local slapd[18572]: conn=1003 fd=14 closed (TLS negotiation failure)
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on 1 descriptor
Jul 13 20:26:52 ldap.local slapd[18572]: daemon: activity on::

We are not seeing the error when connecting to the OpenLDAP servers using OpenSSL or LDAP client tools. How can we debug further to see why the server was not able to complete the TLS negotiation?

Package versions are:

openldap-2.4.44-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
kernel-3.10.0-1160.66.1.el7.x86_64

Regards,
Aravind M D
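An added diagnostic, not from the original post or from Chef, that does what the slapd log shows the client doing, assuming only the Python 3 standard library and a reachable test host (ldap.local:389 is a placeholder): it sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037, tag 0x77), checks the extendedResponse (tag 120), then attempts the handshake pinned to one TLS version at a time, so that a "TLS accept failure" can be narrowed to the protocol versions the upgraded server still accepts versus the ones the client offers.

```python
import socket
import ssl
# StartTLS extended-operation OID, exactly as it appears in the slapd log above.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] = tag 0x77 (slapd's 'op tag 0x77') }."""
    req_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + bytes([len(req_name)]) + req_name
    body = b"\x02\x01" + bytes([msg_id]) + ext_req                   # INTEGER messageID first
    return b"\x30" + bytes([len(body)]) + body                       # outer SEQUENCE, short-form lengths

def parse_result_code(resp):
    """Return resultCode from an ExtendedResponse ([APPLICATION 24] = tag 0x78, slapd's 'tag=120')."""
    if len(resp) < 9 or resp[0] != 0x30 or resp[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    i = 4 + resp[3]                     # skip the messageID INTEGER
    if resp[i] != 0x78:
        raise ValueError("not an ExtendedResponse")
    if resp[i + 2] != 0x0A:             # resultCode is an ENUMERATED
        raise ValueError("resultCode missing")
    n = resp[i + 3]
    return int.from_bytes(resp[i + 4:i + 4 + n], "big")

def probe_starttls(host, port, min_version, max_version, timeout=5):
    """Send StartTLS, then try the handshake limited to [min_version, max_version]; returns (resultCode, outcome)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # diagnosing the handshake against our own server,
    ctx.verify_mode = ssl.CERT_NONE     # so certificate trust is deliberately out of scope here
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            return code, "server refused StartTLS"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return 0, tls.version()
        except ssl.SSLError as e:
            return 0, "handshake failed: %s" % e.reason

if __name__ == "__main__":
    HOST, PORT = "ldap.local", 389      # placeholder: point at the upgraded OpenLDAP server
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            print(v.name, probe_starttls(HOST, PORT, v, v))
        except (OSError, ValueError) as e:  # local OpenSSL may refuse to enable that version
            print(v.name, "probe error:", e)
```

A version that the local OpenSSL accepts but the server answers with "handshake failed" is the one to compare against what the Chef-manage client offers; tcpdump of the ClientHello on port 389 will show that directly.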