Thanks Erwann. But I am running ldapsearch with rootdn from the LDAP server only. Configured the certs file path in the config file of LDAP.

It was working fine for the past 1 week; not sure what changes made it stop working today. Tried reloading the ask certs again and reloaded the config file from slapd.conf, but the issue still exists.

Please suggest what could have caused this and how to fix it. Thanks again.

Regards
Sam

Sent from my iPhone

On 11 Mar 2014, at 10:10 pm, Erwann Abalea <eabalea@gmail.com> wrote:

TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing

Self-descriptive, I think. Your client doesn't know (trust) the root CA under which your server is certified. Therefore it can't assert that it's connecting to the genuine server, and prefers to abort the connection.

2014-03-11 14:23 GMT+01:00 Saurabh Ohri <sam_ohri@yahoo.co.in>:
Please help me, what could cause this?

Thanks a ton everyone

Sent from my iPhone

On 11 Mar 2014, at 5:11 pm, saurabh ohri <sam_ohri@yahoo.co.in> wrote:

Hi All,

My ldapsearch and other things were working perfectly fine, but not sure what happened now. Seems some SSL issue. When I am doing ldapsearch I am getting the below error.

[root@xxx-xxx-xxx etc]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /usr/local/openldap/dit.ldif -H ldaps://xxx-xxx-xxx.example.com
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Logs error:

TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee  11r531ecbee
531ecbee daemon: read active on 11
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee connection_get(11)
531ecbee connection_get(11): got connid=1000
531ecbee connection_read(11): checking for input on id=1000
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 30                                              .0
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
531ecbee connection_closing: readying conn=1000 sd=11 for close
531ecbee connection_close: conn=1000 sd=11
531ecbee daemon: removing 11
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
Please suggest.

Regards
Sam



--
Erwann.
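Decoding the record bytes that slapd dumped in the log above, as an added example (my own code, not anything from the thread or from OpenLDAP): the two `tls_read` dump lines are reproduced from the log as constructed input, and the alert they carry is parsed with the RFC 5246 alert codes; the option name TLS_CACERT is the standard OpenLDAP client setting in ldap.conf.

```python
# Added example, not code from the thread or from OpenLDAP: decode the TLS alert
# record that slapd's tls_read hex dump shows ("15 03 01 00 02" then "02 30").
import re
from dataclasses import dataclass
ALERT_CONTENT_TYPE = 0x15  # TLS record content type 21 = alert
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {     # subset of RFC 5246 AlertDescription values
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
}
# Hex column of an OpenLDAP dump line, e.g. "  0000:  15 03 01 00 02   ....."
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s)+)")
# Constructed input: the two tls_read dumps from the slapd log in this thread;
# together they form one 7-byte record (5-byte header + 2-byte alert body).
SLAPD_DUMP = """\
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 30                                              .0
"""

@dataclass
class TlsAlert:
    version: str      # e.g. "TLS 1.0" (record version 3.1)
    level: str        # "warning" or "fatal"
    description: str  # e.g. "unknown_ca"

def extract_record(dump_text: str) -> bytes:
    """Concatenate the hex columns of every dump line into raw record bytes."""
    hexes = [m.group(1) for m in map(HEX_LINE.match, dump_text.splitlines()) if m]
    return bytes.fromhex("".join(hexes))

def parse_tls_alert(record: bytes) -> TlsAlert:
    """Parse a plaintext TLS alert record; reject anything that is not one."""
    if len(record) < 7 or record[0] != ALERT_CONTENT_TYPE:
        raise ValueError("not a complete TLS alert record")
    major, minor, length = record[1], record[2], int.from_bytes(record[3:5], "big")
    if length != 2:
        raise ValueError("alert body must be 2 bytes, header says %d" % length)
    version = "TLS 1.%d" % (minor - 1) if (major, minor) >= (3, 1) else "SSL %d.%d" % (major, minor)
    level, desc = record[5], record[6]
    return TlsAlert(version, ALERT_LEVELS.get(level, "unknown(%d)" % level),
                    ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))

def diagnose(alert: TlsAlert) -> str:
    """A tls_read dump is data slapd *received*, so this alert was sent by the client."""
    if alert.description == "unknown_ca":
        return "client does not trust the server's CA; check TLS_CACERT in the client's ldap.conf"
    return "%s alert: %s" % (alert.level, alert.description)
```

The same diagnosis can be confirmed from the client side with `openssl s_client -connect host:636 -CAfile <the TLS_CACERT file>`, whose "Verify return code" shows whether that CA file actually chains to the server certificate.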