Hi Howard
Thanks very much for the reply and the suggestion. Here is the output of an ldapsearch command that completes successfully when I omit '-H ldaps://ldpdd042.hop.lab.emc.com:636':
ldpdd042:~ # ldapsearch -d -1 -x -b 'dc=example,dc=com' '(objectclass=*)' -H ldaps://ldpdd042.hop.lab.emc.com:636
ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldpdd042.hop.lab.emc.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.247.229.42:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=334, written=334
  0000:  16 03 01 01 49 01 00 01 45 03 03 a2 85 24 0b ee  ....I...E....$..
  0010:  8f 28 13 34 a4 e5 6a c3 48 50 69 d7 81 72 96 02  .(.4..j.HPi..r..
  0020:  7b 56 46 6a ec d0 f3 64 71 35 b2 20 fd 17 70 c9  {VFj...dq5. ..p.
  0030:  15 23 3d 7c 31 66 99 84 f3 92 4b c7 a9 ab e2 f8  .#=|1f....K.....
  0040:  5b b3 42 44 7e 91 f5 4b 9a 5b c9 b1 00 46 13 02  [.BD~..K.[...F..
  0050:  13 03 13 01 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b  .....,.0.......+
  0060:  c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13  ./...#.'........
  0070:  00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f  .........=.<.5./
  0080:  00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39  ...........k.g.9
  0090:  00 33 00 ff 01 00 00 b6 00 00 00 1d 00 1b 00 00  .3..............
  00a0:  18 6c 64 70 64 64 30 34 32 2e 68 6f 70 2e 6c 61  .ldpdd042.hop.la
  00b0:  62 2e 65 6d 63 2e 63 6f 6d 00 0b 00 04 03 00 01  b.emc.com.......
  00c0:  02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00  ................
  00d0:  18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d 00  ..#.............
  00e0:  30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08  0...............
  00f0:  0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03  ................
  0100:  03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06  ................
  0110:  02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 2d  ..+............-
  0120:  00 02 01 01 00 33 00 26 00 24 00 1d 00 20 49 ea  .....3.&.$... I.
  0130:  8c 2a c7 1e 18 82 13 d1 46 3d 46 b0 b7 2b bd b2  .*......F=F..+..
  0140:  6e 13 ec ab c5 fa 25 4d 4f cc 58 77 78 69        n.....%MO.Xwxi
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldpdd042:~ #
Here's what was written to /var/log/messages:
2023-05-11T16:04:32.584581-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 ACCEPT from IP=10.247.229.42:47346 (IP=0.0.0.0:636)
2023-05-11T16:04:32.594205-04:00 ldpdd042 slapd[21376]: connection_get(12)
2023-05-11T16:04:32.594295-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 closed (TLS negotiation failure)
I'm using a self-signed server certificate, so no CA should be involved. Not sure if that is causing the problem?
Thanks!
tl