I setup LDAPS (yes, will be switching to ldap + StartTLS) and ran into something odd and I'm really just looking for a bit of context. Everything is working correctly and I'm able to authenticate clients to the ldap server, however when I run the following ldapsearch I get an error:
jschaeffer@zipmaster07:~$ ldapsearch -LLL -v -D cn=admin,dc=harmonywave,dc=com -W -H ldaps://baneling -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
ldap_initialize( ldaps://baneling:636/??base )
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And from the debug output:
531c7c0a ber_get_next on fd 12 failed errno=0 (Success)
531c7c0a conn=1000 op=1 do_unbind
531c7c0a connection_close: conn=1000 sd=12
531c7c18 slap_listener_activate(6):
531c7c18 >>> slap_listener(ldaps:///)
531c7c18 connection_get(12): got connid=1001
531c7c18 connection_read(12): checking for input on id=1001
531c7c18 connection_get(12): got connid=1001
531c7c18 connection_read(12): checking for input on id=1001
531c7c18 connection_read(12): unable to get TLS client DN, error=49 id=1001
531c7c18 connection_get(12): got connid=1001
531c7c18 connection_read(12): checking for input on id=1001
ber_get_next
531c7c18 ber_get_next on fd 12 failed errno=0 (Success)
531c7c18 connection_close: conn=1001 sd=12
If I use the FQDN for the URI then everything works fine and I get results. I know DNS is working correctly, I can ping the server name and it returns the FQDN and reverse DNS resolution also works. The hostname and hostname -f commands work correctly on both client and server.
Was it never intended for ldap commands to resolve server names to their FQDN? I'm also assuming that ldap + StartTLS would show the same behavior.
Joshua Schaeffer wrote:
when I run the following ldapsearch I get an error:
jschaeffer@zipmaster07:~$ ldapsearch -LLL -v -D cn=admin,dc=harmonywave,dc=com -W -H ldaps://baneling -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
ldap_initialize( ldaps://baneling:636/??base )
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If I use the FQDN for the URI then everything works fine and I get results.
That's because of the TLS hostname check which checks against the server's certificate.
=> always use FQDN with TLS
Ciao, Michael.
openldap-technical@openldap.org
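The hostname check Michael refers to is performed by the TLS library on the client side, not by slapd: the host part of the ldaps:// URI, exactly as typed, is compared against the DNS names the server certificate was issued for, and a bare short name such as "baneling" is a different name from "baneling.harmonywave.com" no matter what the resolver would expand it to. The script below is an added example (not code from the thread or from the OpenLDAP project) that models that comparison in Python. The certificate is a constructed dict in the layout ssl.SSLSocket.getpeercert() returns, and the FQDN baneling.harmonywave.com is an assumption built from the hostname and base DN in the thread; it also covers the general wildcard rule, which the thread does not discuss.

```python
"""Model of the TLS hostname check a libldap client applies to an ldaps:// URI.

Added example, not OpenLDAP code.  SAMPLE_PEERCERT is constructed; the FQDN
baneling.harmonywave.com is assumed from the hostname and base DN in the thread.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed peer certificate in the dict layout ssl.SSLSocket.getpeercert()
# returns; only the fields the hostname check looks at are present.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "baneling.harmonywave.com"),),),
    "subjectAltName": (
        ("DNS", "baneling.harmonywave.com"),
        ("DNS", "*.ldap.harmonywave.com"),
    ),
}


def san_dns_names(peercert):
    """Return the dNSName entries of subjectAltName, which verifiers check first."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate name against the URI host.

    Case-insensitive; a wildcard is honoured only as the entire left-most label,
    never matches across a dot, and must leave at least two labels to its right
    (so "*.com" is rejected).  Partial wildcards such as "f*.example" are treated
    as literal names here.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False
    # Label counts must agree: a short name never equals a multi-label FQDN.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3
    return p_labels[0] == h_labels[0]


def hostname_matches_cert(hostname, peercert):
    """True if the host from the URI matches a SAN dNSName.

    Falls back to the subject commonName only when the certificate carries no
    subjectAltName at all.  IP literals would need an iPAddress SAN and are
    reported as non-matching here.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    names = san_dns_names(peercert)
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(name, hostname) for name in names)


def check_ldap_uri(uri, peercert):
    """Apply the check to the host part of an ldap(s):// URI exactly as typed."""
    host = urlsplit(uri).hostname
    if host is None:
        return False
    return hostname_matches_cert(host, peercert)


if __name__ == "__main__":
    for uri in ("ldaps://baneling", "ldaps://baneling.harmonywave.com:636"):
        verdict = "matches" if check_ldap_uri(uri, SAMPLE_PEERCERT) else "does NOT match"
        print(f"{uri}: URI host {verdict} the server certificate")
```

Running it reports the short-name URI as non-matching and the FQDN URI as matching, which is the behaviour seen in the ldapsearch runs above. The OpenLDAP client enforces this whenever TLS_REQCERT in ldap.conf is at its default of demand; the right response to the error is to use a URI host that appears in the certificate, as the reply says, not to relax TLS_REQCERT, since that would also silence a genuine certificate mismatch.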