Hi
In the LDAP server (localhost), I execute the below command, and it is ok.
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
But in another Linux system it is not ok; below is the error info:
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The LDAP server is CentOS 5.8 64-bit OS; the iptables service is in the closed state. What is the cause?
Do you have any suggestions? Thanks.
Tian Zhiying
Is there a firewall between the two systems? That port could be blocked. Try doing a telnet to that IP on port 636.
telnet 192.168.1.10 636
Eric
Hi Espeake
Thanks for your quick reply. There is no firewall between the two systems. Telnet to 192.168.0.10 is ok, as follows:
--------------------------------------------
# telnet 192.168.0.10 636
Trying 192.168.0.10...
Connected to localhost (192.168.0.10).
Escape character is '^]'.
quit
Connection closed by foreign host.
Actually, the LDAP server is used by other systems, including mediawiki/redmine/gerrit..., and now these systems are unable to use LDAPS certification. So, I use the ldapsearch method to test it.
Tian Zhiying
From: espeake Date: 2013-09-26 18:42 To: tianzy1225 CC: openldap-technical; openldap-technical-bounces Subject: Re: Other system use port 636 connect LDAP Server Error
On Thu, 26 Sep 2013, Tian Zhiying wrote:
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The ldapsearch(1) client on that host is unable to verify the certificate presented. See the ldap.conf(5) man page, focusing on the directives TLS_CA*.
Trying something like:
openssl s_client -connect 192.168.1.10:636 -CAfile /dev/null
and experimenting with appropriate values for "/dev/null" may be helpful.
--On Thursday, September 26, 2013 4:35 PM +0800 Tian Zhiying tianzy1225@thundersoft.com wrote:
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
LDAP Server is Centos 5.8 64 OS, iptables serverice is closed state. What is the cause?
The problem is a lack of understanding how SSL/TLS works. You requested a secure connection, you must use the hostname, not the IP address.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra Software, LLC -------------------- Zimbra :: the leader in open source messaging and collaboration
On Thu, Sep 26, 2013 at 08:33:56AM -0700, Quanah Gibson-Mount wrote:
The problem is a lack of understanding how SSL/TLS works. You requested a secure connection, you must use the hostname, not the IP address.
You can use an IP address, if that IP address is in the SAN (Subject Alternate Name) list of the certificate.
http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name...
'Verify' usually refers to the signer of the certificate not being trusted. 'Validation' usually refers to the date range of the certificate being correct.
http://www.openssl.org/docs/apps/verify.html
Mind you, this is me leveraging OpenSSL's vocabulary. There are other SSL providers that may be in play.
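The thread names two distinct reasons an ldaps:// client rejects a server certificate: the signer is not in the client's trust store (the TLS_CA* advice and the openssl s_client check above) and the URI names the server by an IP address that is not in the certificate's SAN list (the hostname-vs-IP exchange just above). The following Python diagnostic, added here as an example and not code from the thread or from OpenLDAP, separates the two cases; san_matches and ldaps_probe are hypothetical names, and the cafile argument plays the role of TLS_CACERT in ldap.conf.

```python
import ipaddress
import socket
import ssl

def san_matches(cert, target):
    """True if target (DNS name or IP literal) is covered by the certificate's
    subjectAltName, given in the dict layout ssl.getpeercert() returns.
    An IP literal must equal an 'IP Address' entry; a DNS name must equal a
    'DNS' entry, with a single leading wildcard label allowed."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # ldaps://192.168.1.10 only verifies if the IP is in the SAN list
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    host = target.lower().rstrip(".")
    for kind, val in sans:
        if kind != "DNS":
            continue
        pat = val.lower().rstrip(".")
        if pat == host:
            return True
        if (pat.startswith("*.") and host.count(".") == pat.count(".")
                and host.endswith(pat[1:])):
            return True
    return False

def ldaps_probe(host, port=636, cafile=None, timeout=5):
    """Open a TLS connection the way an ldaps:// client does and classify it.
    cafile plays the role of TLS_CACERT in ldap.conf (None = system CAs).
    Returns 'ok', 'verify-failed' (untrusted signer: the error in the thread),
    'name-mismatch' (host not in the SAN: the IP-vs-hostname problem) or
    'connect-failed' (no TCP/TLS session at all: firewall, wrong port)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check is done by san_matches() below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "verify-failed"
    except (OSError, ssl.SSLError):
        return "connect-failed"
    return "ok" if san_matches(cert, host) else "name-mismatch"
```

Run ldaps_probe("192.168.1.10", cafile="/path/to/ca.pem") from the failing host: 'verify-failed' means the CA file needs fixing, 'name-mismatch' means the URI should use the hostname (or the certificate needs the IP in its SAN).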
--On Thursday, September 26, 2013 1:33 PM -0400 Brian Reichert reichert@numachi.com wrote:
You can use an IP address, if that IP address is in the SAN (Subject Alternate Name) list of the certificate.
True. I don't think I've actually seen anyone do it though. ;)
--Quanah
On Thu, Sep 26, 2013 at 10:54:00AM -0700, Quanah Gibson-Mount wrote:
True. I don't think I've actually seen anyone do it though. ;)
Regrettably, I have to support it. :/
And CAs are inconsistent in their treatment of the data in the CSR, and some SSL client stacks (*cough, MS*) don't adhere to the standards, however nascent.