Hi all,
I have managed to install OpenLdap 2.4 on a RHEL 5.2 workstation. The basic openldap without TLS/SSL works fine. On the server itself and from the client I was able to do ldapsearch. However, after I created a server.pem by going through this: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centr... (Ch31: Centralized Logins Using LDAP and RADIUS - Linux Home Networking), ldapsearch on the ldap server itself does not work anymore. The summary of the configuration is as below:
server.pem is created in /usr/local/etc/openldap/cacerts and client.pem is in /etc/openldap/cacerts. client.pem is also moved to clients and ldapsearch works fine from client workstation. However, in the ldap server itself it does not. The output of /etc/ldap.conf looks like below:

uri ldaps://syna-ldap-02.synamatix.com/
tls_cacertdir /etc/openldap/cacerts
pam_password md5
My /usr/local/etc/openldap/slapd.conf TLS portion looks like below:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateFile /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/server.pem
TLSVerifyClient allow
The error from ldapsearch -x -H ldaps://syna-ldap-02.synamatix.com -d127 in the server itself is as below:

TLS ceritficate verification: depth: 0, err: 18, subject: /C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN= syna-ldap-02.synamatix.com/emailAddress=seauyeen@mgrc.com.my, issuer: /C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN= syna-ldap-02.synamatix.com/emailAddress=seauyeen@mgrc.com.my
TLS certificate verification: Error, self signed certificate
tls_write: want=7, write=7
0000: 15 03 01 00 02 02 30
TLS trace: SSL3 alert write:fata:unknown CA
TLS trace: SSL connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On the server end, as I started with debug mode, I get the errors below:

TLS trace: SSL3 alert read: fatal: unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: erro: 14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(13): TLS accept failure error=-1 id=1010,closing
.....

Why is it that ldapsearch from the client workstation works fine but not on the ldap server itself? It is so baffling. It is fine without TLS activated. I have been working on this for 1 week! The information online does not seem to cater to this weird incident of mine.
Hope to receive some assistance really soon. If you need files and attachments, please inform me. Thanks and Happy new year guys!!!!
openldap-technical@openldap.org
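Added example, not from the original post and not part of OpenLDAP: a small POSIX shell check for the situation above, namely whether the CA certificate the client needs is actually discoverable under the tls_cacertdir directory (OpenSSL-based clients look for a <subject-hash>.N file there, as c_rehash creates, not for an arbitrary client.pem) and whether the server certificate then verifies against that directory. The function names, argument layout and the assumption that openssl is installed are mine.

```shell
# Print the subject-name hash that OpenSSL uses to find a CA in a CApath dir.
ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Return 0 if the CA in $1 is reachable from the cacert directory $2
# (a <hash>.N entry exists), 1 otherwise. This is the lookup that fails
# behind "err: 18 ... self signed certificate" / "unknown CA".
ca_in_dir() {
    ca="$1"; dir="$2"
    h=$(ca_hash "$ca") || return 1
    for link in "$dir/$h".[0-9]*; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# Install the CA into the directory under its hashed name, as c_rehash would.
install_ca() {
    ca="$1"; dir="$2"
    h=$(ca_hash "$ca") || return 1
    mkdir -p "$dir"
    cp "$ca" "$dir/$h.0"
}

# Verify the server certificate $1 against the cacert directory $2, which is
# what the client library does before it can bind; 0 means the chain verifies.
verify_server_cert() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Running verify_server_cert with the directory the client's ldap.conf points at reproduces the client-side failure without slapd in the loop, and install_ca shows the fix on a scratch directory.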