Hi
I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both ports 389 and 636. I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.
ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected
When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'
I get the following error
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
Any help will be appreciated.
This is my slapd.conf file
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH
TLSCertificateFile /etc/pki/tls/certs/slapdcert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapdkey.pem
TLSVerifyClient never
database bdb
suffix "dc=flamengro,dc=co,dc=za"
checkpoint 1024 15
rootdn "cn=Manager,dc=flamengro,dc=co,dc=za"
rootpw secret
directory /var/lib/ldap/flamengro
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
database monitor
# allow only rootdn to read the monitor
access to * by dn.exact="cn=Manager,dc=flamengro,dc=co,dc=za" read by * none
access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
On 01/29/13 10:22 +0200, Chris wrote:
> I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both ports 389 and 636. I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.
>
> ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
> failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected
I don't understand why you are receiving this error while starting slapd. Where are you seeing this error?
What command line options are you starting slapd with?
> When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'
> I get the following error
>
> TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> ldap_err2string
> ldap_start_tls: Connect error (-11)
>         additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
You have a certificate trust issue. In your above command, you are not specifying a hostname, which means that you're apparently using the hostname specified in your ldap.conf. Verify that's actually a hostname, and not an IP address. Check that the hostname matches the contents of your certificate, and that the certificate's signer is trusted by your moznss library (on your client).
On 01/29/2013 01:22 AM, Chris wrote:
> Hi
> I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both ports 389 and 636. I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.
>
> ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://ldapserver")
> failed to bind to LDAP server ldap://ldapserver: Can't contact LDAP server: Transport endpoint is not connected
>
> When I do a ldapsearch -x -d1 -Z -b 'dc=flamengro,dc=co,dc=za'
> I get the following error
>
> TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
> TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> ldap_err2string
> ldap_start_tls: Connect error (-11)
>         additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
"Peer's certificate issuer has been marked as not trusted by the user" - this means the issuer (the CA) that issued the certificate of the server (the peer) is not trusted by the user (the ldapsearch client). This usually means you have not told ldapsearch (via ldap.conf or .ldaprc) about the CA cert of the CA that issued the server cert.
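The two replies above come down to the same client-side checks: the first says to confirm the URI carries a hostname (not an IP) that matches the server certificate and that the issuer is trusted by the client's moznss library; Rich's says to point ldap.conf or .ldaprc at the issuing CA. The script below is an added example, not code from the thread or from the OpenLDAP project, that runs those checks against an ldap.conf and then shows the live checks to run against the server. The sample configs it writes, the address 192.0.2.10, the directory /etc/openldap/certs and the ca.pem argument are constructed for illustration; whether the moznss build on a given box accepts a PEM file in TLS_CACERT depends on the package, so check ldap.conf(5) on the client.

```sh
#!/bin/sh
# Added example (not from the thread). Checks the client-side settings the
# replies point at: the URI host the server certificate must match, and the
# trust anchor (TLS_CACERT / TLS_CACERTDIR) that lets libldap accept the
# issuing CA. Sample configs and paths below are constructed for illustration.

# Effective value of one ldap.conf directive (a later line overrides an
# earlier one, as in libldap). $1 = config file, $2 = directive name.
ldapconf_get() {
    awk -v key="$2" 'toupper($1) == key { val = $2 } END { print val }' "$1"
}

# Host part of the (first) ldap:// or ldaps:// URI, classified as "ip" or
# "name". The certificate's CN/subjectAltName is checked against this string,
# so an IP here does not match a certificate issued to a hostname.
uri_host_kind() {
    host=$(printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[:/].*$##')
    case "$host" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo ip ;;
        *) echo name ;;
    esac
}

# Trust anchor the client is configured with. TLS_CACERT names a PEM file;
# TLS_CACERTDIR names a directory, which on the RHEL6 moznss build is an NSS
# certificate database (assumed path /etc/openldap/certs in the sample).
trust_source() {
    cacert=$(ldapconf_get "$1" TLS_CACERT)
    cadir=$(ldapconf_get "$1" TLS_CACERTDIR)
    if [ -n "$cacert" ]; then echo "file:$cacert"
    elif [ -n "$cadir" ]; then echo "dir:$cadir"
    else echo none
    fi
}

# Run both checks against one ldap.conf. Prints one finding per item and
# returns 0 when both look right, 1 otherwise.
diagnose() {
    conf=$1
    rc=0
    uri=$(ldapconf_get "$conf" URI)
    if [ -z "$uri" ]; then
        echo "URI: not set in $conf; ldapsearch will fall back to localhost"
        rc=1
    elif [ "$(uri_host_kind "$uri")" = ip ]; then
        echo "URI: $uri names an IP; a cert issued to a hostname will not match"
        rc=1
    else
        echo "URI: $uri (hostname, ok)"
    fi
    trust=$(trust_source "$conf")
    if [ "$trust" = none ]; then
        echo "trust: no TLS_CACERT/TLS_CACERTDIR; issuer unknown to the client (NSS -8172)"
        rc=1
    else
        echo "trust: $trust"
    fi
    return $rc
}

# Constructed sample client configs standing in for /etc/openldap/ldap.conf.
# $1 = broken|fixed, $2 = path to write.
write_sample_conf() {
    case "$1" in
    broken) cat > "$2" <<'EOF'
# constructed: IP in the URI, no trust anchor at all
BASE dc=flamengro,dc=co,dc=za
URI  ldap://192.0.2.10
EOF
    ;;
    fixed) cat > "$2" <<'EOF'
# constructed: hostname the certificate was issued to, CA database configured
BASE dc=flamengro,dc=co,dc=za
URI  ldap://ldapserver
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
EOF
    ;;
    esac
}

# Live check against the server (needs network, openssl and ldapsearch; not
# called by anything above). $1 = server hostname, $2 = CA cert PEM file.
# Port 636 is used so that "-starttls ldap" (OpenSSL 1.1.1+) is not needed.
check_server() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>&1 \
        | grep -E '^(subject|issuer)=|Verify return code'
    # -Z only attempts StartTLS and carries on in clear if it fails; -ZZ makes
    # the failure fatal, which is what you want when testing the TLS setup.
    LDAPTLS_CACERT=$2 ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base
}

[ $# -eq 0 ] || diagnose "$1"
```

Run it as `sh ldapcheck.sh /etc/openldap/ldap.conf` on the client; "Verify return code: 0 (ok)" from `check_server ldapserver ca.pem` confirms the chain, and the `-ZZ` search then exercises the same path ldapsearch -Z takes. On the NSS build the CA usually has to be imported into the database named by TLS_CACERTDIR with certutil rather than dropped in as a file.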
--On Tuesday, January 29, 2013 10:22 AM +0200 Chris chris@flamengro.co.za wrote:
> Hi
> I am running OpenLDAP 2.4.23 on RHEL6. I can telnet to the server on both ports 389 and 636. I can do a ldapsearch and ldapadd without any errors. I get this error when I start the slapd daemon.
In addition to the issue noted by Rich, I would note that you are using an ancient release with numerous known issues that is not suitable for a production LDAP server. I would strongly advise you to use a current OpenLDAP release. If you do not feel comfortable building OpenLDAP yourself, there are packages available at http://ltb-project.org/wiki/download#openldap that should meet your needs.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org