Hello,
I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory with the following command:
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The credentials are fine and work without any problem, for example from Windows clients (JXplore) or from a Java-written client running on my laptop.
Openssl can connect fine too.
Any ideas what could be wrong?
Btw: has anyone here managed to get JXplore working on FreeBSD? There is an installer for it which cannot find libstdc++.so.4 on my system (I have libstdc++.so.6).
Vy 73
matthias
On Mon, 2 Nov 2015 17:28:06 +0100, Matthias Apitz guru@unixarea.de wrote:
> Hello,
> I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory with the following command:
> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
> [...]
Quite obviously, you initiated StartTLS AND ldaps. To my knowledge, eDirectory does not support StartTLS, so just omit -Z.
-Dieter
Dieter Klünter wrote:
> On Mon, 2 Nov 2015 17:28:06 +0100, Matthias Apitz guru@unixarea.de wrote:
> > Hello,
> > I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory with the following command:
> > $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
> > [...]
> Quite obviously, you initiated StartTLS AND ldaps. To my knowledge, eDirectory does not support StartTLS, so just omit -Z.
No, that's not the problem. Note that with a single -Z, ldapsearch will proceed even if the server doesn't support startTLS.
The problem here is that he hasn't configured the local LDAP clients to trust the remote server's certificates.
> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
> ldap_start_tls: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
The error message is quite explicit - "certificate verify failed" - this obviously means that it started a TLS handshake, which obviously makes your focus on -Z completely off base.
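The trust failure discussed in the reply above, reproduced offline as an added example (this is not code from the thread, from OpenLDAP or from Novell). It builds a throwaway self-signed CA and a server certificate signed by it, shows that OpenSSL rejects the presented chain with the same "self signed certificate in certificate chain" error until that CA is supplied as a trust anchor, and prints the ldap.conf lines that give libldap the anchor. The CA and server names, the temporary files and the /usr/local/etc/openldap/eDirectory-CA.pem path are assumptions; it requires only the openssl CLI. On a real deployment the CA certificate must come from the eDirectory administrator (or be exported from its Organizational CA), not scraped from the connection you are trying to verify.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Reproduces the
# "self signed certificate in certificate chain" failure offline with a
# throwaway CA, then shows the trust anchor the OpenLDAP client needs.
# Assumes the openssl CLI is installed; every name and path here is made up.
set -eu

WORK=$(mktemp -d "${TMPDIR:-/tmp}/ldaptls.XXXXXX")

# Constructed PKI: a self-signed CA standing in for eDirectory's Organizational
# CA, and a server certificate for "romega" signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=uni/CN=Test Organizational CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=uni/CN=romega" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
    # What the server sends in the handshake: leaf first, then its self-signed issuer.
    cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Path-validate the presented chain the way libldap (through OpenSSL) does.
# $1 = trust anchor file, or "" for no TLS_CACERT at all, i.e. only whatever
#      the system store already holds, which does not include this private CA.
# Returns 0 when the leaf verifies, non-zero otherwise; prints the diagnostic.
verify_presented_chain() {
    if [ -n "${1:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" "$WORK/server.pem" 2>&1
    else
        openssl verify -untrusted "$WORK/chain.pem" "$WORK/server.pem" 2>&1
    fi
}

# The client-side fix: tell libldap where the CA lives and keep verification on
# (demand is the default, written out here so nobody is tempted to set "never").
# Goes into /usr/local/etc/openldap/ldap.conf on FreeBSD, or ~/.ldaprc; the same
# settings also work as the LDAPTLS_CACERT / LDAPTLS_REQCERT environment variables.
# $1 = path the CA certificate will be installed at.
ldap_client_config() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

main() {
    make_test_pki
    echo "--- no trust anchor configured (what the thread ran into):"
    verify_presented_chain "" || true
    echo "--- CA supplied as the trust anchor:"
    verify_presented_chain "$WORK/ca.pem"
    echo "--- lines to put in ldap.conf (the path is an assumption):"
    ldap_client_config /usr/local/etc/openldap/eDirectory-CA.pem
    # With that in place, query over ldaps:// without -Z (StartTLS is for ldap:// URIs):
    #   ldapsearch -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=...,ou=service,o=uni' -W
}

main
```

To check a live server with the same anchor, `openssl s_client -connect romega:1027 -CAfile /usr/local/etc/openldap/eDirectory-CA.pem` should end with "Verify return code: 0 (ok)"; `-showcerts` displays the chain the server presents, but a root copied out of that output is only as trustworthy as the unverified connection it came over, so compare its fingerprint with one obtained from the eDirectory administrator before installing it. `TLS_REQCERT never` also makes the error disappear, by switching certificate verification off entirely, which is the wrong fix. Per ldapsearch(1), a single `-Z` issues StartTLS and carries on if it fails, while `-ZZ` requires it to succeed; both are meant for `ldap://` URIs, and on `ldaps://` the connection is already TLS before any LDAP operation is sent.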
Dieter Klünter wrote:
> On Mon, 2 Nov 2015 17:28:06 +0100, Matthias Apitz guru@unixarea.de wrote:
> > I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory with the following command:
> > $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
> > [...]
> Quite obviously, you initiated StartTLS AND ldaps. To my knowledge, eDirectory does not support StartTLS, so just omit -Z.
Novell eDirectory *does* support the StartTLS extended operation. At least 8.7 and later do; I tested them some years ago. I did not test earlier versions, though.
Ciao, Michael.
openldap-technical@openldap.org