I'm trying to do an ldapsearch like this:
ldapsearch -x -D "uid=username,ou=people,dc=example" -w passw0rd -H ldaps://example.com "(objectClass=example)"
But it's giving me this error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And with debugging enabled, it's:
ldap_url_parse_ext(ldaps://example.com)
ldap_create
ldap_url_parse_ext(ldaps://example.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying X.X.X.X:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I thought it was a problem with the SSL connection. But no, because this command succeeds:
openssl s_client -connect example.com:636
So I don't know where the problem is…
For more information: I'm in a Docker container with an Ubuntu image, and my LDAP configuration is:
BASE dc=example
URI ldaps://example.com
TLS_REQCERT demand
TLS_CACERT /etc/ldap/certificates/CA-cert.pem
Best Answer
You could set, in /etc/ldap.conf,
TLS_REQCERT allow
which, as you will suspect, will not die on unknown certificate authorities. Take a look at man ldap.conf.
Once you have verified that ldapsearch is working, the right thing to do would be to get a copy of the CA root certificate and import it into your Ubuntu system store.
Apparently this is done as shown in this Super User question.
Or you could just ignore it and get on with what you were doing without verifying the certificate, but you should try to verify it if at all possible.
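The openssl s_client command in the question only shows that a TLS handshake completes; without -CAfile it does not verify the server chain against the CA file that ldap.conf points at, which is exactly what TLS_REQCERT demand requires. The following is an added example, not code from the question or the answer, that repeats the handshake with the configured CA file and reports the verify result; the hostname, port and CA path are the placeholders from the question.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes the
# ldap.conf values from the question: server example.com:636 and the CA file
# /etc/ldap/certificates/CA-cert.pem. Both are placeholders from the post.

# Parse captured "openssl s_client" output and report whether the server
# chain verified against the CA supplied with -CAfile. Returns 0 on success.
verify_ok() {
    # $1: captured s_client output
    printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# Extract the verify return code line for a readable diagnostic.
verify_reason() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: //p' | head -n 1
}

# Run the same check ldapsearch performs under TLS_REQCERT demand: verify
# the server certificate against the configured CA file only, not the
# system store, which is what the question's ldap.conf does.
check_ldaps_ca() {
    host="$1"; port="${2:-636}"; cafile="$3"
    [ -r "$cafile" ] || { echo "CA file not readable: $cafile" >&2; return 2; }
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" </dev/null 2>/dev/null)
    if verify_ok "$out"; then
        echo "chain for $host verifies against $cafile"
        return 0
    fi
    echo "verification failed: $(verify_reason "$out")" >&2
    return 1
}

# Usage (placeholders from the question):
# check_ldaps_ca example.com 636 /etc/ldap/certificates/CA-cert.pem
```

If the check fails, the reason printed is the same one ldapsearch is rejecting under TLS_REQCERT demand; if it passes but ldapsearch still cannot connect, the problem is not the certificate chain.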