I am using a Centos 6.6 and i'm trying to use ldapsearch to connect to my windows ad server and i can't connect using port 636.
I exported the CA root certificate of my ad server in base64 and added it into the ldap cert directory (a.cer)
my /etc/openldap/ldap.conf
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
PORT 636
TLS_REQCERT demand
TLS_CERT /etc/openldap/certs/a.cer
TLS_CACERTDIR /etc/openldap/certs
when i try to connect with ldaps :
ldapsearch -x -H 'ldaps://myadserv.intranet.mydom.com' -D 'userx' -W sAMAccountName=userx -b "dc=intranet,dc=mydom,dc=com" 'uid=user' -d1
ldap_url_parse_ext(ldaps://myadserv.intranet.mydom.com)
ldap_create
ldap_url_parse_ext(ldaps://myadserv.intranet.mydom.com:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myadserv.intranet.mydom.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.32.20.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=myadserv.intranet.mydom.com] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 22 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldapsearch with port 389 is working:
ldapsearch -h myadserv.intranet.mydom.com -p 389 -D userx -w 'password' -b "dc=intranet,dc=mydom,dc=com" 'uid=user'
# extended LDIF
#
# LDAPv3
# base <dc=intranet,dc=mydom,dc=com> with scope subtree
# filter: uid=user
# requesting: ALL
#
# search reference
ref: ldap://ForestDnsZones.intranet.mydom.com/DC=ForestDnsZones,DC=intran
et,DC=mydom,DC=com
# search reference
ref: ldap://DomainDnsZones.intranet.mydom.com/DC=DomainDnsZones,DC=intran
et,DC=mydom,DC=com
# search reference
ref: ldap://intranet.mydom.com/CN=Configuration,DC=intranet,DC=mydom
,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numReferences: 3
I must have done something wrong with the certificate, help would be much appreciated.
Please let me know if i forgot something and if you want me to add more informations
Best Answer
centos 6 has a wonderful system for trusting CAs, shared system certificates
Place the CA cert in pem format in /etc/pki/ca-trust/source/anchors/, run
update-ca-trust && update-ca-trust enable
The beauty of this tool is that it generates openssl, java and nss stores.
So if your CA certificate is correct, it will work (at $work we deploy our trusted CA certs like this).
This blog has quite a nice writeup about it.