I am trying to set up PWM for my OpenLDAP server on Ubuntu 16.04, but it fails to connect to LDAP with error
Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=ldap.example.com, port=389 error: Remote host closed connection during handshake)
If I try to connect unencrypted, connection seems to be succesful, but setting up an account for PWM fails with TLS confidentiality required, which is intentional.
Authentication on clients and ldapsearch (with the switch -Z or -ZZ) work.
I have imported the certificate files to the clients and to Java on the server machine, as the certificate is self signed with openssl.
I tried to connect to LDAP with openssl s_client -connect ldap.example:389 -showcerts -state -tls1_2 to check the certificate, but the connection terminates with no error messages and this output:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:failed in unknown state
140394455615128:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1484029284
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Connection to port 443 outputs a certificate.
I quite honestly don't know what to do so any help would be appreciated.
Best Answer
389\TCP is not LDAP SSL port by default. Port 636\TCP commonly used for LDAP SSL (ldaps).
On the 389\TCP port can be enabled STARTTLS (
ldapsearchwith the switch-Zor-ZZuse it). I'm not sure that OpenSSL s_client is able to implement STARTTLS for LDAP protocol.