Hi,
ldapsearch with an ldaps-URL stopped working recently, probably with the
update from openssl 1.0.0 to openssl 1.0.1.
On a server with up-to-date packages (openssl-1.0.1e-16.el6_5.x86_64,
openldap-clients-2.4.23-32.el6_4.1.x86_64) I get the following errors
when issuing an ldapsearch (some parts anonymized):
[bad]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=ME"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts'
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown
PKCS #11 error.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12226
TLS: can't connect: TLS error -12226:SSL peer rejected a handshake
message for unacceptable content..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[bad]#
while on a system with a slightly older OpenSSL package
(openssl-1.0.0-27.el6_4.2.x86_64, same openldap-clients package
version), I get the following error:
[good]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=me"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)'
certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory
/etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign
nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has
been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been
marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[good]#
It /does/ see the certificate, even though it has a problem with it.
Since I know the LDAP server is trustworthy - despite the certificate
issue - I can work around it with "TLS_REQCERT never" in
/etc/openldap/ldap.conf or by prefixing the ldapsearch line with
"LDAPTLS_REQCERT=never":
[good]# LDAPTLS_REQCERT=never ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s sub -v "uid=me"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)'
certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory
/etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign
nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has
been marked as not trusted by the user..
TLS certificate verification: subject: CN=ldap.domain.org,OU=Domain
Control Validated,C=DE, issuer: CN=GlobalSign Domain Validation CA -
G2,O=GlobalSign nv-sa,C=BE, cipher: AES-256, security level: high,
secret key bits: 256, total key bits: 256, cache hits: 0, cache misses:
0, cache not reusable: 0
[... ldapsearch results here ...]
[good]#
If I do the same on the system with OpenSSL 1.0.1e, I get the same error
as w/o this setting.
It could be a problem with the OpenSSL 1.0.1 package - hopefully not -
or just a configuration issue. I just have no idea which one. Any
pointer is highly appreciated.
Cheers
frank
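A small triage helper for the three `ldapsearch -d1` runs quoted above, added here as an example and not part of Frank's mail or of OpenLDAP. It reads the debug output on stdin and tags the TLS conditions that appear in the mail: the unopenable NSS certdb (-8018), the missing CA directory (-5950), the untrusted issuer (-8172) and the rejected handshake (-12226). The tag names are made up for this example; the sample input is constructed from the quoted runs, trimmed to the TLS lines. It deliberately flags the LDAPTLS_REQCERT=never run as "connected-unverified", because in that run the issuer is still reported as untrusted and the session only comes up because the check was switched off.

```sh
#!/bin/sh
# Triage helper for `ldapsearch -d1` debug output over ldaps://.
# Added example, not code from the original mail. It recognises only the
# moznss error codes quoted in the mail; the tag names are invented here.

# Sample debug output, constructed from the three runs quoted in the mail
# (trimmed to the TLS lines that carry the diagnosis).
BAD_RUN="TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12226
TLS: can't connect: TLS error -12226:SSL peer rejected a handshake message for unacceptable content..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

GOOD_RUN="TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

BYPASS_RUN="TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=ldap.domain.org,OU=Domain Control Validated,C=DE, issuer: CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE, cipher: AES-256"

# classify_ldap_tls: read ldapsearch -d1 output on stdin, print one line of
# space-separated tags in a fixed order, and return 0 only for a session
# that came up with the peer certificate actually trusted.
classify_ldap_tls() {
    out=$(cat)
    tags=""
    # -8018: the NSS certificate database at configDir could not be opened.
    # Harmless on its own if a PEM CA directory is usable afterwards.
    printf '%s\n' "$out" | grep -q 'error -8018' && tags="$tags certdb-unopenable"
    # -5950: the configured CA certificate directory does not exist.
    printf '%s\n' "$out" | grep -q 'error -5950' && tags="$tags ca-dir-missing"
    # -8172: the server chain was received but its issuer is not trusted
    # locally, so the problem is the client's trust store, not the server.
    printf '%s\n' "$out" | grep -q 'error -8172' && tags="$tags issuer-untrusted"
    # -12226: the peer rejected a handshake message. No certificate was
    # evaluated at all, so TLS_REQCERT cannot change this outcome.
    printf '%s\n' "$out" | grep -q 'error -12226' && tags="$tags handshake-rejected"
    # A "TLS certificate verification:" line means the session was established.
    # Combined with an untrusted issuer it can only mean verification was bypassed.
    if printf '%s\n' "$out" | grep -q '^TLS certificate verification:'; then
        case "$tags" in
            *issuer-untrusted*) tags="$tags connected-unverified" ;;
            *)                  tags="$tags connected-verified" ;;
        esac
    fi
    printf '%s\n' "${tags# }"
    case "$tags" in
        *connected-verified*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Stand-alone demonstration over the three constructed runs.
for run in "$BAD_RUN" "$GOOD_RUN" "$BYPASS_RUN"; do
    printf '%s\n' "$run" | classify_ldap_tls || :
done
```

Run as `ldapsearch -d1 ... 2>&1 | sh -c '. ./triage.sh; classify_ldap_tls'` or paste the function into an interactive shell. The two failing runs in the mail sort into different buckets: the "good" host gets as far as evaluating the GlobalSign chain and fails on trust (ca-dir-missing, issuer-untrusted), which is fixed by populating the CA directory the client is looking in; the "bad" host never reaches certificate evaluation (handshake-rejected), which is why setting LDAPTLS_REQCERT=never changes nothing there.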