
Remote client can't query LDAP server by SASL EXTERNAL/TLS with cert.

Hi all,
    I have run into a problem.
    (System: server machine: Red Hat Linux 7.3, OpenLDAP 2.1.8;
             client machine: Red Hat Linux 7.2, OpenLDAP 2.1.8)
    I installed and configured my LDAP server "A" with TLS support, and created my own root CA cert/key with openssl.
    With the root CA, I signed the LDAP server's cert and two users' certs; in the server's cert, "CN=SERVER_FQDN". One user, named "aa", is on the server machine; the other, named "bb", is on a remote machine "B".

On LDAP server A, start the LDAP server (monitoring the messages that occur):
$ slapd -h "ldap:/// ldaps:///" -d 128
The user "aa" on the server can query LDAP by SASL EXTERNAL/TLS with the following commands and gets correct results:
$ ldapsearch -H "ldaps://ldap_server_FQDN" -b "o=MyTest,c=CN" -Y EXTERNAL
$ ldapsearch -H "ldap://ldap_server_FQDN" -b "o=MyTest,c=CN" -Y EXTERNAL -ZZ
On remote machine B, the user "bb" can't get any result from the LDAP server with the same commands:
On port 636:
$ ldapsearch -H "ldaps://ldap_server_FQDN" -b "o=MyTest,c=CN" -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server
It returns no further messages, and the LDAP server logs no corresponding message.

On port 389:
$ ldapsearch -H "ldap://ldap_server_FQDN" -b "o=MyTest,c=CN" -Y EXTERNAL -ZZ
ldap_start_tls: Success
It returns no further messages, but the LDAP server logs a corresponding message:
 ber_flush: 14 bytes to sd 15

I don't know why user "bb" cannot query the server the way user "aa" can.
The attachments are the configuration files on the two machines and user "bb"'s .ldaprc file.

Thanks in advance for any help or hints:-)

Zhang Fei

R&D of SDB Department

Attachments: server_sldap.conf, client_remote_B_ldap.conf, server_ldap.conf, client_bb_ldaprc.TXT
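SASL EXTERNAL over TLS only works when the client actually presents a certificate that slapd can verify and map to an identity, so the first thing to check on the remote machine is the client-side TLS configuration. The following POSIX sh script is an added example, not part of the original post or of OpenLDAP itself. It reads the standard OpenLDAP client keywords TLS_CACERT, TLS_CERT and TLS_KEY from an ldaprc-style file, reports which are missing, and, when openssl is installed, verifies that the certificate chains to the CA and that the private key belongs to it (the key check assumes an RSA key). The sample ~/.ldaprc contents and the /home/bb/... paths are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the client side of a
# SASL EXTERNAL over TLS setup before running ldapsearch. File names below are
# constructed samples; the TLS_* keywords are the real OpenLDAP client keywords.

# Value of a keyword in an ldaprc-style file. Keyword match is case-insensitive,
# comment lines are skipped, first match wins, output is empty if absent.
ldaprc_get() {
    awk -v key="$2" '$1 !~ /^#/ && toupper($1) == toupper(key) { print $2; exit }' "$1"
}

# Prints "ok" when all three TLS_* keywords are present, otherwise prints the
# missing ones and fails. A client cert is only presented when TLS_CERT and
# TLS_KEY are set; ldap.conf(5) marks them user-only, so they belong in the
# user's ~/.ldaprc, not in the system-wide ldap.conf.
ldaprc_check_keys() {
    missing=""
    for k in TLS_CACERT TLS_CERT TLS_KEY; do
        [ -n "$(ldaprc_get "$1" "$k")" ] || missing="$missing $k"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Cert/key consistency via openssl: the cert must verify against the CA and the
# RSA key's modulus must equal the cert's. Returns 2 when openssl is absent.
tls_files_check() {
    rc="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 2; }
    ca=$(ldaprc_get "$rc" TLS_CACERT)
    crt=$(ldaprc_get "$rc" TLS_CERT)
    key=$(ldaprc_get "$rc" TLS_KEY)
    openssl verify -CAfile "$ca" "$crt" || return 1
    [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] \
        || { echo "key does not match cert"; return 1; }
    # The subject DN is what slapd sees as the SASL EXTERNAL authcid; compare it
    # with the server's sasl-regexp mapping.
    openssl x509 -noout -subject -in "$crt"
}

# Constructed sample of a remote user's ~/.ldaprc.
SAMPLE_RC="${TMPDIR:-/tmp}/ldaprc.sample.$$"
cat >"$SAMPLE_RC" <<'EOF'
# sample ~/.ldaprc (constructed)
HOST ldap_server_FQDN
BASE o=MyTest,c=CN
TLS_CACERT /home/bb/cacert.pem
TLS_CERT   /home/bb/bb-cert.pem
TLS_KEY    /home/bb/bb-key.pem
EOF

# Second constructed sample with the private key line removed: the failure case.
SAMPLE_RC_BAD="${TMPDIR:-/tmp}/ldaprc.bad.$$"
grep -v '^TLS_KEY' "$SAMPLE_RC" >"$SAMPLE_RC_BAD"

ldaprc_check_keys "$SAMPLE_RC"            # prints: ok
ldaprc_check_keys "$SAMPLE_RC_BAD" || :   # prints: missing: TLS_KEY
```

Once the file checks pass, `ldapwhoami -H ldap://ldap_server_FQDN -Y EXTERNAL -ZZ -d 1` on the client shows the TLS handshake and which identity the server assigned, which is more informative than a search that simply hangs after "ldap_start_tls: Success".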