
ldapsearch from server does not work but works from client

Hi all,

I have managed to install OpenLDAP 2.4 on a RHEL 5.2 workstation. The basic OpenLDAP without TLS/SSL works fine. On the server itself and from the client I was able to do ldapsearch. However, after I created a server.pem by going through this guide (Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Linux Home Networking): http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
ldapsearch on the ldap server itself does not work anymore. The summary of the configuration is as below:

server.pem is created in /usr/local/etc/openldap/cacerts and client.pem is in /etc/openldap/cacerts. client.pem is also moved to the clients and ldapsearch works fine from a client workstation. However, on the ldap server itself it does not. The output of /etc/ldap.conf looks like below:

uri ldaps://syna-ldap-02.synamatix.com/
tls_cacertdir /etc/openldap/cacerts
pam_password md5

My /usr/local/etc/openldap/slapd.conf TLS portion looks like below:

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateFile      /usr/local/etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/server.pem
TLSVerifyClient          allow

The error from ldapsearch -x -H ldaps://syna-ldap-02.synamatix.com -d127 on the server itself is as below:

TLS ceritficate verification: depth: 0, err: 18, subject: /C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN=syna-ldap-02.synamatix.com/emailAddress=seauyeen@mgrc.com.my, issuer: /C=MY/ST=KL/L=MV/O=MGRC/OU=IT/CN=syna-ldap-02.synamatix.com/emailAddress=seauyeen@mgrc.com.my
TLS certificate verification: Error, self signed certificate
tls_write: want=7, write=7
   0000: 15 03 01 00 02 02 30
TLS trace: SSL3 alert write:fata:unknown CA
TLS trace: SSL connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On the server end, as I started it in debug mode, I get the errors below:
TLS trace: SSL3 alert read: fatal: unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: erro: 14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(13): TLS accept failure error=-1 id=1010,closing

Why is it that ldapsearch from a client workstation works fine but not on the ldap server itself? It is so baffling. It is fine without TLS activated. I have been working on this for 1 week! The information online does not seem to cater to this weird incident of mine.

Hope to receive some assistance really soon. If you need files and attachments, please inform me. Thanks and Happy New Year guys!!!!


Su Seau Yeen
Assistant Manager IT Operations

Malaysian Genomics Resource Centre Berhad (MGRC)
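A quick offline check of the trust-store layout behind the "depth: 0, err: 18 ... self signed certificate" message in the post (err 18 means the issuer certificate was not found in the configured trust store), added here as an example and not part of the original post: it generates a constructed self-signed certificate and verifies it against an empty directory, an unhashed copy, and a c_rehash-style hashed copy, the way an OpenSSL CApath / tls_cacertdir lookup does. It assumes the openssl CLI is installed; all names and paths are constructed.

```shell
# Added diagnostic (not from the original post). Assumes the openssl CLI;
# certificate subject, file names and directories are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate standing in for server.pem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=MY/O=Example/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify a certificate against a CA directory the way TLS_CACERTDIR does
# (lookup by subject-hash file name). Prints "ok" or "fail".
verify_against_dir() {
    if openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Install a CA certificate under its subject hash (what c_rehash produces);
# this is the file name the CApath/tls_cacertdir lookup expects.
install_ca() {
    mkdir -p "$2"
    cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

make_selfsigned

# Case 1: empty trust directory -> issuer not found -> err 18.
mkdir -p "$WORK/empty_cacerts"
EMPTY_RESULT="$(verify_against_dir "$WORK/empty_cacerts" "$WORK/server.pem")"

# Case 2: PEM present under its plain name -> still fails, because the
# directory lookup is by hash, not by file name.
mkdir -p "$WORK/unhashed_cacerts"
cp "$WORK/server.pem" "$WORK/unhashed_cacerts/server.pem"
UNHASHED_RESULT="$(verify_against_dir "$WORK/unhashed_cacerts" "$WORK/server.pem")"

# Case 3: hashed copy -> the self-signed certificate is found and trusted.
install_ca "$WORK/server.pem" "$WORK/hashed_cacerts"
HASHED_RESULT="$(verify_against_dir "$WORK/hashed_cacerts" "$WORK/server.pem")"

echo "empty=$EMPTY_RESULT unhashed=$UNHASHED_RESULT hashed=$HASHED_RESULT"
```

Running the same `openssl verify -CApath` against the directory named in the server's own /etc/ldap.conf, with the certificate slapd actually serves, shows whether that host's trust store can find the issuer at all.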