
Re: OpenLDAP client and SSL handshake

On Mar 20, 2012, at 3:51 PM, Jon Dufresne wrote:

> Hi,
> 
> I am using OpenLDAP as a client to connect to a 3rd party Oracle
> Internet Directory 10g.
> 
> After recent updates, I have been unable to successfully bind with the
> LDAP server. I believe this is an error with the SSL handshake because
> the following command will not negotiate an SSL protocol:
> 
> $ openssl s_client -connect HOST:636
> ...
> Failure
> 
> While adding the -no_tls1 flag will:
> 
> $ openssl s_client -connect HOST:636 -no_tls1
> ...
> Success
> 
> When I attempt to connect to the server using ldapsearch, I receive the
> following:
> 
> $ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W
> ldap_url_parse_ext(ldaps://HOST:636)
> ldap_create
> ldap_url_parse_ext(ldaps://HOST:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP HOST:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying HOST_IP:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11
> error..
> TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate
> file - error -8018:Unknown PKCS #11 error..
> TLS: could perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error
> -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> TLS: could not shutdown NSS - error -8053:NSS could not shutdown.
> Objects are still in use..
> 
> 
> Is there a way, either through the ldap.conf, an environment variable,
> or through the API, to ignore the TLS portion of the handshake? Am I
> mistaken and something else is wrong here?
----
With deference to the obvious security implications, does adding "TLS_REQCERT allow" to ldap.conf help?

Craig
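As an added illustration (not part of the thread), a client-side ldap.conf that shows what Craig's suggestion does next to the alternative that keeps server verification on; the CA file path is the one from Jon's debug output and is otherwise an assumption.

```conf
# /etc/openldap/ldap.conf (client side). Added example, not from the thread.

# --- What "TLS_REQCERT allow" does ---
# The client still asks for the server certificate, but a missing, unparseable
# or untrusted certificate no longer aborts the session. The ldaps:// connection
# then succeeds even when the CA file cannot be loaded, at the cost of
# accepting whatever server answers on port 636 (no authentication of the peer).
#TLS_REQCERT allow

# --- Alternative: repair the trust anchor, keep verification on ---
# PEM file holding the CA that issued the directory server's certificate.
# Path is the one ldapsearch reported above; with the MozNSS build, TLS_CACERTDIR
# may instead point at an NSS certificate database directory (assumption).
TLS_CACERT   /etc/openldap/cacerts/addtrust-ca.crt

# Default made explicit: a server certificate must be presented and must verify.
TLS_REQCERT  demand
```

The same setting can be given per process as the environment variable LDAPTLS_REQCERT, which is handy for a one-off diagnostic run; checking that the CA file itself parses (for example with "openssl x509 -in /etc/openldap/cacerts/addtrust-ca.crt -noout -subject") separates a bad trust-anchor file from a genuine protocol mismatch.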