Discussion:
ldapsearch over SSL can not bind
Matthias Apitz
2015-11-02 16:28:06 UTC
Permalink
Content preview: Hello, I'm trying to make from FreeBSD a LDAPsearch in some
Novell eDirectory with the following command: $ ldapsearch -Z -H ldaps://romega:1027
-b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX ldap_start_tls:
Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (self signed certificate in certificate chain) ldap_sasl_bind(SIMPLE):
Can't contact LDAP server (-1) [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[178.254.4.101 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: unixarea.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]


Hello,

I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
with the following command:

$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The credentials are fine and are working without any problem, for
example from Windos clients (JXplore) or from a Java written client
running on my laptop.

Openssl can connect fine too.

Any ideas what could be wrong?

Btw: Someone here who managed to work JXplore in FreeBSD? There is an
installer for it which can not find libstdc++.so.4 on my system (I have
libstdc++.so.6).

Vy 73

matthias
--
Matthias Apitz, ✉ ***@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
Dieter Klünter
2015-11-02 17:00:00 UTC
Permalink
Post by Matthias Apitz
Hello, > > I'm trying to make from FreeBSD a LDAPsearch in some Novell
eDirectory > with the following command: > > $ ldapsearch -Z -H ldaps://romega:1027
-b 'ou=person,o=uni' -D [...] [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: unixarea.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Mon, 2 Nov 2015 17:28:06 +0100
Post by Matthias Apitz
Hello,
I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
[...]

Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Howard Chu
2015-11-02 17:14:18 UTC
Permalink
Content preview: Dieter Klünter wrote: > Am Mon, 2 Nov 2015 17:28:06 +0100
to make from FreeBSD a LDAPsearch in some Novell eDirectory >> with the following
command: >> >> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni'
-D > [...] > > Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z. [...]
Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Cc: Matthias Apitz <***@unixarea.de>
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -4.2 (----)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Dieter Klünter wrote: > Am Mon, 2 Nov 2015 17:28:06 +0100
to make from FreeBSD a LDAPsearch in some Novell eDirectory >> with the following
command: >> >> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni'
-D > [...] > > Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z. [...]
Content analysis details: (-4.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[69.43.206.106 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Am Mon, 2 Nov 2015 17:28:06 +0100
Post by Matthias Apitz
Hello,
I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
[...]
Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z.
No, that's not the problem. Note that with a single -Z, ldapsearch will
proceed even if the server doesn't support startTLS.

The problem here is that he hasn't configured the local LDAP clients to trust
the remote server's certificates.
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
The error message is quite explicit - "certificate verify failed" - this
obviously means that it started a TLS handshake, which obviously makes your
focus on -Z completely off base.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Michael Ströder
2015-11-02 21:00:59 UTC
Permalink
Post by Dieter Klünter
Am Mon, 2 Nov 2015 17:28:06 +0100
Post by Matthias Apitz
I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
[...]
Quite obvious, you initiated startTLS AND ldaps. To my knowledge,
edirectory does not support startTLS, so just omit -Z.
Novell eDirectory *does* support StartTLS ext. op.
At least 8.7 and later I have tested some years ago.
Did not test earlier versions though.

Ciao, Michael.

Loading...