Hi Dieter:

Thanks for your quick reply. I have changed to 'TLS_REQCERT try' and checked the commonName of the host certificate; the common name is the LDAP Server hostname "auth.server.com". The following are the query results:

[root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/[email protected]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

Now, the /etc/openldap/ldap.conf file:

URI ldap://ldap.server.com/
BASE dc=server,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
#SSL ON
TLS_REQCERT try

But when I run "#ldapsearch -x -H ldap://ldap.server.com -ZZ", I also get the following error:

[root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ
ldap_start_tls: Connect error (-11)

Tian Zhiying

From: Dieter Klünter
Date: 2013-10-23 17:35
To: openldap-technical
CC: tianzy1225
Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure

On Wed, 23 Oct 2013 16:47:25 +0800, "Tian Zhiying" <[email protected]> wrote:

> Hi
>
> On the LDAP Server, running the following commands is ok:
> #ldapsearch -x -H ldap://ldap.server.com -ZZ
> #ldapsearch -x -H ldap://ldap.server.com
>
> But on my client, running "#ldapsearch -x -H ldap://ldap.server.com"
> is ok; running "#ldapsearch -x -H ldap://ldap.server.com -ZZ", I get the
> following error:
> [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ
> ldap_start_tls: Connect error (-11)
>
> In the LDAP Server log file, I get the following error messages:
> Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from IP=192.168.9.9:45648 (IP=0.0.0.0:389)
> Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 STARTTLS
> Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 RESULT oid= err=0 text=
> Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)
>
> My client ldap configuration:
> /etc/openldap/ldap.conf file:
> URI ldap://ldap.server.com/
> BASE dc=server,dc=com
> TLS_CACERT /etc/openldap/cacerts/ca.crt
> SSL ON
> TLS_REQCERT demand

Set 'TLS_REQCERT try' and check the commonName of the host certificate.
SSL ON is not an openldap configuration parameter.
The /etc/ldap.conf file is not an openldap client configuration file, but one of nss_ldap.

> /etc/ldap.conf file:
> BASE dc=server,dc=com
> URI ldap://ldap.server.com
> SSL ON
> TLS_CACERT /etc/openldap/cacert/ca.crt
> TLS_REQCERT demand
>
> Any suggestion what causes the TLS negotiation failure?

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
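The two artefacts quoted in this thread, the `openssl s_client -state` transcript and the client's ldap.conf, already contain what is needed to separate the three things that make libldap abort StartTLS with `TLS_REQCERT try` or `demand`: a server certificate the CA file does not trust (OpenSSL verify error 18, which is what the transcript shows even though `-CAfile` was given), a URI hostname (`ldap.server.com`) that the certificate CN (`auth.server.com`) does not cover, and a `TLS_REQCERT` value that tolerates neither. The script below is an added example, not code from the thread or from the OpenLDAP project; it parses both formats offline and reports those conditions. The sample inputs are constructed from the quoted text (the emailAddress component of the subject is left out), and the wording of each finding is the example's own.

```python
"""Offline check of an openssl s_client transcript against an OpenLDAP
client ldap.conf: does the certificate chain verify, does the URI host
match the certificate name, and does TLS_REQCERT tolerate a failure?

Added example; not code from the thread or from OpenLDAP.  Sample inputs
are constructed from the quoted messages."""
import re
from urllib.parse import urlsplit

# Constructed from the s_client output quoted above (emailAddress omitted).
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read server hello A
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com
verify return:1
SSL_connect:SSLv3 read server certificate A
"""

# Constructed from the client config in the second message.
SAMPLE_LDAP_CONF_NOW = """\
URI ldap://ldap.server.com/
BASE dc=server,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
#SSL ON
TLS_REQCERT try
"""

# Constructed from the client config in the first message.
SAMPLE_LDAP_CONF_BEFORE = """\
URI ldap://ldap.server.com/
BASE dc=server,dc=com
TLS_CACERT /etc/openldap/cacerts/ca.crt
SSL ON
TLS_REQCERT demand
"""

# OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the leaf is self-signed
# and is not itself present in the trust store given with -CAfile.
SELF_SIGNED_LEAF = 18


def parse_ldap_conf(text):
    """ldap.conf(5) syntax: one 'KEY value' per line, '#' comments, keys case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_s_client(text):
    """Return ({depth: {rdn: value}}, [(depth, errnum, message)]) from -state output."""
    subjects, errors = {}, []
    depth = None
    for line in text.splitlines():
        m = re.match(r"depth=(\d+)\s+(.*)", line)
        if m:
            depth = int(m.group(1))
            # Old-style one-line subject: /C=CN/ST=BJ/.../CN=host
            rdns = [p.partition("=") for p in m.group(2).strip().strip("/").split("/") if p]
            subjects[depth] = {k: v for k, _, v in rdns}
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return subjects, errors


def hostname_matches(host, name):
    """Exact match, or a single leftmost wildcard label ('*.server.com')."""
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return host == name


def diagnose(ldap_conf_text, s_client_text):
    """List the reasons libldap would refuse this server under this config."""
    conf = parse_ldap_conf(ldap_conf_text)
    subjects, errors = parse_s_client(s_client_text)
    findings = []

    host = urlsplit(conf.get("URI", "")).hostname
    cn = subjects.get(0, {}).get("CN")
    if host and cn and not hostname_matches(host, cn):
        findings.append(f"hostname mismatch: URI host {host!r} but server certificate CN {cn!r}")

    for depth, num, msg in errors:
        if num == SELF_SIGNED_LEAF:
            findings.append(f"chain error {num}: {msg}; the server certificate is not in "
                            f"TLS_CACERT {conf.get('TLS_CACERT')!r}")
        else:
            findings.append(f"chain error {num} at depth {depth}: {msg}")

    # ldap.conf(5): never/allow accept a bad certificate; try only tolerates a
    # missing one and still terminates on a bad one; demand requires a good one.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad server certificate is accepted, "
                        "so a spoofed server is not detected")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: the session is still terminated on a bad "
                        "certificate; it only tolerates a missing one")

    for key in conf:
        if key.startswith("SSL"):
            findings.append(f"{key} is nss_ldap/pam_ldap syntax, not an OpenLDAP ldap.conf(5) option")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_LDAP_CONF_BEFORE), ("now", SAMPLE_LDAP_CONF_NOW)):
        print(f"--- {label} ---")
        for finding in diagnose(conf, SAMPLE_S_CLIENT):
            print(" *", finding)
```

Run against the two configs in the thread, the only finding that disappears between "before" and "now" is the `SSL ON` line; the chain and hostname findings remain, which is consistent with `-ZZ` still failing after the change to `try`. Note that `verify error:num=18` appeared even with `-CAfile` pointing at cacert.pem, so that file does not contain the certificate the server presents.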
