Hello developers,
Can you help me work out how to solve this problem?
We are working with the client that comes with OpenLDAP and cannot connect over
TLS/SSL (ldaps), but I was able to access the server using ldap on port 389.
The server configuration information is as follows:
Linux system version: Ubuntu 22.04.3 LTS
OpenLDAP version: 2.6.6
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
The certificate settings in slapd.ldif are configured as follows:
olcTLSCACertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/cacert.pem
olcTLSCertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/slapd01-server.pem
olcTLSCertificateKeyFile: /usr/local/openldap-2.6.6/cert/demoCA/private/slapd01-server-key.pem
The server is started as follows:
slapd -4 -F /usr/local/openldap-2.6.6/etc/openldap/slapd.d -h ldap:/// ldaps:/// ldapi:///
The certificate setting in the client's ldap.conf is configured as follows:
TLS_CACERT /usr/local/openldap-2.6.6/cert/demoCA/newcerts/
#######################################################################################################
Local test on the server failed:
ldapwhoami -H ldaps://slapd.zxactions.com -d 1
The failure output is as follows:
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# ldapwhoami -H ldaps://slapd.zxactions.com -d 1
ldap_url_parse_ext(ldaps://slapd.zxactions.com)
ldap_create
ldap_url_parse_ext(ldaps://slapd.zxactions.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP slapd.zxactions.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.174.128:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:0A000410:SSL routines::sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
additional info: error:0A000410:SSL routines::sslv3 alert handshake failure
#######################################################################################################
Testing with the openssl tool also failed:
openssl s_client -connect slapd.zxactions.com:636 -debug
The failure output is as follows:
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# openssl s_client -connect slapd.zxactions.com:636 -debug
CONNECTED(00000003)
write to 0x556ccbdb5c40 [0x556ccbdc5b30] (321 bytes => 321 (0x141))
0000 - 16 03 01 01 3c 01 00 01-38 03 03 1a eb eb eb ad ....<...8.......
0010 - 52 f0 12 36 b2 cd ad 9c-6f c9 de 67 54 13 e3 47 R..6....o..gT..G
0020 - 23 ac 44 5c d9 51 2f d4-a5 0b cf 20 e6 f9 c1 6c #.D\.Q/.... ...l
0030 - e5 ce 18 9c ea f1 d6 67-a2 1f 71 3c 78 d4 c6 fb .......g..q<x...
0040 - 25 23 98 bd 38 90 1f 8c-13 94 b1 00 00 3e 13 02 %#..8........>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b1 ...=.<.5./......
0090 - 00 00 00 18 00 16 00 00-13 73 6c 61 70 64 2e 7a .........slapd.z
00a0 - 78 61 63 74 69 6f 6e 73-2e 63 6f 6d 00 0b 00 04 xactions.com....
00b0 - 03 00 01 02 00 0a 00 16-00 14 00 1d 00 17 00 1e ................
00c0 - 00 19 00 18 01 00 01 01-01 02 01 03 01 04 00 23 ...............#
00d0 - 00 00 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28 .............*.(
00e0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b ................
00f0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01 ................
0100 - 03 02 04 02 05 02 06 02-00 2b 00 05 04 03 04 03 .........+......
0110 - 03 00 2d 00 02 01 01 00-33 00 26 00 24 00 1d 00 ..-.....3.&.$...
0120 - 20 92 75 81 9c 09 28 95-68 b4 eb b1 9e 2c d5 9b .u...(.h....,..
0130 - e3 99 13 36 68 87 b5 72-4d d6 3e 60 0f 47 50 db ...6h..rM.>`.GP.
0140 - 15 .
read from 0x556ccbdb5c40 [0x556ccbdbc913] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
read from 0x556ccbdb5c40 [0x556ccbdbc918] (2 bytes => 2 (0x2))
0000 - 02 28 .(
800B77514E7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x556ccbdb5c40 [0x556ccbd0d650] (8192 bytes => 0)
*************************************************************************************************************************************
I can access it using ldap on port 389:
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# ldapsearch -x -D "cn=Manager,dc=my-domain,dc=com" -H ldap://slapd.zxactions.com -w 123456 -b "dc=my-domain,dc=com" -d 256
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
o: www.zxactions.com
objectClass: dcObject
objectClass: organization
# copy of my-domain, my-domain.com
dn: ou=copy of my-domain,dc=my-domain,dc=com
ou: copy of my-domain
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2