ldap_start_tls: Connect error (-11)

Hi All,

I am currently using ldapsearch command that is not secure (or using a non-secure port). Here’s the format of ldapsearch which I am using (and it's currently working):

ldapsearch -x -h $ldapHostname -D $userName -w $pswd -b $srchBase -s sub $fltr $attrList


But I am not able to run ldapsearch securely. For example, below is the format which I am trying to run:

ldapsearch -x -ZZ -h "<<LDAPHostName>>" -D "<<BindDN>>" -w "<<Password>>" -b "<<SearchBase>>" -s sub $fltr $attrList

But getting below error for the same:

ldap_start_tls: Connect error (-11)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

Or:

ldapsearch -x -ZZ -H "<<LDAPHostName:Portnumber>>" -D "<<BindDN>>" -w "<<password>>" -b "<<SearchBase>>" -s sub $fltr $attrList


But getting Error as:

ldap_start_tls: Can't contact LDAP server (-1)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).


It looks like the issue is related to missing certificate.

Please suggest on the same.

  • You need to set up the trust store used by ldapsearch to include the root CA certificate for the server you are connecting to.

    See man ldap.conf for the TLS_* options.

  • The appropriate way would be to follow Norbert's suggestion. As a quickshot (e.g. in a lab environment) you'll likely succeed by placing

    TLS_REQCERT allow

    in your ldap.conf.


  • Hi Mathias,

    Thank you for the suggestion,
    Under the path: /etc/openldap/ldap.conf I can see:

    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON on
    #TLS_REQCERT allow

    So I have removed the hash in front of TLS_REQCERT and made it:
    TLS_REQCERT allow

    But still I am getting the same error. Can you please suggest.
  • Hi Norbert,

    Thank you for the suggestion.

    Are you suggesting that I should create a CA cert from iManager and put the same in the Java truststore path or some other path?
    Please correct me if I am wrong or kindly suggest if I need to do something else.

    Thanks
  • Do you really see this one?

    additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).

    What exactly do you specify with the "-H" parameter? If you have something like "ldaps://xx.xx.xx.xx:636" it would likely fail in conjunction with the "-ZZ" statement as SSL and STARTTLS wouldn't work together.

    You can also try

    TLS_REQCERT never

    and

    TLS_CHECKPEER no

    Which OS are you running?


  • Hi Mathias,

    Here's the command that I have tried to run and get an error:

    Command 1:

    ldapsearch -x -H "ldaps://<<Hostname>>:636" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

    Getting Error as:

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    Command 2:

    ldapsearch -x -ZZ -h "<<Host IP>>" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

    Getting error as:
    ldap_start_tls: Connect error (-11)
    additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

    I have also tried :

    TLS_REQCERT never and TLS_CHECKPEER no, but still got the same issue


    OS: Red Hat Enterprise Linux Server release 7.4 (Maipo)


    Can you kindly suggest for the same.


  • See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates for how to manage trusted certificates in RHEL.

    Also check if the hostname you are connecting to matches the one in the server certificate. Add a "-d 1" to your ldapsearch call.

  • Is eDir running on the same box you're running the ldapsearch command from?

    While I don't work too much with Red Hat, I remember an issue (years ago) where settings such as TLS_REQCERT were simply ignored if the cert paths didn't exist. So you might want to check from a box with a different OS.

    I've also seen an instance where the "searching" user didn't have rights to read ldap.conf (which should be world-readable but wasn't in this case).

    You can always specify variables on the command line such as

    LDAPTLS_REQCERT=never ldapsearch -x -ZZ -H ldap://10.xx........

    Note the preceding "LDAP" which makes the config file variable "TLS_REQCERT" become "LDAPTLS_REQCERT" on the command line.


  • Add '-d 5' to your ldapsearch command and report back with the full output.

  • Hi John,


    Sorry for the late reply. Here's the output:

    ldapsearch -x -d 5 -ZZ -h "$ldapHostname" -D "cn=SVCDSCRIPT,ou=services,o=vale" -b "$srchBase" -w $pswd -s sub DN
    ldap_create
    ldap_url_parse_ext(ldap://10.**.**.21)
    ldap_extended_operation_s
    ldap_extended_operation
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP 10.**.**.21:389
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 10.**.**.21:389
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    ldap_open_defconn: successful
    ldap_send_server_request
    ber_scanf fmt ({it) ber:
    ber_scanf fmt ({) ber:
    ber_flush2: 31 bytes to sd 3
    ldap_result ld 0xd19560 msgid 1
    wait4msg ld 0xd19560 msgid 1 (infinite timeout)
    wait4msg continue ld 0xd19560 msgid 1 all 1
    ** ld 0xd19560 Connections:
    * host: 10.**.**.21 port: 389 (default)
    refcnt: 2 status: Connected
    last used: Fri Jan 31 03:06:01 2020


    ** ld 0xd19560 Outstanding Requests:
    * msgid 1, origid 1, status InProgress
    outstanding referrals 0, parent count 0
    ld 0xd19560 request count 1 (abandoned 0)
    ** ld 0xd19560 Response Queue:
    Empty
    ld 0xd19560 response count 0
    ldap_chkResponseList ld 0xd19560 msgid 1 all 1
    ldap_chkResponseList returns ld 0xd19560 NULL
    ldap_int_select
    read1msg: ld 0xd19560 msgid 1 all 1
    ber_get_next
    ber_get_next: tag 0x30 len 36 contents:
    read1msg: ld 0xd19560 msgid 1 message type extended-result
    ber_scanf fmt ({eAA) ber:
    read1msg: ld 0xd19560 0 new referrals
    read1msg: mark request completed, ld 0xd19560 msgid 1
    request done: ld 0xd19560 msgid 1
    res_errno: 0, res_error: <>, res_matched: <>
    ldap_free_request (origid 1, msgid 1)
    ldap_parse_extended_result
    ber_scanf fmt ({eAA) ber:
    ber_scanf fmt (a) ber:
    ldap_parse_result
    ber_scanf fmt ({iAA) ber:
    ber_scanf fmt (x) ber:
    ber_scanf fmt (}) ber:
    ldap_msgfree
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 1, err: 2, subject: /OU=Organizational CA/O=IDV-IAM-DEV, issuer: /O=NICI Licensed CA/CN=NICI Machine-Unique CA 11FFAD9D-6CD8DEF0B269084E6A2365D92539F144
    TLS certificate verification: Error, unable to get issuer certificate
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in error
    TLS trace: SSL_connect:error in error
    TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
    ldap_err2string
    ldap_start_tls: Connect error (-11)
    additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)
    ldap_free_connection 1 1
    ldap_send_unbind
    ber_flush2: 7 bytes to sd 3
    ldap_free_connection: actually freed


    Can you please suggest on the same.


    Regards,

    Mudit Gupta
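Taking the -d 5 trace above as input, here is an added example (written for this thread, not code from the poster or from OpenLDAP) that pulls the failing "TLS certificate verification" line out of such a trace, explains the OpenSSL error code it carries, and runs the search with the CA bundle trusted through the LDAP-prefixed environment variables instead of TLS_REQCERT never. It assumes a POSIX shell with grep, sed and cut, OpenSSL 1.1.1 or newer for the optional chain dump (-starttls ldap), and host, bind DN and CA file values supplied by you.

```shell
# Added example (not from the thread or OpenLDAP): diagnose an ldapsearch -d 5
# STARTTLS failure and fix it by trusting the CA rather than disabling checks.

# Print "depth|err|subject|issuer" for the first failing verification line of
# a trace read on stdin; err: 0 lines are successful steps and are skipped.
parse_tls_failure() {
    grep 'TLS certificate verification: depth:' | grep -v 'err: 0,' |
    sed -n 's/^.*depth: \([0-9]*\), err: \([0-9]*\), subject: \(.*\), issuer: \(.*\)$/\1|\2|\3|\4/p' |
    head -n 1
}

# Meaning of the OpenSSL X509_V_ERR code carried in that line.
explain_verify_err() {
    case "$1" in
        2)  echo "unable to get issuer certificate: the issuer of the cert at this depth is not in the client trust store" ;;
        19) echo "self-signed certificate in chain: the chain's root is not in the trust store" ;;
        20) echo "unable to get local issuer certificate: the root is not in the trust store" ;;
        62) echo "hostname mismatch: the -h/-H name must match a name in the server certificate" ;;
        *)  echo "X509 verify error $1 (see the openssl-verify man page)" ;;
    esac
}

# Dump the chain the server offers on STARTTLS (OpenSSL >= 1.1.1 for
# -starttls ldap) and list each subject/issuer to find the missing issuer.
fetch_ldap_chain() {   # $1 = host, $2 = output PEM file
    openssl s_client -connect "$1:389" -starttls ldap -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
    openssl crl2pkcs7 -nocrl -certfile "$2" | openssl pkcs7 -print_certs -noout
}

# Strict STARTTLS search with a CA bundle, via the LDAP-prefixed environment
# variables mentioned above, so /etc/openldap/ldap.conf stays untouched.
secure_ldapsearch() {  # $1 host, $2 CA PEM, $3 bind DN, $4 password, $5 base; rest = filter/attrs
    host=$1 ca=$2 binddn=$3 pw=$4 base=$5; shift 5
    LDAPTLS_CACERT="$ca" LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "ldap://$host" -D "$binddn" -w "$pw" -b "$base" -s sub "$@"
}

# Constructed sample: the verification lines from the -d 5 output in the thread.
SAMPLE_TRACE='TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 2, subject: /OU=Organizational CA/O=IDV-IAM-DEV, issuer: /O=NICI Licensed CA/CN=NICI Machine-Unique CA 11FFAD9D-6CD8DEF0B269084E6A2365D92539F144
TLS certificate verification: Error, unable to get issuer certificate'

failure=$(printf '%s\n' "$SAMPLE_TRACE" | parse_tls_failure)
code=$(printf '%s\n' "$failure" | cut -d'|' -f2)
echo "verification stopped at depth ${failure%%|*}: $(explain_verify_err "$code")"
echo "the trust store (TLS_CACERT / LDAPTLS_CACERT) needs the issuer: ${failure##*|}"
```

Once fetch_ldap_chain shows which issuer is absent, export that CA as PEM, pass it as the second argument of secure_ldapsearch, and the -ZZ search verifies the server rather than ignoring it.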