mudit_gupta Trusted Contributor.

ldap_start_tls: Connect error (-11)

Hi All,

I am currently using an ldapsearch command that is not secure (or that uses a non-secure port). Here's the format of the ldapsearch command I am using (and it's currently working):

ldapsearch -x -h $ldapHostname -D $userName -w $pswd -b $srchBase -s sub $fltr $attrList


But I am not able to run ldapsearch securely. For example, below is the format I am trying to run:

ldapsearch -x -ZZ -h "<<LDAPHostName>>" -D "<<BindDN>>" -w "<<Password>>" -b "<<SearchBase>>" -s sub $fltr $attrList

But I am getting the error below for it:

ldap_start_tls: Connect error (-11)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

Or:

ldapsearch -x -ZZ -H "<<LDAPHostName:Portnumber>>" -D "<<BindDN>>" -w "<<password>>" -b "<<SearchBase>>" -s sub $fltr $attrList


But I am getting the error:

ldap_start_tls: Can't contact LDAP server (-1)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).


It looks like the issue is related to a missing certificate.

Please advise on this.

Micro Focus Expert

Re: ldap_start_tls: Connect error (-11)

You need to set up the trust store used by ldapsearch to include the root CA certificate for the server you are connecting to.

See man ldap.conf for the TLS_* options.

--
Norbert
mudit_gupta Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Norbert,

Thank you for the suggestion.

Are you suggesting that I should create a CA cert from iManager and put it in the Java truststore path or some other path?
Please correct me if I am wrong, or kindly advise if I need to do something else.

Thanks
Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

The appropriate way would be to follow Norbert's suggestion. As a quick shot (e.g. in a lab environment) you'll likely succeed by placing

TLS_REQCERT allow

in your ldap.conf.

mudit_gupta Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Mathias,

Thank you for the suggestion.
Under the path /etc/openldap/ldap.conf I can see:

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#TLS_REQCERT allow

So I have removed the hash in front of TLS_REQCERT and made it:
TLS_REQCERT allow

But I am still getting the same error. Can you please advise?
Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

Do you really see this one?

additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).

What exactly do you specify with the "-H" parameter? If you have something like "ldaps://xx.xx.xx.xx:636" it would likely fail in conjunction with the "-ZZ" statement, as SSL and STARTTLS wouldn't work together.

You can also try

TLS_REQCERT never

and

TLS_CHECKPEER no

Which OS are you running?

mudit_gupta Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Mathias,

Here are the commands that I have tried to run and the errors I get:

Command 1:

ldapsearch -x -H "ldaps://<<Hostname>>:636" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

Getting the error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Command 2:

ldapsearch -x -ZZ -h "<<Host IP>>" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

Getting the error:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

I have also tried:

TLS_REQCERT never and TLS_CHECKPEER no, but still got the same issue.

OS: Red Hat Enterprise Linux Server release 7.4 (Maipo)

Can you kindly advise on this?
Micro Focus Expert

Re: ldap_start_tls: Connect error (-11)

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates for how to manage trusted certificates in RHEL.

Also check if the hostname you are connecting to matches the one in the server certificate. Add a "-d 1" to your ldapsearch call.

--
Norbert
Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

Is eDir running on the same box you're running the ldapsearch command from?

While I don't work too much with RedHat, I remember an issue (years ago) where settings such as TLS_REQCERT were simply ignored if the cert paths didn't exist. So you might want to check from a box with a different OS.

I've also seen an instance where the "searching" user didn't have rights to read ldap.conf (which should be world-readable but wasn't in this case).

You can always specify variables on the command line such as

LDAPTLS_REQCERT=never ldapsearch -x -ZZ -H ldap://10.xx........

Note the preceding "LDAP", which makes the config file variable "TLS_REQCERT" become "LDAPTLS_REQCERT" on the command line.

Micro Focus Contributor
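The checks Norbert and Mathias describe above (a readable ldap.conf, TLS_REQCERT and TLS_CACERT actually in effect, the LDAPTLS_* environment override, and not combining ldaps:// with -ZZ) as a small pre-flight script. This is an added example, not code from the thread or from Micro Focus; the ldap.conf samples and the ca.pem placeholder are constructed here, and TLS_REQCERT defaulting to "demand" is standard OpenLDAP behaviour.

```shell
# Effective value of a TLS_* option: LDAPTLS_* in the environment overrides
# ldap.conf, and within ldap.conf the last uncommented line wins.
ldap_opt() {
    local conf="$1" key="$2" envval
    eval "envval=\${LDAP${key}:-}"
    if [ -n "$envval" ]; then printf '%s\n' "$envval"; return 0; fi
    awk -v k="$key" '$1==k {v=$2} END {print v}' "$conf"
}

# Returns 0 when the client will really verify the server certificate,
# 1 (with a reason) when the config only hides the verification failure.
check_ldap_conf() {
    local conf="$1" reqcert cacert
    if [ ! -r "$conf" ]; then echo "FAIL: $conf is not readable by $(id -un)"; return 1; fi
    reqcert=$(ldap_opt "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_opt "$conf" TLS_CACERT)
    case "${reqcert:-demand}" in
        never|allow) echo "FAIL: TLS_REQCERT=$reqcert disables certificate verification"; return 1 ;;
    esac
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT unset or unreadable ('$cacert'): expect 'unable to get issuer certificate'"
        return 1
    fi
    echo "OK: TLS_REQCERT=${reqcert:-demand}, CA bundle $cacert"
}

# Returns 0 when the URI may be combined with -ZZ (STARTTLS); ldaps:// already
# wraps the connection in TLS, so STARTTLS on top of it fails.
starttls_uri_ok() {
    case "$1" in
        ldaps://*) echo "FAIL: $1 is LDAPS; drop -ZZ or use ldap://host:389"; return 1 ;;
        ldap://*)  return 0 ;;
        *)         echo "FAIL: not an LDAP URI: $1"; return 1 ;;
    esac
}

# Constructed samples: a lab config like the one quoted in the thread, and a
# corrected one that names a CA bundle (placeholder file, not a real CA).
TMPD=$(mktemp -d)
printf 'SASL_NOCANON on\nTLS_REQCERT allow\n' > "$TMPD/ldap_lab.conf"
printf 'placeholder CA bundle\n' > "$TMPD/ca.pem"
printf 'SASL_NOCANON on\nTLS_REQCERT demand\nTLS_CACERT %s\n' "$TMPD/ca.pem" > "$TMPD/ldap_fixed.conf"
SAMPLE_LAB="$TMPD/ldap_lab.conf"
SAMPLE_FIXED="$TMPD/ldap_fixed.conf"
check_ldap_conf "$SAMPLE_LAB" || true
check_ldap_conf "$SAMPLE_FIXED"
starttls_uri_ok "ldaps://ldap.example.test:636" || true
```

Run it against your real /etc/openldap/ldap.conf as the same user that runs ldapsearch; a passing config plus an `ldap://host:389` URI with `-ZZ` is the setup in which the "unable to get issuer certificate" error should disappear without weakening verification.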

Re: ldap_start_tls: Connect error (-11)

Add '-d 5' to your ldapsearch command and report back with the full output.
