Trusted Contributor.

ldap_start_tls: Connect error (-11)

Hi All,

I am currently using an ldapsearch command that is not secure (it uses a non-secure port). Here's the format of ldapsearch I am using (and it's currently working):

ldapsearch -x -h $ldapHostname -D $userName -w $pswd -b $srchBase -s sub $fltr $attrList

But I am not able to run ldapsearch securely. For example, below is the format I am trying to run:

ldapsearch -x -ZZ -h "<<LDAPHostName>>" -D "<<BindDN>>" -w "<<Password>>" -b "<<SearchBase>>" -s sub $fltr $attrList

But I get the error below:

ldap_start_tls: Connect error (-11)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

Or:

ldapsearch -x -ZZ -H "<<LDAPHostName:Portnumber>>" -D "<<BindDN>>" -w "<<password>>" -b "<<SearchBase>>" -s sub $fltr $attrList

But I get this error:

ldap_start_tls: Can't contact LDAP server (-1)

        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).

It looks like the issue is related to missing certificate.

Please suggest on the same.

14 Replies

Micro Focus Expert

Re: ldap_start_tls: Connect error (-11)

You need to set up the trust store used by ldapsearch to include the root CA certificate for the server you are connecting to.

See man ldap.conf for the TLS_* options.

--
Norbert

Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Norbert,

Thank you for the suggestion.

Are you suggesting that I should create the CA cert from iManager and put it in the Java truststore path or some other path?
Please correct me if I am wrong, or kindly suggest if I need to do something else.

Thanks

Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

The appropriate way would be to follow Norbert's suggestion. As a quickshot (e.g. in a lab environment) you'll likely succeed by placing

TLS_REQCERT allow

in your ldap.conf.

Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Mathias,

Thank you for the suggestion,
Under the path: /etc/openldap/ldap.conf I can see:

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#TLS_REQCERT allow

So I have removed the hash in front of TLS_REQCERT and made it:
TLS_REQCERT allow

But I am still getting the same error. Can you please suggest?

Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

Do you really see this one?

additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).

What exactly do you specify with the "-H" parameter? If you had something like "ldaps://xx.xx.xx.xx:636" it would likely fail in conjunction with the "-ZZ" option, as SSL and STARTTLS wouldn't work together.

You can also try

TLS_REQCERT never

and

TLS_CHECKPEER no

Which OS are you running?

Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi Mathias,

Here are the commands I have tried to run and the errors I get:

Command 1:

ldapsearch -x -H "ldaps://<<Hostname>>:636" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

Getting Error as:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Command 2:

ldapsearch -x -ZZ -h "<<Host IP>>" -D "<<Bind DN>>" -w "<<Password>>" -b "<<Search base>>" -s sub DN

Getting error as:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

I have also tried:

TLS_REQCERT never and TLS_CHECKPEER no, but still got the same issue.

OS: Red Hat Enterprise Linux Server release 7.4 (Maipo)

Can you kindly suggest for the same.

Micro Focus Expert

Re: ldap_start_tls: Connect error (-11)

See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-shared-system-certificates for how to manage trusted certificates in RHEL.

Also check if the hostname you are connecting to matches the one in the server certificate. Add a "-d 1" to your ldapsearch call.

--
Norbert

Knowledge Partner

Re: ldap_start_tls: Connect error (-11)

Is eDir running on the same box you're running the ldapsearch command from?

While I don't work too much with Red Hat, I remember an issue (years ago) where settings such as TLS_REQCERT were simply ignored if the cert paths didn't exist. So you might want to check from a box with a different OS.

I've also seen an instance where the "searching" user didn't have rights to read ldap.conf (which should be world-readable but wasn't in this case).

You can always specify variables on the command line such as

LDAPTLS_REQCERT=never ldapsearch -x -ZZ -H ldap://10.xx........

Note the preceding "LDAP", which makes the config-file variable "TLS_REQCERT" become "LDAPTLS_REQCERT" on the command line.
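
The advice in this thread boils down to three client-side knobs: TLS_CACERT (or the RHEL system bundle) for the trust store, TLS_REQCERT for how strictly the server certificate is checked, and the LDAPTLS_* environment variables that override ldap.conf on the command line. The script below is an added example written for this thread (shell, not code from any poster, from OpenLDAP or from Micro Focus). It writes three constructed ldap.conf variants into a temporary directory (the lab "quickshot" with verification off, a hardened one pointing at the RHEL CA bundle, and the file as the original poster first found it with the directive still commented out) and resolves the TLS_REQCERT value ldapsearch will actually use. The bundle path and the assumption that the eDirectory Organizational CA has already been added under /etc/pki/ca-trust/source/anchors/ are assumptions, as is the use of LDAPCONF to point ldapsearch at a specific file.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from OpenLDAP.
# Shows a lab ldap.conf beside a hardened one and resolves the TLS_REQCERT
# value ldapsearch will use: LDAPTLS_REQCERT from the environment wins,
# otherwise the last uncommented TLS_REQCERT directive, otherwise the
# OpenLDAP default "demand". Paths under $WORK are constructed for the demo;
# the real client config on RHEL 7 is /etc/openldap/ldap.conf.

unset LDAPTLS_REQCERT          # make the demo deterministic
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Lab-only config (the thread's "quickshot"): certificate checking is off.
cat > "$WORK/ldap.conf.lab" <<'EOF'
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
TLS_REQCERT never
EOF

# Hardened config: trust the system CA bundle (assumption: the eDirectory
# Organizational CA chain was placed in /etc/pki/ca-trust/source/anchors/
# and update-ca-trust has regenerated the bundle) and demand a valid cert.
cat > "$WORK/ldap.conf.hardened" <<'EOF'
SASL_NOCANON on
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
EOF

# The file as the poster first found it: directive commented out, no effect.
cat > "$WORK/ldap.conf.asfound" <<'EOF'
SASL_NOCANON on
#TLS_REQCERT allow
EOF

# effective_reqcert FILE -> prints the TLS_REQCERT value that will be used.
effective_reqcert() {
    if [ -n "${LDAPTLS_REQCERT:-}" ]; then
        printf '%s\n' "$LDAPTLS_REQCERT"
        return 0
    fi
    # Directive names are case-insensitive. A leading '#' makes $1 read
    # "#TLS_REQCERT", which does not match, so commented lines are skipped
    # just as ldap.conf skips them.
    awk 'toupper($1) == "TLS_REQCERT" { v = $2 }
         END { if (v == "") v = "demand"; print v }' "$1"
}

# classify_reqcert VALUE -> "weak" if a missing or bad server certificate is
# tolerated, "strict" if the session is refused on verification failure.
classify_reqcert() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        never|allow|try) echo weak ;;
        demand|hard)     echo strict ;;
        *)               echo unknown ;;
    esac
}

# report FILE -> one summary line for the file.
report() {
    v="$(effective_reqcert "$1")"
    printf '%s: TLS_REQCERT=%s (%s)\n' "$(basename "$1")" "$v" "$(classify_reqcert "$v")"
}

for f in "$WORK"/ldap.conf.lab "$WORK"/ldap.conf.hardened "$WORK"/ldap.conf.asfound; do
    report "$f"
done

# The command-line override from the thread, evaluated in a subshell so it
# does not leak into the rest of the script.
( LDAPTLS_REQCERT=allow; report "$WORK/ldap.conf.hardened" )

# With the hardened file in place, the STARTTLS search the thread is after
# (not run here; hostname and DNs are placeholders). Use ldap:// with -ZZ,
# name the host exactly as it appears in the server certificate, and let
# -W prompt for the password instead of passing it with -w.
#   LDAPCONF="$WORK/ldap.conf.hardened" ldapsearch -x -ZZ -H ldap://ldap.example.com \
#       -D "cn=svc,ou=services,o=example" -W -b "o=example" -s sub '(objectClass=*)' dn
```

The "asfound" case is the one that bit the original poster: a commented directive contributes nothing, so the default "demand" applied and the unknown issuer was (correctly) rejected. Once the CA chain is in the bundle, "demand" is the setting to keep; "never" and "allow" only hide the problem.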
Micro Focus Frequent Contributor

Re: ldap_start_tls: Connect error (-11)

Add '-d 5' to your ldapsearch command and report back with the full output.

Trusted Contributor.

Re: ldap_start_tls: Connect error (-11)

Hi John,

Sorry for the late reply. Here's the output:

ldapsearch -x -d 5 -ZZ -h "$ldapHostname" -D "cn=SVCDSCRIPT,ou=services,o=vale" -b "$srchBase" -w $pswd -s sub DN
ldap_create
ldap_url_parse_ext(ldap://10.**.**.21)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.**.**.21:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.**.**.21:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0xd19560 msgid 1
wait4msg ld 0xd19560 msgid 1 (infinite timeout)
wait4msg continue ld 0xd19560 msgid 1 all 1
** ld 0xd19560 Connections:
* host: 10.**.**.21 port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 31 03:06:01 2020


** ld 0xd19560 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0xd19560 request count 1 (abandoned 0)
** ld 0xd19560 Response Queue:
Empty
ld 0xd19560 response count 0
ldap_chkResponseList ld 0xd19560 msgid 1 all 1
ldap_chkResponseList returns ld 0xd19560 NULL
ldap_int_select
read1msg: ld 0xd19560 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0xd19560 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xd19560 0 new referrals
read1msg: mark request completed, ld 0xd19560 msgid 1
request done: ld 0xd19560 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 2, subject: /OU=Organizational CA/O=IDV-IAM-DEV, issuer: /O=NICI Licensed CA/CN=NICI Machine-Unique CA 11FFAD9D-6CD8DEF0B269084E6A2365D92539F144
TLS certificate verification: Error, unable to get issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Can you please suggest on the same.

Regards,

Mudit Gupta
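
The useful part of a "-d 5" trace like the one above is the "TLS certificate verification:" pair: the first line names the certificate at which chain building stopped (here depth 1, the Organizational CA) and the issuer the client could not find, and the second gives the OpenSSL verdict. The script below is an added example written for this thread (shell, not code from any poster, from OpenLDAP or from Micro Focus). It runs over a constructed excerpt of the trace posted above, with the IP masked as the poster masked it, and extracts the failing depth, the OpenSSL error number and the issuer DN whose certificate the client trust store is missing. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster or from OpenLDAP.
# Parses "ldapsearch -d 5" output and names the issuer certificate the client
# could not find, so the missing CA can be identified without reading the
# whole trace. The sample is constructed from the trace posted above.

TRACE="$(mktemp)"
trap 'rm -f "$TRACE"' EXIT
cat > "$TRACE" <<'EOF'
ldap_connect_to_host: TCP 10.**.**.21:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 2, subject: /OU=Organizational CA/O=IDV-IAM-DEV, issuer: /O=NICI Licensed CA/CN=NICI Machine-Unique CA 11FFAD9D-6CD8DEF0B269084E6A2365D92539F144
TLS certificate verification: Error, unable to get issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
ldap_start_tls: Connect error (-11)
EOF

# verify_failures FILE -> one tab-separated "depth err subject issuer" line
# for every verification record whose err is non-zero (0 = verified OK).
# The subject is taken as everything between "subject: " and ", issuer: ",
# so a comma inside a DN component does not break the split.
verify_failures() {
    awk '
        /^TLS certificate verification: depth: / {
            line = $0
            sub(/^TLS certificate verification: depth: /, "", line)
            depth = line;   sub(/,.*/, "", depth)
            sub(/^[^,]*, err: /, "", line)
            err = line;     sub(/,.*/, "", err)
            sub(/^[^,]*, subject: /, "", line)
            subject = line; sub(/, issuer: .*/, "", subject)
            issuer = line;  sub(/^.*, issuer: /, "", issuer)
            if (err != "0") printf "%s\t%s\t%s\t%s\n", depth, err, subject, issuer
        }' "$1"
}

# missing_issuer FILE -> the issuer DN from the first err=2 record.
# OpenSSL error 2 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: the certificate
# that signed the one at that depth is in neither the server's chain nor
# the client's trust store.
missing_issuer() {
    verify_failures "$1" | awk -F'\t' '$2 == "2" { print $4; exit }'
}

# diagnose FILE -> human-readable conclusion for the thread's situation.
diagnose() {
    issuer="$(missing_issuer "$1")"
    if [ -n "$issuer" ]; then
        printf 'Chain building stopped: no certificate for issuer "%s".\n' "$issuer"
        printf 'Put that CA (and any CA above it) where TLS_CACERT or TLS_CACERTDIR points, then retry with -ZZ.\n'
    else
        echo "No 'unable to get issuer certificate' failure found in trace."
    fi
}

verify_failures "$TRACE"
diagnose "$TRACE"

# To see the chain the server actually sends (so the gap can be confirmed
# from the server side), OpenSSL 1.1.1 or later can speak STARTTLS to LDAP:
#   openssl s_client -connect ldap.example.com:389 -starttls ldap -showcerts
# A name mismatch, which Norbert raised above, shows up as a different
# verification error, so the "err:" number is worth reading before the DN.
```

Against the posted trace this names /O=NICI Licensed CA/CN=NICI Machine-Unique CA ... as the certificate the client could not find. That is the eDirectory CA above the Organizational CA, so either that root or a bundle containing the full chain has to land in the trust store that ldapsearch reads; flipping TLS_REQCERT only decides whether the failure is reported or silently ignored.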
Micro Focus Frequent Contributor

Re: ldap_start_tls: Connect error (-11)

Provide the full output of "which ldapsearch". Try running the ldapsearch command like this: /usr/bin/ldapsearch ...

If the "which" command returns the novell binary, that would explain why the change made to the /etc/openldap/ldap.conf file did nothing. 
