LDAP TLS Connection Success but server faid

by Axel Gocan   Last Updated July 12, 2019 13:00 PM - source

I have some problem with LDAP over SSL. I generate certificates for server and cient. There are verify wit hno problem:

openssl s_client -connect odps03:636 -showcerts -state -CAfile /etc/ssl/certs/cacert.pem
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=1 CN = Example Comapny
verify return:1
depth=0 CN = odps03, O = Example Comapny
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS write finished
SSL_connect:SSLv3/TLS read change cipher spec
SSL_connect:SSLv3/TLS read finished
---
Certificate chain
 0 s:CN = odps03, O = Example Comapny
   i:CN = Example Comapny
-----BEGIN CERTIFICATE-----
MIIDZDCCAcygAwIBAgIMXSR3ljZZEpjKqMTvMA0GCSqGSIb3DQEBCwUAMC8xLTAr
BgNVBAMTJFBHTmlHIE9EIE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjAeFw0x
OTA3MDkxMTE2MzhaFw0yMDA3MDgxMTE2MzhaMD0xDzANBgNVBAMTBm9kcHMwMzEq
MCgGA1UEChMhUEdOaUcgT2Jyb3QgRGV0YWxpY3pueSBTcC4geiBvLm8uMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/WXWNYXoTjwU5ZkNo9wjWf0OqdlkB0fat
mlX3dx167mDPRI0yF5wIjh7uj1L6DTcjVTL8+p7EYS0Bf98AumTZVVBj7k9U2QZO
zeFThoc+SmabLqd92o3nrzBOwyEigBV18MZGr3IfmUgbRy6VseqU67a9BBhcl0+3
uGmXm1P0sQIDAQABo3YwdDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFC2dY36t5OaMfplyaljU8asy
qxupMB8GA1UdIwQYMBaAFHKlhTlGegvaf5tc7ierwq2cQDXlMA0GCSqGSIb3DQEB
CwUAA4IBgQAMdXt0aeLt6KwTAsWCre855+4aS26W67Dv27jXlKpyyTR+xAS567AO
wUXoPwVDAZ+XYgmO5h8guGQcfUI9imIpPCJUQJKSu6Fsz3/hSx+w5PnK9Tk3HMMs
ZeW4WLP1n7bOp8rJS7a3pQcW3yFzpffyq5LH4MP5dAEsKEaivyaOAEfuWJ348dRo
uqpPY4FcNlLc1HYIxfixwtf8XohdkRgEIrDi/QmPGfYsm76K3eFBPIHRtFhvBnmP
kRWGxeoInUgcWgns/G/WDwB2y3Fw5zcf0KYVdDvBFagBEAFc8JAJTyAYDVputX1I
KnsUXRY5/PqXflwWQnfb8kuRcxpOHtEtQN49gPpigmH+zpt7vN2UM0skaa0Fou88
X6i/kGVU8XPxEWLdP91HGjKVlw7cxADfj+O8CMAmjxqDOxInkX4uFXJHoxBHb9LQ
8O+C4WhGTvt66VQDxOXZ+wVCrS2TK0Ug8xKmaTpBQAhlCcNWMWoyW7EorbFxJedo
KrsPfZiWmHU=
-----END CERTIFICATE-----
 1 s:CN = Example Comapny
   i:CN = Example Comapny
-----BEGIN CERTIFICATE-----
MIIEJzCCAo+gAwIBAgIMW/Z8+RnPzxfpb3SDMA0GCSqGSIb3DQEBCwUAMC8xLTAr
BgNVBAMTJFBHTmlHIE9EIE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjAeFw0x
ODExMjIwOTU1MDVaFw0xOTExMjIwOTU1MDVaMC8xLTArBgNVBAMTJFBHTmlHIE9E
IE9icm90IERldGFsaWN6bnkgU3AuIHogby5vLjCCAaIwDQYJKoZIhvcNAQEBBQAD
ggGPADCCAYoCggGBANypN6Uq9ol8MULj0ErS1Pii8/GLTUcjXJW6zaS/VTl7dUiG
dl+am2IQSozVIIfnvtoSrCIjebQm2PcW82Cprq9vz7p4rivHO2HQ3WjvSDmXBI1G
7tFe4xnrZYOscvoaf4IRc0okOQgI8h2B9rJWyppB6qFW55QRUStvhrW7EgVqWrWF
5NCtBMG2ThjO3nXOWbv8ApXklp3lW/JU1yf7H+XvHgjLs48QUyrsFElCS+Ve0Kve
lSYaZccqhGbLGROTPO02boiIoT7kfMPykjV/h9B9oxAUw4lP1degk74k/MVML68U
OBbY8uaO6SktxvLVQhmnk/u7jmF2qdMNy7H0magjEies/ctqd+QV7OP3rUxpAQsO
K/PtWqtqiSt/ppeMbAvSzR5wsv1W0z1rW/EZHzaNKU5XkWfhJ9apeCRRR3niExk/
d57F1PofgK5ZsV6TOx9kfdVBlVtxroRoKEa7fCTKFq5XtX617W7sbuE3LpUtsdcN
ifYJ1RU/Ta2/SGQWOQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB
/wQFAwMHBAAwHQYDVR0OBBYEFHKlhTlGegvaf5tc7ierwq2cQDXlMA0GCSqGSIb3
DQEBCwUAA4IBgQBy0fuBros12hM/16tlyqMXWQp9yeZ7rBCVXR1Rr9NVhLOK2Pny
29LHrcXMxcWTtgqrmmozgxLPZ0rNwNQtBO3KF1plKHjD9HkQbVK26ghW0+oKb7qA
TlWvF3bqmbQg2zaECaFGkadWuNKwgbdUi3JuIsL7Zy0JJp6a2P/wqzjV2io06vqB
5yWVoiyMvakR7qKyz8VKmFobmWfHrzvXW6Igl4x9KUZCn8SbcmX7wbNqTHEt7I04
jbjkH+/PusIifi581N26Od7mW1gq37nKJl5J1Rm5IgrwRS14nzSnX7oOyUwIad67
GkE0AhHTi2FHqKru0GyH9XIPFdWt0oY3mqdJxnVJQ+m6woyNu48kV5UeIMbqZoJ3
Qzgo+XAjqMtulh7tJnyQ6NkebRpAcbQNJAl/ojIeK6wQtxh7SLrLE6dV8052Hwhz
FuxcECpGMosPyrARDplgMQWpa0iL9cgMI2nZCDDXtevqDQHIKNYOeMabRaLY0pyn
B0L3Zy0ccHc4u7o=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = odps03, O = Example Comapny

issuer=CN = Example Comapny

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2323 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F2623A750CED893A63D3342B002F4AD963198DCA19BFC9740E0C4B6FD473BAE8
    Session-ID-ctx: 
    Master-Key: B86C77D94565AC82396FAB12648AC5ACF4A0F707506C09DD7D8EE7A7D8ED61870E33E0C858A43DFCB219F78FEB388D9D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1562933947
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

But when I try connect usin ldapsearch i get a specify error:

ldapsearch -Z -H "ldaps://odps03:636" -D "cn=admin,dc=od,dc=pgnig,dc=pl" -d-1 "givenName=*"
ldap_url_parse_ext(ldaps://odps03:636)
ldap_create
ldap_url_parse_ext(ldaps://odps03:636/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP odps03:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.66.64.11:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I look ant try many way to resolve issue and nothing what google shows don't work.



Related Questions


Getting error when Integrating LDAP with Wordpress

Updated December 17, 2018 16:00 PM


DB_NOTFOUND: No matching key/data pair found (-30988)

Updated December 23, 2017 19:00 PM


how to join centos 7 to samba domain?

Updated April 30, 2018 06:00 AM