LinuxQuestions.org forum: Linux - Server
Hello All,
I have an OpenLDAP server installation. While querying with ldaps it fails.
ldapsearch -d 1 -v -H ldaps://localhost
Following is the output:
ldap_url_parse_ext(ldaps://localhost)
ldap_initialize( ldaps://localhost:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/pki/tls/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/pki/tls/certs/', error -8018:Unknown PKCS #11 error.
TLS: skipping .......crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping ......
TLS: skipping ......
TLS: loaded CA certificate file /etc/pki/tls/certs//a94d09e5.0 from CA certificate directory /etc/pki/tls/certs/.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: TLS error -5938:Encountered end of file
If queried without verbose then:
ldapsearch -H ldaps://localhost
Following is the output:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: TLS error -5938:Encountered end of file
I would request urgent help, please.
First, this is a volunteer forum. Asking for/expecting 'urgent' help is fairly rude. Secondly, you don't provide any details past the error message you posted...such as version/distro of Linux, has this EVER worked, is this a new problem, did you just upgrade, etc.
Had you tried putting the error into Google (since you need "an urgent help"), you'd see suggestions. What are the permissions/ownership on the cert files/keys/directories? Is LDAP actually RUNNING??? Did you verify the service started???
It is RHEL6. I did try Google first before putting up the post and went through at least 20-25 links. I would have kept on trying Google, but now it is just repeating similar steps that I have already tried. Permissions are implemented as per the documentation available online. To make sure permission isn't the issue, I tried full permissions, but it still failed with the error below. LDAP is running. Also, if I do ldapsearch on LDAP://localhost, it works fine.
Quote:
It is RHEL6. I did try Google first before putting up the post and went through at least 20-25 links. I would have kept on trying Google, but now it is just repeating similar steps that I have already tried.
Sorry, but I find a LOT that references your specific error, and most all of them indicate either a permissions error, or an error in the certificate.
Quote:
Permissions are implemented as per the documentation available online. To make sure permission isn't the issue, I tried full permissions, but it still failed with the error below.
...and 'full permission' is a bad thing WHEN YOU ARE DEALING WITH A SECURITY CERTIFICATE. Things tend to break when you do that...again, you were asked what the permissions were on that file/directory, but don't post them.
Quote:
LDAP is running. Also, if I do ldapsearch on LDAP://localhost, it works fine.
...which takes us back to "bad permissions or bad certificate", which is exactly what the error you posted says. Did you follow the RHEL 6 LDAP installation guide, which tells you how to do this? Since you're using RHEL, you have access to support...you are PAYING FOR RHEL, RIGHT???
You did see the part about SSL *NOT* being used on RHEL 6 LDAP, RIGHT???
Quote:
Originally Posted by RHEL Documentation
The OpenLDAP suite in Red Hat Enterprise Linux 6 no longer uses OpenSSL. Instead, it uses the Mozilla implementation of Network Security Services (NSS). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database
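As an added example, not code from any poster in this thread: a small POSIX shell helper that reads the output of an `ldapsearch -d 1 -H ldaps://...` run saved to a file, reports the stage at which it failed (TCP connect, client trust store, TLS handshake, other TLS error) and prints the checks that apply to that stage. The sample log is constructed from the lines quoted above; the RHEL 6 file names it mentions (/etc/sysconfig/ldap, /etc/openldap/ldap.conf, the olcTLS* attributes) are assumptions about the default layout, not something taken from the thread.

```shell
# Added diagnostic helper, not code from the thread. Triage an
#   ldapsearch -d 1 -H ldaps://localhost 2>ldap.log
# run by reading ldap.log and reporting the stage at which it failed.

# classify_ldap_debug FILE -> tcp | certdb | handshake_eof | tls_other | ok
classify_ldap_debug() {
    if ! grep -q 'connect success' "$1"; then
        echo tcp                 # never got a TCP socket to :636
    elif grep -q 'TLS: cannot open certdb' "$1" &&
         ! grep -q 'TLS: loaded CA certificate' "$1"; then
        echo certdb              # no NSS db and no PEM CA loaded either
    elif grep -q 'TLS error -5938' "$1"; then
        echo handshake_eof       # peer closed the socket mid-handshake
    elif grep -q "TLS: can't connect" "$1"; then
        echo tls_other
    else
        echo ok
    fi
}
# next_checks STAGE -> the checks that apply to that stage
next_checks() {
    case "$1" in
    tcp) echo 'nothing accepted on 636: is slapd running with an ldaps listener enabled?' ;;
    certdb) echo 'client trust store unusable: check TLS_CACERT/TLS_CACERTDIR in /etc/openldap/ldap.conf (assumed path) and that the calling user can read it' ;;
    handshake_eof)
        echo 'server closed the TLS handshake. The certdb warning is non-fatal here (a PEM CA was loaded), so look at the server side:'
        echo '  - RHEL 6 (assumed default layout): SLAPD_LDAPS=yes in /etc/sysconfig/ldap, then restart slapd'
        echo '  - olcTLSCertificateFile/olcTLSCertificateKeyFile set, readable by the ldap user, not world-writable'
        echo '  - openssl s_client -connect localhost:636 </dev/null  (does the server send a certificate at all?)'
        echo '  - slapd log (syslog facility local4) for the TLS error on its side' ;;
    tls_other) echo 'other TLS failure: read the TLS: lines, usually a certificate/CA mismatch' ;;
    ok) echo 'no failure detected' ;;
    esac
}
# Constructed sample: the decisive lines of the debug output quoted in the thread.
sample_debug_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
connect success
TLS: cannot open certdb '/etc/pki/tls/certs/', error -8018:Unknown PKCS #11 error.
TLS: loaded CA certificate file /etc/pki/tls/certs//a94d09e5.0 from CA certificate directory /etc/pki/tls/certs/.
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
EOF
    echo "$f"
}
log=${1:-$(sample_debug_log)}    # pass your own ldap.log, or run on the sample
stage=$(classify_ldap_debug "$log")
echo "stage: $stage"; next_checks "$stage"
```

Run it as `sh triage.sh ldap.log` against your own capture; with no argument it classifies the constructed sample, which lands on the handshake_eof case that this thread's output shows.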