LinuxQuestions.org
Old 06-08-2016, 11:41 AM   #1
RHEL_inux
LQ Newbie
 
Registered: Jun 2016
Posts: 2

Rep: Reputation: Disabled
openldap on SSL fails ldapsearch


Hello All,

I have an openldap server installation. While querying with ldaps it fails.

ldapsearch -d 1 -v -H ldaps://localhost

Following is the output:
ldap_url_parse_ext(ldaps://localhost)
ldap_initialize( ldaps://localhost:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/pki/tls/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/pki/tls/certs/', error -8018:Unknown PKCS #11 error.
TLS: skipping .......crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping ......
TLS: skipping ......
TLS: loaded CA certificate file /etc/pki/tls/certs//a94d09e5.0 from CA certificate directory /etc/pki/tls/certs/.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: TLS error -5938:Encountered end of file

If queried without verbose then:
ldapsearch -H ldaps://localhost
Following is the output:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: TLS error -5938:Encountered end of file

I would request urgent help, please.
 
Old 06-08-2016, 11:58 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by RHEL_inux View Post
[post #1 quoted in full]
First, this is a volunteer forum. Asking for/expecting 'urgent' help is fairly rude. Secondly, you don't provide any details past the error message you posted...such as version/distro of Linux, has this EVER worked, is this a new problem, did you just upgrade, etc.

Had you tried putting the error into Google (since you need "an urgent help"), you'd see suggestions. What are the permissions/ownership on the cert files/keys/directories? Is LDAP actually RUNNING??? Did you verify the service started???
 
Old 06-08-2016, 02:08 PM   #3
RHEL_inux
LQ Newbie
 
Registered: Jun 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thank you TB0ne for your response.

It is RHEL6. I did try Google first before putting up the post and went through at least 20-25 links. I would have kept on trying Google but now it is just repeating similar steps that I have already tried. Permissions are implemented as per documentation available online. To make sure permission isn't the issue, I tried full permission but it still failed with the error below. LDAP is running. Also, if I do ldapsearch on LDAP://localhost, it works fine.
 
Old 06-09-2016, 09:30 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by RHEL_inux View Post
Thank you TB0ne for your response.

It is RHEL6. I did try google first before putting the post and gone through atleast 20-25 links. I would have kept on trying google but now it is just repeating similar steps that I have already tried.
Sorry, but I find a LOT that references your specific error, and most all of them indicate either a permissions error, or an error in the certificate.
Quote:
Permissions are implemented as per documentation available online. To make sure permission isn't the issue, I tried full permission but it still failed with below error.
...and 'full permission' is a bad thing WHEN YOU ARE DEALING WITH A SECURITY CERTIFICATE. Things tend to break when you do that...again, you were asked what the permissions were on that file/directory, but don't post them.
Quote:
LDAP is running. Also, if I do ldapsearch on LDAP://localhost, it works fine.
...which takes us back to "bad permissions or bad certificate", which is exactly what the error you posted says. Did you follow the RHEL 6 LDAP installation guide, which tells you how to do this? Since you're using RHEL, you have access to support...you are PAYING FOR RHEL, RIGHT???

You did see the part about SSL *NOT* being used on RHEL 6 LDAP, RIGHT???
Quote:
Originally Posted by RHEL Documentation
The OpenLDAP suite in Red Hat Enterprise Linux 6 no longer uses OpenSSL. Instead, it uses the Mozilla implementation of Network Security Services (NSS). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database
https://access.redhat.com/documentat...y_Servers.html

I suggest you contact Red Hat support and ask for assistance.
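As an added example (not code from the thread, from OpenLDAP or from Red Hat), here is a shell triage script that reads the "ldapsearch -d 1" output quoted in post #1 and separates the three stages that output actually shows: the TCP connect, the client-side CA loading done by the NSS-backed libldap, and the TLS handshake itself. The sample log embedded in it is constructed from the messages in post #1 (with the elided file name replaced by a placeholder ca.crt); the directory /etc/pki/tls/certs/ and the server-side settings named in its advice (SLAPD_LDAPS in /etc/sysconfig/ldap, olcTLSCertificateFile/olcTLSCertificateKeyFile in cn=config) are assumptions about a RHEL 6 style host and should be checked against your own configuration.

```shell
#!/bin/sh
# Triage helper for the output of "ldapsearch -d 1 -H ldaps://host" on an
# OpenLDAP client built against Mozilla NSS (as on RHEL 6). Added example,
# not code from the thread; the sample log is constructed from the messages
# quoted in post #1 and the paths/settings it mentions are assumptions.

# Write a constructed sample of the client debug output to $1.
write_sample_debug() {
    cat > "$1" <<'EOF'
ldap_connect_to_host: Trying 127.0.0.1:636
connect success
TLS: certdb config: configDir='/etc/pki/tls/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/pki/tls/certs/', error -8018:Unknown PKCS #11 error.
TLS: skipping ca.crt - filename does not have expected format (certificate hash with numeric suffix)
TLS: loaded CA certificate file /etc/pki/tls/certs//a94d09e5.0 from CA certificate directory /etc/pki/tls/certs/.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
EOF
}

# classify_ldap_tls_debug FILE
# Prints one finding per line. Returns 0 if the handshake completed,
# 1 if the peer closed the connection mid-handshake (NSS -5938),
# 2 if the client never loaded any CA certificate, 3 if TCP connect failed.
classify_ldap_tls_debug() {
    f=$1
    if ! grep -q '^connect success' "$f"; then
        echo "TCP: connect to port 636 failed; is slapd listening on ldaps:///?"
        return 3
    fi
    echo "TCP: connect succeeded, so the failure is inside the TLS layer"

    # NSS first tries to open TLS_CACERTDIR as a cert/key database; -8018
    # only says it is not one, and libldap then falls back to PEM files.
    if grep -q 'cannot open certdb.*-8018' "$f"; then
        echo "NSS: TLS_CACERTDIR is not an NSS certdb (-8018); PEM fallback in use, harmless by itself"
    fi
    # In that fallback only files named <hash>.N are loaded from the directory.
    skipped=$(grep -c 'TLS: skipping .* - filename does not have expected format' "$f" || true)
    if [ "$skipped" -gt 0 ]; then
        echo "CA dir: $skipped file(s) ignored because not named <hash>.N (run c_rehash or add a hash symlink)"
    fi
    if ! grep -q 'TLS: loaded CA certificate file' "$f"; then
        echo "CA: no CA certificate loaded; the server certificate cannot be verified"
        return 2
    fi
    echo "CA: at least one CA certificate loaded on the client side"

    if grep -q 'TLS error -5938' "$f"; then
        echo "Handshake: peer closed the connection (-5938, end of file); check that slapd really serves TLS on 636 (SLAPD_LDAPS=yes, olcTLSCertificateFile/olcTLSCertificateKeyFile) and read the slapd log"
        return 1
    fi
    echo "Handshake: completed"
    return 0
}

# Live checks against a real host; not exercised by the sample run below.
ldaps_live_checks() {
    host=${1:-localhost}; port=${2:-636}
    # Does the port answer, and does whatever answers speak TLS at all?
    echo | openssl s_client -connect "$host:$port" 2>&1 | grep -E 'CONNECTED|Verify return|errno|Certificate chain'
    # Only hash-named entries in the CA directory are used by the NSS client.
    ls -l /etc/pki/tls/certs/ | grep -E '\.[0-9]+$'
}

if [ "${1:-}" = "--live" ]; then
    ldaps_live_checks "${2:-localhost}" "${3:-636}"
else
    tmp=$(mktemp)
    write_sample_debug "$tmp"
    rc=0
    classify_ldap_tls_debug "$tmp" || rc=$?
    echo "classification code: $rc"
    rm -f "$tmp"
fi
```

Read top down, the sample output answers the questions raised in the thread in order: "connect success" means something is listening on 636, so the "is LDAP running" question is settled; the -8018 line is NSS reporting that the configured TLS_CACERTDIR is a plain PEM directory rather than an NSS certdb, after which libldap loads only hash-named files, so a CA dropped in as ca.crt is silently skipped until it gets a <hash>.0 link; and -5938 "Encountered end of file" is the peer closing the socket during the handshake, which points at the server's own TLS configuration (or the permissions of its certificate and key, as post #2 asked) rather than the client's. Run it with --live host port on the actual box to perform the openssl and directory checks.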
 
  

