LinuxQuestions.org


dgodbey 05-31-2012 01:08 PM

Fedora 16 ldapsearch client via ssl won't work
 
I have installed Fedora 16 and yummed openldap client (ldapsearch version 2.4.26). The ldapsearch won't work for ssl, and I'm thinking that I must be missing something.

So:
This works:
ldapsearch -x -H ldap://xxxx:389 -b 'ou=xxx,dc=xxx,dc=gxxxov' "(& (givenName=firstname)(sn=lastname))"

but this:
ldapsearch -x -H ldaps://xxxx:636 -b 'ou=xxx,dc=xxx,dc=gxxxov' "(& (givenName=firstname)(sn=lastname))"

Returns ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I have an older server running Fedora 11 (ldapsearch version 2.4.15) where this works fine.

The directory server has a trusted cert, and it is not a firewall problem. Further, the newer server is running a java process (Liferay portal) that is authenticating to this very same directory over ssl.

SELinux is disabled.

What am I missing?
Thanks,
Dave

stoggy 05-31-2012 11:44 PM

Can you telnet to the host on port 636?

telnet hostname_or_IP 636


Maybe iptables is in the way? Also check that the server is listening on port 636; maybe it's on a non-standard port?


netstat -natpud | grep 636

dgodbey 06-01-2012 07:16 AM

I have an older server that has no problem authenticating to the directory. Telnet to 636, yes. I'm wondering whether, when installing Fedora 16 from media, it installed the necessary CA certs for Apache. Has that part of the installation changed?

Perhaps I should post this in an apache or openldap group? More related to openldap and apache than Fedora 16 perhaps.

acid_kewpie 06-01-2012 07:18 AM

If you really are reaching the port, I would look at the SSL conversation occurring using Wireshark.

dgodbey 06-01-2012 10:17 AM

I have found the solution. To the ldap.conf file, add this:
TLS_CACERT /etc/pki/tls/cert.pem

Fedora 16 installer ootb put that cert.pem there for me. I just needed to show openldap the way. Interesting that my older server running Fedora 11 doesn't have this entry in ldap.conf. Strange.

Happily my Apache authenticating to this directory also started working with this change, so I'm doubly happy, and earned myself an extra gin gimlet tonight!
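A small check for the fix described in this thread, added here as an example and not posted by anyone in the thread: it reads an OpenLDAP client config, finds the effective TLS_CACERT, and verifies that it names a readable PEM bundle, which is what a working ldaps:// connection needs. The sample config files and the placeholder certificate are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Check an OpenLDAP client config (ldap.conf or ~/.ldaprc) for the settings
# that decide whether ldaps:// can verify the server certificate.
# Prints a diagnostic; returns 0 when TLS_CACERT names a readable PEM file,
# 1 otherwise. Assumes POSIX sh with awk and grep; the config path is an argument.

check_ldap_tls_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Take the last directive of each kind (a later entry overrides an earlier one).
    cacert=$(awk '$1 == "TLS_CACERT" { v = $2 } END { print v }' "$conf")
    reqcert=$(awk '$1 == "TLS_REQCERT" { v = $2 } END { print v }' "$conf")
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT in $conf: ldaps:// has no trust anchor, the handshake will fail"
        return 1
    fi
    if [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "TLS_CACERT $cacert contains no PEM certificate"
        return 1
    fi
    # TLS_REQCERT defaults to demand, which is the setting you want; warn on weaker values.
    case "${reqcert:-demand}" in
        never|allow) echo "warning: TLS_REQCERT $reqcert disables server certificate verification" ;;
    esac
    echo "ok: $conf trusts CA bundle $cacert"
    return 0
}

# Constructed sample files so the check runs offline. The bundle holds a
# placeholder PEM block, not a real certificate.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$tmp/cert.pem"
printf 'BASE ou=people,dc=example,dc=com\nURI ldaps://ldap.example.com\n' > "$tmp/missing.conf"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$tmp/cert.pem" > "$tmp/fixed.conf"
printf 'TLS_CACERT %s\nTLS_REQCERT never\n' "$tmp/cert.pem" > "$tmp/weak.conf"

for f in "$tmp/missing.conf" "$tmp/weak.conf" "$tmp/fixed.conf"; do
    check_ldap_tls_conf "$f" || echo "(check failed for $f)"
done
```

On a real host, run it against /etc/openldap/ldap.conf; a missing TLS_CACERT is the condition the thread ended up fixing.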
