ldapsearch failing to connect over tls/ssl to a server from a client

ram300188 · 02-03-2020, 02:46 AM

Hi ,

I have installed openldap and trying to do a search on the server using below command.

Command:
ldapsearch -v -h ***.*****.com -p 2636 -b dc=ent,dc=***,dc=***,dc=corp –LLL –s sub -U "(samaccountname=*****)" samaccountname ***-AccountingUnit -D '****' -w '*****' -d-8

Error:
ldap_initialize( ldap://vds.wellsfargo.com:2636 )
ber_dump: buf=0x55b320ec6810 ptr=0x55b320ec6810 end=0x55b320ec6850 len=64
0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ber_dump: buf=0x55b320ec6810 ptr=0x55b320ec6815 end=0x55b320ec6850 len=59
0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9..............
0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass
0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS
0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ber_get_next failed.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Please help to resolve this.

I have extracted the certificate using below command
/usr/bin/openssl s_client -showcerts -connect ***.*****.com:2636

and placed it in
/etc/openldap/certs path

TB0ne · 02-03-2020, 06:58 AM

Quote:

Originally Posted by ram300188

Hi ,
I have installed openldap and trying to do a search on the server using below command.

Code:

ldapsearch -v -h ***.*****.com -p 2636 -b dc=ent,dc=***,dc=***,dc=corp –LLL –s sub -U  "(samaccountname=*****)" samaccountname ***-AccountingUnit -D '****' -w '*****' -d-8

Code:

Error:
ldap_initialize( ldap://vds.wellsfargo.com:2636 )
ber_dump: buf=0x55b320ec6810 ptr=0x55b320ec6810 end=0x55b320ec6850 len=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ber_dump: buf=0x55b320ec6810 ptr=0x55b320ec6815 end=0x55b320ec6850 len=59
  0000:  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00   c9..............
  0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61 73 73   .....objectclass
  0020:  30 19 04 17 73 75 70 70  6f 72 74 65 64 53 41 53   0...supportedSAS
  0030:  4c 4d 65 63 68 61 6e 69  73 6d 73                  LMechanisms
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ber_get_next failed.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Please help to resolve this. I have extracted the certificate using below command
/usr/bin/openssl s_client -showcerts -connect ***.*****.com:2636

and placed it in
/etc/openldap/certs path

Read the "Question Guidelines" link in my posting signature. You don't tell us what version/distro of Linux you're using, or give any details about your environment. Further, we are NOT tech-support for you...we are happy to help, but don't tell us to resolve your problems.

Past that, you are specifying the -U flag...is that correct? Can it work without specifying the user? And why, exactly, are you using the name of a well-known major bank in your query?? Seems rather suspicious.