
Re: ldapsearch over SSL can not bind



Dieter Klünter wrote:
Am Mon, 2 Nov 2015 17:28:06 +0100
schrieb Matthias Apitz <guru@unixarea.de>:


Hello,

I'm trying to run an ldapsearch from FreeBSD against some Novell eDirectory
with the following command:

$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D
[...]

Quite obviously, you initiated startTLS AND ldaps. To my knowledge,
eDirectory does not support startTLS, so just omit -Z.

No, that's not the problem. Note that with a single -Z, ldapsearch will proceed even if the server doesn't support startTLS.

The problem here is that he hasn't configured the local LDAP clients to trust the remote server's certificates.

$ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

The error message is quite explicit - "certificate verify failed" - this obviously means that it started a TLS handshake, which obviously makes your focus on -Z completely off base.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
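The fix Howard Chu names above (make the local LDAP client trust the server's chain, and stop passing -Z to an ldaps:// URL) is worked through below as an added shell example. It is not code from this thread, from Howard Chu or from the OpenLDAP project. It assumes the host and port from the original command (romega:1027), that `openssl` and `ldapsearch` are installed, and that the trust anchor should live in `~/.ldap/romega-ca.pem` and be referenced from `~/.ldaprc`; those paths and the bind DN placeholders are illustrative. The network steps only run when the script is invoked with `--run`, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread: make ldapsearch trust the
# eDirectory server's certificate chain instead of silencing verification.
# Host/port are taken from the thread; file locations are assumptions.
set -eu

LDAP_HOST=${LDAP_HOST:-romega}
LDAP_PORT=${LDAP_PORT:-1027}
CA_FILE=${CA_FILE:-${HOME:-.}/.ldap/romega-ca.pem}

# Dump every PEM certificate the server sends during the handshake into $3.
# The first block is the leaf; the last is the top of the chain the server
# presents, which in the thread was a self-signed certificate the client
# had no trust anchor for.
fetch_server_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' > "$3"
}

# Print the first PEM block (the server's own certificate) from a chain file.
first_cert_in_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1"
}

# Print the last PEM block (the top of the presented chain) from a chain file.
last_cert_in_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
        inblk { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
        END { printf "%s", last }
    ' "$1"
}

# Write a per-user OpenLDAP client config ($1) pointing at the CA file ($2).
# TLS_REQCERT demand is the default; it is spelled out so nobody "fixes" the
# verify error by downgrading it to never/allow, which disables verification.
write_ldaprc() {
    cat > "$1" <<EOF
# Trust anchor for the eDirectory server's chain (extracted with openssl s_client).
TLS_CACERT $2
# Fail the connection unless the server certificate verifies against it.
TLS_REQCERT demand
EOF
}

# The real procedure; skipped unless invoked with --run so the functions
# above can be sourced or tested without network access.
if [ "${1:-}" = "--run" ]; then
    chain=$(mktemp); leaf=$(mktemp)
    mkdir -p "$(dirname "$CA_FILE")"

    fetch_server_chain "$LDAP_HOST" "$LDAP_PORT" "$chain"
    first_cert_in_chain "$chain" > "$leaf"
    last_cert_in_chain "$chain" > "$CA_FILE"

    # Inspect the candidate anchor: for a self-signed root, subject == issuer.
    # Confirm its fingerprint out of band before trusting it; this step only
    # checks that the presented chain is internally consistent.
    openssl x509 -in "$CA_FILE" -noout -subject -issuer -fingerprint -sha256
    openssl verify -CAfile "$CA_FILE" -untrusted "$chain" "$leaf"

    write_ldaprc "${HOME:-.}/.ldaprc" "$CA_FILE"

    # ldaps:// already negotiates TLS on connect, so no -Z (and no -ZZ).
    # -W prompts for the bind password instead of leaving it in the shell history.
    ldapsearch -H "ldaps://$LDAP_HOST:$LDAP_PORT" -b 'ou=person,o=uni' \
        -D 'cn=XXXXXXXXXX,ou=service,o=uni' -W

    rm -f "$chain" "$leaf"
fi
```

If the server's chain ends in an intermediate rather than a self-signed root, `openssl verify` will still fail after this script runs; in that case obtain the organisation's root CA certificate out of band and point TLS_CACERT at that instead of at whatever the server happened to send. With the trust anchor in place the original command also works unchanged apart from dropping -Z; the error in the thread was a verification failure, not a startTLS one, which is why changing -Z alone could not cure it.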