On Mar 20, 2012, at 3:51 PM, Jon Dufresne wrote:

> Hi,
>
> I am using OpenLDAP as a client to connect to a 3rd party Oracle
> Internet Directory 10g.
>
> After recent updates, I have been unable to successfully bind with the
> LDAP server. I believe this is an error with the SSL handshake because
> the following command will not negotiate an SSL protocol:
>
> $ openssl s_client -connect HOST:636
> ...
> Failure
>
> While adding the -no_tls1 flag will:
>
> $ openssl s_client -connect HOST:636 -no_tls1
> ...
> Success
>
> When I attempt to connect to the server using ldapsearch, I receive the
> following:
>
> $ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BIND_DN" -W
> ldap_url_parse_ext(ldaps://HOST:636)
> ldap_create
> ldap_url_parse_ext(ldaps://HOST:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP HOST:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying HOST_IP:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: could not add the certificate (null) - error -8018:Unknown PKCS #11
> error..
> TLS: /etc/openldap/cacerts/addtrust-ca.crt is not a valid CA certificate
> file - error -8018:Unknown PKCS #11 error..
> TLS: could perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error
> -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> TLS: could not shutdown NSS - error -8053:NSS could not shutdown.
> Objects are still in use..
>
>
> Is there a way, either through the ldap.conf, an environment variable,
> or through the API, to ignore the TLS portion of the handshake? Am I
> mistaken and something else is wrong here?

----

With deference to the obvious security implications, does adding TLS_REQCERT allow to ldap.conf help?
Craig
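For readers trying the suggestion above, the following ldap.conf fragment is an added illustration and is not something either poster provided. It shows the secure setting next to the relaxed one Craig mentions, with the TLS_REQCERT semantics as documented in ldap.conf(5). The file location and the CA file path are assumptions for the example (the path is the one that appears in the debug output above).

```conf
# /etc/openldap/ldap.conf  (added example; location and CA path are assumed)

# Trust anchor(s) used to verify the directory server's certificate.
# TLS_CACERT names a single PEM file; TLS_CACERTDIR names a directory of them.
TLS_CACERT    /etc/openldap/cacerts/addtrust-ca.crt

# demand (the default): the server must present a certificate that verifies
# against the trust anchor above, otherwise the session is terminated and
# the bind never happens.
TLS_REQCERT   demand

# allow: the client still requests a certificate, but a missing or
# unverifiable one is ignored and the session proceeds. With "ldapsearch -x -W"
# the bind password is then sent to whatever answered on port 636, so treat
# this as a way to confirm the diagnosis, not as a production setting.
#TLS_REQCERT  allow
```

Because ldap.conf options can also be given as environment variables with an LDAP prefix, the relaxed setting can be applied to a single test run (LDAPTLS_REQCERT=allow ldapsearch ...) while the system-wide file stays at demand. Note that none of this affects the TLS 1.0 negotiation failure the -no_tls1 experiment points at; TLS_REQCERT only governs certificate verification.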
