>>> <[email protected]> wrote on 05.10.2020 at 03:22 in message <[email protected]>:
> Hi - I'm using the osixia/openldap Docker container.
>
> I've created self-signed client and server certs.
>
> I'm receiving the following error when trying to perform ldapsearch from the
> Arch Linux Docker host. Here is a summary of the error:
>
> # ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D
> "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d

I wonder: What should an SSL certificate for localhost (127.0.0.1) look like? I would not recommend including either "localhost" or "IP:127.0.0.1" in the certificate, meaning: Does it work when you connect using the official IP address from a remote host?

> ldap_url_parse_ext(ldaps://127.0.0.1:636)
> ldap_create
> ldap_url_parse_ext(ldaps://127.0.0.1:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP 127.0.0.1:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before SSL initialization
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS read server hello
> TLS certificate verification: depth: 0, err: 0, subject:
> /C=US/ST=IL/L=CH/O=domain.com/CN=openldap/[email protected],
> issuer: /C=US/ST=IL/L=CH/O=domain.com/CN=Docker OpenLDAP
> CA/[email protected]
> TLS trace: SSL_connect:SSLv3/TLS read server certificate
> TLS trace: SSL_connect:SSLv3/TLS read server key exchange
> TLS trace: SSL_connect:SSLv3/TLS read server certificate request
> TLS trace: SSL_connect:SSLv3/TLS read server done
> TLS trace: SSL_connect:SSLv3/TLS write client certificate
> TLS trace: SSL_connect:SSLv3/TLS write client key exchange
> TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
> TLS trace: SSL_connect:SSLv3/TLS write finished
> TLS trace: SSL_connect:error in SSLv3/TLS write finished
> TLS: can't connect: .
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> The server logs the error as the following:
> f7a7260 conn=1007 fd=12 ACCEPT from IP=172.18.0.1:34350 (IP=0.0.0.0:636)
> TLS: can't accept: No certificate was found..
> 5f7a7260 conn=1007 fd=12 closed (TLS negotiation failure)
>
> This error only occurs if on the server I use the following server setting:
> LDAP_TLS_VERIFY_CLIENT=try
>
> Is this possibly a permissions issue? I've verified the chain of trust for the
> client certificate upon creation. Both client and server certificates were
> signed with the same user-created CA.
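To make the replier's question concrete, here is an added example (not from the thread or from OpenLDAP) that models the server-name check a TLS client applies to the host in an `ldaps://` URL against the certificate's subjectAltName entries and subject CN. It follows the RFC 6125 rules as an assumption and is not a reproduction of libldap's own matching code; the certificate names are constructed from the subject shown in the debug trace above.

```python
"""Does the host in an ldaps:// URL match the names in the server certificate?

Assumed rules (RFC 6125 style, not libldap's exact implementation):
  * an IP-literal host matches only an iPAddress SAN entry;
  * a DNS host matches a dNSName SAN entry, with '*' allowed only as the
    whole left-most label;
  * the subject CN is consulted only when the cert has no dNSName entries.
"""
import ipaddress
from urllib.parse import urlsplit


def ldap_url_host(url: str) -> str:
    """Host part of an ldap(s) URL, e.g. '127.0.0.1' from ldaps://127.0.0.1:636."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL with a host: {url!r}")
    return parts.hostname


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; wildcard covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(san, subject_cn, host) -> bool:
    """san: list of (kind, value) tuples, kind in {'DNS', 'IP'}; subject_cn may be None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue  # malformed iPAddress entry never matches
        return False
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, host) for name in dns_names)
    return subject_cn is not None and _dns_match(subject_cn, host)


def url_matches_cert(url, san, subject_cn) -> bool:
    """Convenience wrapper: does the URL's host pass the name check for this cert?"""
    return cert_matches_host(san, subject_cn, ldap_url_host(url))
```

With the subject from the trace (CN=openldap, no SAN), `ldaps://127.0.0.1:636` fails the name check while `ldaps://openldap:636` passes, which is why connecting by the real hostname, or issuing a cert whose SAN lists the name actually used, is the usual fix.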
