Hi Howard
Thanks very much for the reply and the suggestion. Here is the output of an
ldapsearch command that completes successfully when I omit '-H ldaps://ldpdd042.hop.lab.emc.com:636':
ldpdd042:~ # ldapsearch -d -1 -x -b 'dc=example,dc=com' '(objectclass=*)' -H ldaps://ldpdd042.hop.lab.emc.com:636
ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldpdd042.hop.lab.emc.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.247.229.42:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=334, written=334
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=0
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldpdd042:~ #
Here's what was written to /var/log/messages:
2023-05-11T16:04:32.584581-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 ACCEPT from IP=10.247.229.42:47346 (IP=0.0.0.0:636)
2023-05-11T16:04:32.594205-04:00 ldpdd042 slapd[21376]: connection_get(12)
2023-05-11T16:04:32.594295-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 closed (TLS negotiation failure)
I'm using a self-signed server certificate, so no CA should be involved. Not
sure if that is causing the problem?
Thanks!
tl
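As an added example that is not part of this thread: a small correlator for the slapd syslog lines quoted above, which pairs each "conn=N fd=M ACCEPT" with its "closed" line and reports connections the server dropped with "TLS negotiation failure", so repeated handshake failures against the ldaps listener can be spotted in /var/log/messages. The sample log text is constructed to match the quoted format; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in the post (not real log data).
SAMPLE_LOG = """\
2023-05-11T16:04:32.584581-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 ACCEPT from IP=10.247.229.42:47346 (IP=0.0.0.0:636)
2023-05-11T16:04:32.594205-04:00 ldpdd042 slapd[21376]: connection_get(12)
2023-05-11T16:04:32.594295-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 closed (TLS negotiation failure)
2023-05-11T16:05:01.000000-04:00 ldpdd042 slapd[21376]: conn=1001 fd=13 ACCEPT from IP=10.247.229.42:47350 (IP=0.0.0.0:636)
2023-05-11T16:05:01.100000-04:00 ldpdd042 slapd[21376]: conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
2023-05-11T16:05:01.200000-04:00 ldpdd042 slapd[21376]: conn=1001 fd=13 closed
"""

PREFIX = r"^(?P<ts>\S+) \S+ slapd\[\d+\]: "
# Client address is matched non-greedily so bracketed IPv6 forms like [::1]:636 also parse.
ACCEPT_RE = re.compile(PREFIX + r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<client>\S+?):(?P<port>\d+) \(IP=(?P<listener>\S+)\)")
TLS_OK_RE = re.compile(PREFIX + r"conn=(?P<conn>\d+) fd=\d+ TLS established")
CLOSED_RE = re.compile(PREFIX + r"conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?\s*$")


def tls_failures(log_text):
    """Return one record per connection that slapd closed with a TLS negotiation failure."""
    accepts = {}      # conn id -> ACCEPT fields, until the matching 'closed' line arrives
    failures = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            accepts[m["conn"]] = m.groupdict()
            continue
        m = CLOSED_RE.match(line)
        if not m:
            continue                      # connection_get, TLS established, ops, etc.
        acc = accepts.pop(m["conn"], None)
        reason = m["reason"] or ""
        if acc is not None and "TLS negotiation failure" in reason:
            failures.append({"conn": m["conn"], "client": acc["client"],
                             "listener": acc["listener"], "accepted": acc["ts"],
                             "closed": m["ts"], "reason": reason})
    return failures


def failures_by_client(log_text):
    """Count TLS negotiation failures per client address, e.g. to spot a misconfigured host."""
    return dict(Counter(f["client"] for f in tls_failures(log_text)))


if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f"conn={f['conn']} from {f['client']} on {f['listener']}: {f['reason']}")
    print(failures_by_client(SAMPLE_LOG))
```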