Question

I've got problems connecting secure (SSL) to an IBM LDAP server using an openLDAP client.

A connection like the following, which is not using SSL works fine:

ldapsearch -h <LDAP server host name> -D <bind dn> -w ? -b <base dn> <filter>

But when I add the -Z option to use a secure LDAP connection (SSL), as shown in the following ldapsearch, an error occurs:

ldapsearch -h <LDAP server host name> -Z -D <bind dn> -w ? -b <base dn> <filter>

The error says:

ldap_simple_bind: Can't contact LDAP server
Attempted communication over SSL.
  The extended error is 116.

Here I found out that I have to add ssl start_tls to the client's configuration file (ldap.conf) to enable SSL in openLDAP: http://www.openldap.org/faq/data/cache/185.html

After reading the description above I'm not sure if the author is dealing with an openLDAP client and an openLDAP server and if this is the only change that has to be made to make the connection work.

Does anybody here know if it is possible to connect from an openLDAP client to an IBM LDAP server using an SSL connection?

Does anybody have experience with this topic?

Thanks a lot!

Solution

As far as I know, OpenSSL no longer provides CA signer certificates in its trust store (i.e., CA cert file). Therefore, you will have to configure OpenLDAP's ldapsearch through the file .ldaprc or ldap.conf to specify the location of the trust store that has the signer certificates for your LDAP server. Something like this:

TLS_CACERT /usr/ssl/certs/my.ldapserver.certs.pem
# TLS_CACERTDIR /usr/ssl/certs/
TLS_REQCERT never|allow|try|demand|hard

See

http://www.openldap.org/software/man.cgi?query=ldap.conf&format=html

http://www.openldap.org/faq/data/cache/185.html

for more details.
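The following is an added diagnostic script, not code from the original question, the answer, OpenLDAP or IBM. It works the answer's advice end to end: dump the certificate chain the server presents, put the signer CA into a TLS_CACERT file, write a client config that keeps TLS_REQCERT at demand, and then run ldapsearch in the two ways an OpenLDAP client can do TLS. In OpenLDAP's ldapsearch, -Z requests StartTLS on the plain LDAP port (389) and -ZZ makes it mandatory; an LDAPS listener on port 636 is selected with -H ldaps://host:636 and no -Z at all, so pointing -Z at a server that only listens on 636 is one way to get "Can't contact LDAP server". The host name, base DN and bind DN below are placeholders (assumed, not taken from the page); "openssl s_client -starttls ldap" needs OpenSSL 1.1.1 or newer. The network part only runs when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not from the original post, OpenLDAP or IBM): diagnose and
# fix an OpenLDAP client that fails with "Can't contact LDAP server" as soon
# as TLS is requested.
#
# Two points the script makes explicit:
#   1. -Z / -ZZ = StartTLS on port 389; LDAPS on port 636 = -H ldaps://...
#   2. The client needs the signer CA in a TLS_CACERT file with
#      TLS_REQCERT demand.  Setting TLS_REQCERT never also makes the error
#      go away, but only because certificate checking is switched off.
#
# Placeholders (assumed, not from the page):
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=reader,dc=example,dc=com}"

# Print the PEM certificate chain the server presents, either over LDAPS
# (636) or after a StartTLS handshake on 389 (needs OpenSSL >= 1.1.1).
fetch_chain() {
    host=$1; mode=$2
    if [ "$mode" = "ldaps" ]; then
        set -- -connect "$host:636"
    elif [ "$mode" = "starttls" ]; then
        set -- -connect "$host:389" -starttls ldap
    else
        echo "fetch_chain: mode must be ldaps or starttls" >&2; return 2
    fi
    openssl s_client "$@" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Write a client config ($1) that pins the trust store to the CA file ($2)
# and demands a valid server certificate.  Point LDAPCONF at it.
write_ldaprc() {
    cfg=$1; ca=$2
    printf '%s\n' \
        "# generated by the added example script" \
        "TLS_CACERT $ca" \
        "TLS_REQCERT demand" > "$cfg"
}

# Exit status 0 when the config ($1) demands certificate verification
# (demand or its alias hard), 1 when TLS_REQCERT is missing or weakened
# (never/allow/try).  Catches a "fix" that silently turned checking off.
check_reqcert() {
    lvl=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1" | tail -n 1)
    case "$lvl" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Network part: only runs as "sh thisscript.sh run".
if [ "${1:-}" = "run" ]; then
    workdir=$(mktemp -d)
    # Try StartTLS on 389 first; fall back to LDAPS on 636.
    fetch_chain "$LDAP_HOST" starttls > "$workdir/chain.pem"
    [ -s "$workdir/chain.pem" ] || fetch_chain "$LDAP_HOST" ldaps > "$workdir/chain.pem"
    # Show subject/issuer of every certificate in the chain.  Confirm the
    # signer CA out of band with the directory administrator before trusting
    # it; a chain fetched over the network is only as good as that check.
    openssl crl2pkcs7 -nocrl -certfile "$workdir/chain.pem" | openssl pkcs7 -print_certs -noout
    write_ldaprc "$workdir/ldaprc" "$workdir/chain.pem"
    check_reqcert "$workdir/ldaprc" || { echo "TLS_REQCERT is weakened, refusing" >&2; exit 1; }
    export LDAPCONF="$workdir/ldaprc"
    # StartTLS on 389, mandatory (-ZZ).  -H replaces the deprecated -h, -W
    # prompts for the password, -d 1 prints the TLS layer's reason on failure.
    ldapsearch -d 1 -H "ldap://$LDAP_HOST" -ZZ -D "$BIND_DN" -W -b "$BASE_DN" '(objectClass=*)' dn
    # If the server only offers LDAPS on 636, use ldaps:// and no -Z at all.
    ldapsearch -d 1 -H "ldaps://$LDAP_HOST:636" -D "$BIND_DN" -W -b "$BASE_DN" '(objectClass=*)' dn
fi
```

If the -d 1 output shows a TLS verification error even with the right CA file, compare the subject of the server certificate with the host name you pass in -H: OpenLDAP checks the name as part of demand, so connecting by IP or a short alias fails where the full DNS name succeeds.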

OTHER TIPS

IBM's website has a discussion of this error.

A number of possibilities, mostly server side, about keys not being in the keystore, expired, or not using port 636. So you can look at this and see if it helps you.

Licensed under: CC-BY-SA with attribution