ldapsearch fails if no CA certificate is available

Solution Unverified - Updated -

Issue

  • With the latest openldap in RHEL 6.1, ldapsearch and similar tools fail to contact the LDAP server if there are no certificates in the /etc/openldap/cacerts directory.
  • ldapsearch fails if the cacertdir (TLS_CACERTDIR) directory does not contain any CA certs, does not exist, etc., even if 'TLS_REQCERT' is set to "never".

The same command works in previous versions of openldap (openldap-2.4.19-15.el6_0.2 or older) if the option "LDAPTLS_REQCERT never" is set in the /etc/openldap/ldap.conf file.

# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://hostname:port -s base -b ""
ldap_connect_to_host: Trying 10.65.210.164:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts
prefix  - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
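The conditions the article describes (a TLS_CACERTDIR that is missing or empty, and TLS_REQCERT set to "never") can be checked from the client's ldap.conf before running ldapsearch over ldaps://. This is an added example, not code from the article or from Red Hat; it assumes ldap.conf "OPTION value" syntax, the defaults named in its header comment, and a constructed config file when tested.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: check the conditions the
# article describes before running ldapsearch over ldaps://. Assumed defaults:
# conf /etc/openldap/ldap.conf, cacertdir /etc/openldap/cacerts (as in the
# article's output), TLS_REQCERT "demand"; LDAPTLS_REQCERT in the environment
# overrides ldap.conf.

# Last value set for option $2 in ldap.conf-style file $1
# ("OPTION value" per line, '#' comments, option names case-insensitive).
ldap_conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { if (v != "") print v }' "$1"
}

# 0 = directory holds at least one regular file (PEM CA certs or an NSS db),
# 1 = directory does not exist, 2 = directory exists but is empty.
check_tls_cacertdir() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 2
}

# Effective TLS_REQCERT: environment, then ldap.conf, then default "demand".
effective_reqcert() {
    if [ -n "${LDAPTLS_REQCERT:-}" ]; then printf '%s\n' "$LDAPTLS_REQCERT"; return; fi
    v=$(ldap_conf_value "$1" TLS_REQCERT)
    printf '%s\n' "${v:-demand}"
}

report() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    dir=$(ldap_conf_value "$1" TLS_CACERTDIR); dir="${dir:-/etc/openldap/cacerts}"
    rc=0; check_tls_cacertdir "$dir" || rc=$?
    case $rc in
        0) echo "ok: TLS_CACERTDIR $dir contains files" ;;
        1) echo "problem: TLS_CACERTDIR $dir does not exist" ;;
        2) echo "problem: TLS_CACERTDIR $dir is empty" ;;
    esac
    req=$(effective_reqcert "$1")
    echo "effective TLS_REQCERT: $req"
    # 'never' disables server certificate verification; on openldap-2.4.23-15.el6
    # it also does not avoid the cacertdir failure shown in the article.
    [ "$req" = never ] && echo "warning: server certificate verification is disabled"
    return 0
}

# Stand-alone use: sh check_ldap_tls.sh /etc/openldap/ldap.conf
if [ $# -gt 0 ]; then report "$1"; fi
```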

Environment

  • Red Hat Enterprise Linux 6.1
  • openldap-2.4.23-15.el6
