ldapsearch Fails to Connect With LDAP Server With "TLS already started" Error

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux (All Versions)
  • Lightweight Directory Access Protocol (LDAP)
  • ldapsearch command
  • Transport Layer Security (TLS) encrypted LDAP

Issue

  • Failing to connect with error:

    [root@host ~] ldapsearch -LL -v -x -W -D "cn=admin,dc=example,dc=com" -H ldaps://localhost -ZZ "(objectclass=*)"
    ldap_initialize( ldaps://localhost:636/??base )
    ldap_start_tls: Operations error (1)
        additional info: TLS already started
    

Resolution

ldapsearch must not be started with both an ldaps:// URI and StartTLS. Use either -ZZ with a plain ldap:// URI, or an ldaps://fqdn.of.server URI without -ZZ:

  • Try secure ldap (ldaps://)

    $ ldapsearch -x -H ldaps://fqdn -b "dc=example,dc=com"
    
  • or upgrade a plain connection with StartTLS (-H takes a URI; -h takes only a hostname)

    $ ldapsearch -x -ZZ -H ldap://fqdn -b "dc=example,dc=com"


Root Cause

  • STARTTLS and SSL connections cannot be used at the same time.

  • STARTTLS is an extension to plain-text protocols that upgrades an existing plain-text connection to an encrypted (TLS or SSL) one, instead of using a separate port (636 for ldaps://) for encrypted communication. An ldaps:// connection is already encrypted from the first byte, so a StartTLS request on it is rejected with "TLS already started". The LDAP StartTLS extended operation is defined in http://tools.ietf.org/html/rfc2830
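The following wrapper is an added example, not part of the Red Hat solution: it checks an ldapsearch argument list for the ldaps:// + -Z/-ZZ combination described in the Resolution and Root Cause sections before running anything, and builds the transport options for whichever mode (ldaps or StartTLS) is wanted. The function names and the `safe_ldapsearch` wrapper are this example's own; it only recognizes standalone -Z/-ZZ flags, not combined forms such as -xZZ.

```shell
#!/bin/sh
# Added example: detect the ldaps:// + StartTLS conflict before calling ldapsearch.

# Returns 0 (true) when the arguments combine an ldaps:// URI with -Z or -ZZ,
# which is the combination that fails with "TLS already started"; 1 otherwise.
ldap_args_conflict() {
  uses_ldaps=0
  uses_starttls=0
  for arg in "$@"; do
    case "$arg" in
      ldaps://*) uses_ldaps=1 ;;
      -Z|-ZZ)    uses_starttls=1 ;;
    esac
  done
  [ "$uses_ldaps" -eq 1 ] && [ "$uses_starttls" -eq 1 ]
}

# Print the transport options for MODE (ldaps or starttls) against HOST.
# ldaps encrypts from the first byte on port 636; starttls connects in
# plain text on port 389 and upgrades, with -ZZ making a failed upgrade fatal.
ldap_transport_args() {
  mode="$1"
  host="$2"
  case "$mode" in
    ldaps)    printf '%s\n' "-H ldaps://$host:636" ;;
    starttls) printf '%s\n' "-ZZ -H ldap://$host:389" ;;
    *)        printf 'unknown mode: %s\n' "$mode" >&2; return 2 ;;
  esac
}

# Run ldapsearch only when the transport arguments are consistent.
safe_ldapsearch() {
  if ldap_args_conflict "$@"; then
    echo "refusing: ldaps:// URI combined with -Z/-ZZ (would fail with 'TLS already started')" >&2
    return 1
  fi
  ldapsearch "$@"
}

# Constructed sample invocations (the first mirrors the failing command in the Issue section).
ldap_args_conflict -x -H ldaps://localhost -ZZ '(objectclass=*)' && echo "conflict: ldaps + -ZZ"
ldap_args_conflict -x -ZZ -H ldap://localhost '(objectclass=*)' || echo "ok: StartTLS on ldap://"
```

The check only sees the command line; a `URI ldaps://...` default in ldap.conf or the LDAPURI environment variable combined with -ZZ produces the same error and is not caught here.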

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.