Why ldapsearch fails to connect with LDAP server with a "TLS already started" message?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux (All Versions)

Issue

  • The ldapsearch command fails to connect to the LDAP server with the error below.
[root@host ~] ldapsearch -LL -v -x -W -D "cn=admin,dc=example,dc=com" -H ldaps://localhost -ZZ "(objectclass=*)"
ldap_initialize( ldaps://localhost:636/??base )
ldap_start_tls: Operations error (1)
    additional info: TLS already started

Resolution

  • Do not run ldapsearch with both an ldaps:// URI and STARTTLS (-ZZ). Use either -ZZ together with ldap://fqdn.of.server, or ldaps://fqdn.of.server without -ZZ.

  • STARTTLS is an extension to plain-text communication protocols that upgrades an existing plain-text connection to an encrypted (TLS or SSL) connection, instead of using a separate port for encrypted communication. For LDAP it is defined in RFC 2830: http://tools.ietf.org/html/rfc2830

Try LDAPS (SSL/TLS negotiated when the connection is opened, port 636):

# ldapsearch -x -H ldaps://fqdn -b "dc=example,dc=com"

or STARTTLS (a plain ldap:// connection on port 389 upgraded to TLS; note that the URI is passed with -H, since -h expects a bare hostname):

# ldapsearch -x -ZZ -H ldap://fqdn -b "dc=example,dc=com"
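The two invocations above are mutually exclusive ways of getting TLS. The following POSIX shell helpers, added here as an example and not part of the Red Hat article, build the correct command line for a chosen mode and pre-check an argument list for the conflicting ldaps:// plus -Z/-ZZ combination before ldapsearch is ever run. The host name ldap.example.com used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# build_ldapsearch_cmd MODE FQDN BASE
#   MODE is "ldaps"    -> implicit TLS on port 636 (ldaps:// URI, no -ZZ)
#   MODE is "starttls" -> plain ldap:// on port 389 upgraded with -ZZ
# Prints the ldapsearch command line on stdout; returns 1 for an unknown mode.
build_ldapsearch_cmd() {
  mode=$1; host=$2; base=$3
  case "$mode" in
    ldaps)    printf 'ldapsearch -x -H ldaps://%s -b "%s"\n' "$host" "$base" ;;
    starttls) printf 'ldapsearch -x -ZZ -H ldap://%s -b "%s"\n' "$host" "$base" ;;
    *)        echo "unknown mode: $mode (use ldaps or starttls)" >&2; return 1 ;;
  esac
}

# check_tls_args ARG...
# Scan an ldapsearch argument list for an ldaps:// URI combined with -Z or -ZZ.
# That combination makes the server answer the StartTLS extended operation with
# "Operations error (1) ... TLS already started", because the ldaps:// connection
# is encrypted before the StartTLS request is sent.
# Returns 0 when the arguments are consistent, 1 when both are present.
check_tls_args() {
  ldaps=0; starttls=0
  for arg in "$@"; do
    case "$arg" in
      ldaps://*|-Hldaps://*) ldaps=1 ;;     # URI given as "-H ldaps://..." or "-Hldaps://..."
      -Z|-ZZ)                starttls=1 ;;  # StartTLS requested (optional or mandatory)
    esac
  done
  if [ "$ldaps" -eq 1 ] && [ "$starttls" -eq 1 ]; then
    echo "conflict: ldaps:// already negotiates TLS; drop -Z/-ZZ or switch to ldap://" >&2
    return 1
  fi
  return 0
}

# Example usage (constructed host name):
#   check_tls_args -x -H ldaps://ldap.example.com -ZZ   -> reports the conflict, exit 1
#   build_ldapsearch_cmd starttls ldap.example.com "dc=example,dc=com"
```

Wrapping ldapsearch in check_tls_args is most useful in scripts and cron jobs, where the "TLS already started" message would otherwise be buried in a log rather than seen at a terminal.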

Root Cause

STARTTLS and LDAPS (SSL) cannot be used on the same connection. An ldaps:// URI negotiates TLS as soon as the connection is opened, so the StartTLS extended operation that -ZZ then sends is rejected by the server with "Operations error (1)" and the additional info "TLS already started".

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
