ldapsearch fails if no CA certificate is available

Solution Unverified - Updated -

Issue

  • With the latest openldap (RHEL6.1), ldapsearch and similar tools fail to contact the LDAP server if there are no certificates in the /etc/openldap/cacerts directory.
  • ldapsearch fails if the cacertdir (TLS_CACERTDIR) directory does not contain any CA certs, does not exist, etc., even if 'TLS_REQCERT' is set to "never".

The same command works in previous versions of openldap (openldap-2.4.19-15.el6_0.2 or older) if the option "LDAPTLS_REQCERT never" is mentioned in the /etc/openldap/ldap.conf file.

# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://hostname:port -s base -b ""
ldap_connect_to_host: Trying 10.65.210.164:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts
prefix  - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
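A preflight check for the condition described above, added here as an example (it is not part of the Red Hat article): it reads TLS_CACERTDIR and TLS_REQCERT from an ldap.conf-style file and counts PEM certificates in that directory, so an empty or missing directory is reported before ldapsearch fails inside TLS initialization. The function names, the temporary paths and the sample certificate file are constructed for illustration; the default of /etc/openldap/cacerts is the one named in the issue text.

```shell
#!/bin/sh
# Preflight check for the moznss "did not find any valid CA certificates"
# failure: does the configured TLS_CACERTDIR actually hold CA certificates?
# Added example, not code from the article; paths and samples are constructed.

# Print the value of an option from an ldap.conf-style file, or a default.
# Option names are case-insensitive; the last definition wins.
# Usage: ldap_conf_value <conf-file> <OPTION> <default>
ldap_conf_value() {
    conf=$1; key=$2; default=$3
    val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" \
        'substr($1,1,1) != "#" && tolower($1) == k { v = $2 } END { print v }' "$conf")
    printf '%s\n' "${val:-$default}"
}

# Count PEM-encoded certificates in a directory (prints 0 if it is missing).
# Only PEM files are considered here; a directory populated in another form
# would need its own check.
# Usage: count_ca_certs <dir>
count_ca_certs() {
    dir=$1; n=0
    [ -d "$dir" ] || { echo 0; return; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Report the effective TLS settings; return 0 when the directory holds at
# least one certificate and 1 when it does not (the failing case above).
# Usage: check_cacertdir <conf-file>
check_cacertdir() {
    conf=$1
    dir=$(ldap_conf_value "$conf" TLS_CACERTDIR /etc/openldap/cacerts)
    reqcert=$(ldap_conf_value "$conf" TLS_REQCERT demand)
    n=$(count_ca_certs "$dir")
    echo "TLS_CACERTDIR=$dir TLS_REQCERT=$reqcert certs=$n"
    if [ "$n" -eq 0 ]; then
        echo "no CA certificates in $dir: TLS init fails even with TLS_REQCERT $reqcert" >&2
        return 1
    fi
    return 0
}

# Constructed walk-through: an ldap.conf pointing at an empty directory,
# then the same directory after a (dummy) PEM file has been added.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cacerts"
    printf 'TLS_CACERTDIR %s\nTLS_REQCERT never\n' "$tmp/cacerts" > "$tmp/ldap.conf"
    check_cacertdir "$tmp/ldap.conf" || echo "-> this is the reported failure"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n' \
        > "$tmp/cacerts/example-ca.pem"
    check_cacertdir "$tmp/ldap.conf" && echo "-> directory populated, TLS init can proceed"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh check_cacerts.sh --demo` to see both outcomes, or call `check_cacertdir /etc/openldap/ldap.conf` before an ldapsearch. A pass with TLS_REQCERT still set to never only means TLS initialization will succeed; the server certificate is still not verified. Placing the server's CA certificate in TLS_CACERTDIR clears the reported error without relying on that setting.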

Environment

  • Red Hat Enterprise Linux 6.1
  • openldap-2.4.23-15.el6
