ldapsearch fails if no CA certificate is available
Issue
- With the latest openldap (RHEL 6.1), ldapsearch and similar tools fail to contact the LDAP server if there are no certificates in the /etc/openldap/cacerts directory.
- ldapsearch fails if the cacertdir (TLS_CACERTDIR) directory contains no CA certificates, does not exist, etc., even if 'TLS_REQCERT' is set to "never".
The same command works in the previous version(s) of openldap (openldap-2.4.19-15.el6_0.2 or older) if the option "LDAPTLS_REQCERT never" is set in the /etc/openldap/ldap.conf file.
# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://hostname:port -s base -b ""
ldap_connect_to_host: Trying 10.65.210.164:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts
prefix - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Environment
- Red Hat Enterprise Linux 6.1
- openldap-2.4.23-15.el6
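A preflight check for this condition, added here as an example and not part of the Red Hat article or of openldap itself: it reads TLS_CACERTDIR and TLS_REQCERT from a given ldap.conf, confirms the directory exists and holds at least one non-empty file (assumption: any non-empty regular file is treated as a candidate CA certificate; libldap itself parses each file), and flags TLS_REQCERT values of never or allow, under which the server certificate is not verified.

```shell
#!/bin/sh
# Preflight check for the failure above (added example, not from the article):
# the moznss-backed libldap in openldap-2.4.23-15.el6 aborts TLS setup when
# TLS_CACERTDIR is missing or empty, even with TLS_REQCERT never.
# Usage: check_cacertdir /etc/openldap/ldap.conf  (exit 0 = OK, 1 = problem)

# Print the value of one ldap.conf directive; last occurrence wins, comment
# lines are skipped, directive names are matched case-insensitively.
ldapconf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$1"
}

check_cacertdir() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    dir=$(ldapconf_get "$conf" TLS_CACERTDIR)
    reqcert=$(ldapconf_get "$conf" TLS_REQCERT)
    # Assumption: fall back to /etc/openldap/cacerts, the directory the
    # failing run above was using, when TLS_CACERTDIR is not set.
    [ -n "$dir" ] || dir=/etc/openldap/cacerts

    if [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR $dir does not exist"
        return 1
    fi
    # Assumption: any non-empty regular file counts as a candidate CA cert;
    # an empty directory is exactly the condition the log above reports.
    found=0
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ -s "$f" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "TLS_CACERTDIR $dir contains no certificate files"
        return 1
    fi
    # Not a failure, but worth flagging: with never/allow the client accepts
    # any server certificate, so a populated CA directory alone does not
    # mean the server's identity is verified.
    case "$(echo "$reqcert" | tr 'A-Z' 'a-z')" in
        never|allow) echo "warning: TLS_REQCERT $reqcert disables server certificate verification" ;;
    esac
    echo "TLS_CACERTDIR $dir OK"
    return 0
}

if [ "$#" -gt 0 ]; then check_cacertdir "$1"; fi
```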