FreeKB - OpenLDAP Resolve "TLS negotiation failure"

This error appears in the logs on the OpenLDAP server.

closed (TLS negotiation failure)


This error occurs when a client attempts to make a TLS-encrypted connection to the OpenLDAP server and the TLS handshake fails. A corresponding error usually appears on the client as well.

~]# ldapwhoami -H ldap:// -x -ZZ
ldap_start_tls: Connect error (-11)
   additional info: TLS error -5938:Encountered end of file


OpenLDAP Server Setup

Ensure OpenSSL can read the CA file, and ensure the CN in the rootCA.pem file is the hostname of your server. For example, the following negotiates STARTTLS on port 389 the way an ldap:// client using -ZZ does (the -starttls ldap option needs OpenSSL 1.1.1 or later; against an ldaps:// listener on port 636, omit it). Look for "Verify return code: 0 (ok)" in the output.

openssl s_client -connect localhost:389 -starttls ldap -showcerts -state -CAfile /etc/openldap/certs/rootCA.pem


Ensure the root CA, certificate, and private key reside in the /etc/openldap/certs directory.



Ensure the root CA, certificate, and private key are owned by user ldap and group ldap. The private key should also not be world-readable: the 644 mode shown below on example.key lets any local user read it, so restrict the key to 600 (or 640 if group ldap needs access).

~]# ll /etc/openldap/certs/
-rw-r--r-- ldap:ldap rootCA.pem
-rw-r--r-- ldap:ldap example.crt
-rw-r--r-- ldap:ldap example.key


Ensure the /etc/openldap/slapd.d/cn=config.ldif file contains the following. These attributes belong to the cn=config database, so the supported way to set them is ldapmodify against cn=config rather than editing the file by hand.

olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
olcTLSCertificateFile: /etc/openldap/certs/example.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key


Ensure LDAP port 389 is open in iptables or firewalld.

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart slapd.

systemctl restart slapd


If your system is using init, use the service command to restart slapd.

service slapd restart
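The server-side checks above (the three files present, owned by ldap:ldap, the key not world-readable, and cn=config pointing at them) can be scripted so they are run before every slapd restart. The following POSIX shell script is an added example and is not part of the FreeKB article or of OpenLDAP itself. It takes the LDIF path and the expected owner as arguments, reads the three olcTLS* attributes, and reports every file that is missing, has the wrong owner, or (for the private key) is readable by everyone. The cn=config fragment and files it builds in demo mode are constructed sample input, not a real server's configuration.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): verify the TLS files that
# slapd's cn=config points at before restarting the service.
#
# check_tls_config LDIF OWNER
#   LDIF  - path to cn=config.ldif (or any LDIF carrying the olcTLS* attributes)
#   OWNER - expected owner as user:group, e.g. ldap:ldap
# Prints one line per problem found and returns 1 if there were any, else 0.
check_tls_config() {
    ldif=$1
    want_owner=$2
    rc=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        # Take the first value of the attribute; LDIF lines read "attr: value".
        path=$(sed -n "s/^$attr: *//p" "$ldif" | head -n 1)
        if [ -z "$path" ]; then
            echo "MISSING attribute: $attr is not set in $ldif"
            rc=1
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "MISSING file: $path ($attr)"
            rc=1
            continue
        fi
        # Fields 3 and 4 of 'ls -l' are the owning user and group.
        owner=$(ls -ld "$path" | awk '{print $3 ":" $4}')
        if [ "$owner" != "$want_owner" ]; then
            echo "BAD OWNER: $path is $owner, expected $want_owner"
            rc=1
        fi
        # Character 8 of the mode string is the other-read bit; the private
        # key must not carry it, or every local user can read the key.
        if [ "$attr" = olcTLSCertificateKeyFile ] && [ "$(ls -ld "$path" | cut -c8)" = r ]; then
            echo "WORLD-READABLE: $path (chmod 600 or 640 it)"
            rc=1
        fi
    done
    return "$rc"
}

# Demo: build a constructed cn=config fragment in a temporary directory, run
# the check against files owned by the current user, then show the failure a
# world-readable key produces. Invoke as: sh check_tls.sh demo
demo() {
    tmp=$(mktemp -d)
    printf 'constructed CA placeholder\n' > "$tmp/rootCA.pem"
    printf 'constructed cert placeholder\n' > "$tmp/example.crt"
    printf 'constructed key placeholder\n' > "$tmp/example.key"
    chmod 644 "$tmp/rootCA.pem" "$tmp/example.crt"
    chmod 600 "$tmp/example.key"
    {
        echo 'dn: cn=config'
        echo "olcTLSCACertificateFile: $tmp/rootCA.pem"
        echo "olcTLSCertificateFile: $tmp/example.crt"
        echo "olcTLSCertificateKeyFile: $tmp/example.key"
    } > "$tmp/cn=config.ldif"
    me=$(ls -ld "$tmp/example.crt" | awk '{print $3 ":" $4}')
    check_tls_config "$tmp/cn=config.ldif" "$me" && echo "OK: TLS files pass"
    chmod 644 "$tmp/example.key"
    check_tls_config "$tmp/cn=config.ldif" "$me" || echo "FAIL: as expected after chmod 644 on the key"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
# On a real server, as root:
#   check_tls_config /etc/openldap/slapd.d/cn=config.ldif ldap:ldap
```

The ownership and mode checks read `ls -l` rather than `stat`, so the script behaves the same on GNU and BSD userlands; the owner is passed in as an argument because the page's expected value, ldap:ldap, only holds on the server.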


OpenLDAP Client Setup

Ensure the rootCA.pem file has been copied from the OpenLDAP server to the /etc/openldap/cacerts directory on the client (the directory named by TLS_CACERTDIR in ldap.conf).

~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/


Ensure LDAP authentication via TLS has been enabled.

~]# authconfig --test | grep -i ldap
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = ""
 LDAP base DN = "dc=example,dc=com"


Ensure LDAP port 389 is open in iptables or firewalld.

Ensure /etc/openldap/ldap.conf contains the following.

URI ldap://
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
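One client-side detail the listing above depends on: libldap built against OpenSSL looks up CA certificates in TLS_CACERTDIR by subject-hash file name (eight hex digits, a dot, a number), so a rootCA.pem copied into the directory on its own is never consulted and verification fails until the hash links are created with openssl rehash or c_rehash. The following POSIX shell script is an added example, not from the FreeKB article or from OpenLDAP: it reads TLS_CACERTDIR from a given ldap.conf, confirms the copied CA file is present there, and checks that at least one hash-named entry exists. The ldap.conf, directory and hash value it builds in demo mode are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): confirm that the client's
# TLS_CACERTDIR holds the server's CA in a form libldap can actually find.
#
# check_client_cacerts LDAP_CONF CA_BASENAME
#   LDAP_CONF   - path to ldap.conf, e.g. /etc/openldap/ldap.conf
#   CA_BASENAME - file name of the CA copied from the server, e.g. rootCA.pem
# Returns 0 when TLS_CACERTDIR is set, exists, contains CA_BASENAME and at
# least one hash-named entry; otherwise prints the reason and returns 1.
check_client_cacerts() {
    conf=$1
    ca=$2
    rc=0
    # First TLS_CACERTDIR line wins; ldap.conf keywords are case-insensitive,
    # so fold the keyword to upper case before comparing.
    dir=$(awk 'toupper($1) == "TLS_CACERTDIR" { print $2; exit }' "$conf")
    if [ -z "$dir" ]; then
        echo "TLS_CACERTDIR is not set in $conf"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi
    if [ ! -r "$dir/$ca" ]; then
        echo "MISSING CA: $dir/$ca (copy it from the server with scp)"
        rc=1
    fi
    # OpenSSL's directory lookup opens <subject-hash>.<n>, not arbitrary names.
    # '|| true' keeps a zero count from being treated as a failure under set -e.
    hashed=$(ls "$dir" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true)
    if [ "$hashed" -eq 0 ]; then
        echo "NO HASH LINKS in $dir (run: openssl rehash $dir   or   c_rehash $dir)"
        rc=1
    fi
    return "$rc"
}

# Demo: constructed ldap.conf and CA directory under a temporary path.
# Invoke as: sh check_cacerts.sh demo
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cacerts"
    printf 'constructed CA placeholder\n' > "$tmp/cacerts/rootCA.pem"
    printf 'URI ldap://ldap.example.com\nBASE dc=example,dc=com\nTLS_CACERTDIR %s/cacerts\n' "$tmp" > "$tmp/ldap.conf"
    check_client_cacerts "$tmp/ldap.conf" rootCA.pem || echo "-> expected: the PEM alone is not enough"
    # openssl rehash / c_rehash would create a link like this; the hash here is made up.
    ln -s rootCA.pem "$tmp/cacerts/3a7f1c2e.0"
    check_client_cacerts "$tmp/ldap.conf" rootCA.pem && echo "OK: client CA directory passes"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
# On a real client:
#   check_client_cacerts /etc/openldap/ldap.conf rootCA.pem
```

If you would rather not maintain hash links, point ldap.conf at the single file with TLS_CACERT /etc/openldap/cacerts/rootCA.pem instead of TLS_CACERTDIR; the script only covers the directory form the article uses.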


