OpenLDAP - Resolve "TLS negotiation failure"


This error appears in the logs on the OpenLDAP server.

closed (TLS negotiation failure)

 

This error occurs when a client attempts to make a TLS encrypted connection to the OpenLDAP server. An error will probably also appear on the client.

~]# ldapwhoami -H ldap://ldap.example.com -x -ZZ
ldap_start_tls: Connect error (-11)
   additional info: TLS error -5938:Encountered end of file

 


OpenLDAP Server Setup

Ensure OpenSSL can read the CA file, and ensure the CN in the rootCA.pem file matches the hostname of your server, such as ldap.example.com. Port 389 speaks plain LDAP until the client sends a StartTLS request, so pass -starttls ldap (OpenSSL 1.1.1 or later) to have s_client send that request before the handshake; without it s_client waits for a TLS ServerHello that never arrives.

openssl s_client -connect localhost:389 -starttls ldap -showcerts -state -CAfile /etc/openldap/certs/rootCA.pem

 

Ensure the root CA, certificate, and private key reside in the /etc/openldap/certs directory.

/etc/openldap/certs/rootCA.pem
/etc/openldap/certs/example.crt
/etc/openldap/certs/example.key

 

Ensure the root CA, certificate, and private key are owned by user and group ldap:ldap.

~]# ll /etc/openldap/certs/
-rw-r--r-- ldap:ldap rootCA.pem
-rw-r--r-- ldap:ldap example.crt
-rw-r--r-- ldap:ldap example.key

 

Ensure the /etc/openldap/slapd.d/cn=config.ldif file contains the following.

olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
olcTLSCertificateFile: /etc/openldap/certs/example.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key
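The three checks above (files present, owned by ldap, referenced from cn=config) can be run as one script. The helper below is an added example, not part of the article: it reads the olcTLS* attributes out of a cn=config.ldif, then verifies that each referenced file exists and is owned by the user slapd runs as. It also flags a private key that is readable by other users; the listing above shows the key as -rw-r--r--, but only slapd's user needs to read it, so the helper treats a non-zero "others" permission as a finding. It assumes the attributes appear as single unwrapped lines and uses GNU stat.

```shell
#!/bin/sh
# Hypothetical helper, not from the article: checks the TLS files slapd is
# configured to use. Returns 0 when every check passes, 1 otherwise.
# Usage: check_slapd_tls /etc/openldap/slapd.d/cn=config.ldif ldap
check_slapd_tls() {
    ldif="$1"
    owner="$2"
    rc=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        # take the last value of "attr: /path" (later values override earlier ones)
        path=$(awk -v a="$attr:" '$1==a {print $2}' "$ldif" | tail -n 1)
        if [ -z "$path" ]; then
            echo "MISSING ATTRIBUTE: $attr is not set in $ldif" >&2
            rc=1
            continue
        fi
        if [ ! -e "$path" ]; then
            echo "MISSING FILE: $attr points at $path, which does not exist" >&2
            rc=1
            continue
        fi
        actual=$(stat -c %U "$path")   # GNU stat: owning user name
        if [ "$actual" != "$owner" ]; then
            echo "BAD OWNER: $path is owned by $actual, expected $owner" >&2
            rc=1
        fi
        if [ "$attr" = olcTLSCertificateKeyFile ]; then
            mode=$(stat -c %a "$path")  # octal mode, e.g. 644
            case "$mode" in
                *0) ;;                 # others have no access: fine
                *) echo "KEY READABLE BY OTHERS: $path has mode $mode" >&2; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```

Run it as root after editing cn=config.ldif and before restarting slapd; a non-zero exit with the printed finding tells you which of the three files slapd will fail to load.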

 

Ensure LDAP port 389 is open in iptables or firewalld.

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart slapd.

systemctl restart slapd

 

If your system is using init, use the service command to restart slapd.

service slapd restart

 


OpenLDAP Client Setup

Ensure the rootCA.pem file has been copied from the OpenLDAP server to the /etc/openldap/cacerts directory on the client (the directory named by TLS_CACERTDIR in the client's ldap.conf).

~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/

 

Ensure LDAP authentication via TLS has been enabled.

~]# authconfig --test | grep -i ldap
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap.example.com"
 LDAP base DN = "dc=example,dc=com"

 

Ensure LDAP port 389 is open in iptables or firewalld.

Ensure the /etc/openldap/ldap.conf has the following.

URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT try
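TLS_REQCERT try, shown above, is the setting worth understanding: per ldap.conf(5) it terminates the session if the server presents a bad certificate, but lets the session proceed unverified if the server presents no certificate at all, whereas demand (the default when the option is unset) requires a valid certificate. The helper below is an added example, not from the article, that audits a client ldap.conf for this and for a missing CA location; the sample files it is tested with are constructed.

```shell
#!/bin/sh
# Hypothetical helper, not from the article: audits the TLS settings in a
# client ldap.conf. Returns 0 only when server certificate verification is
# enforced (TLS_REQCERT demand or hard, or unset, which libldap treats as
# demand) and a CA file or directory is configured and present.
# Usage: audit_ldap_conf /etc/openldap/ldap.conf
audit_ldap_conf() {
    conf="$1"
    rc=0
    # keys are case-insensitive; a later occurrence overrides an earlier one
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf" | tail -n 1)
    cafile=$(awk 'toupper($1)=="TLS_CACERT" {print $2}' "$conf" | tail -n 1)
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf" | tail -n 1)

    case "${reqcert:-demand}" in
        demand|hard) ;;
        try)
            echo "WEAK: TLS_REQCERT try lets a server that sends no certificate through unverified" >&2
            rc=1 ;;
        allow|never)
            echo "WEAK: TLS_REQCERT $reqcert does not verify the server certificate" >&2
            rc=1 ;;
        *)
            echo "UNKNOWN: TLS_REQCERT value '$reqcert'" >&2
            rc=1 ;;
    esac

    if [ -n "$cafile" ]; then
        [ -f "$cafile" ] || { echo "MISSING: TLS_CACERT $cafile" >&2; rc=1; }
    elif [ -n "$cadir" ]; then
        if [ ! -d "$cadir" ] || [ -z "$(ls -A "$cadir")" ]; then
            echo "MISSING: TLS_CACERTDIR $cadir is absent or empty" >&2
            rc=1
        fi
    else
        echo "MISSING: no TLS_CACERT or TLS_CACERTDIR, so the server certificate cannot be verified" >&2
        rc=1
    fi
    return $rc
}
```

Two notes from ldap.conf(5) when acting on its output: with TLS_REQCERT demand the client fails the StartTLS connection unless the CA that signed the server certificate is found, so a missing or empty CA location produces exactly the client-side error shown at the top of this article; and when libldap is built against OpenSSL, a TLS_CACERTDIR directory must be prepared with c_rehash (or openssl rehash) so the CA file is found by its hashed name.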

 



