Resolve "TLS negotiation failure" with OpenLDAP


This error appears in the logs on the OpenLDAP server.

closed (TLS negotiation failure)

This error occurs when a client attempts to make a TLS-encrypted connection to the OpenLDAP server. An error will probably also appear on the client.

~]# ldapwhoami -H ldap://ldap.example.com -x -ZZ
ldap_start_tls: Connect error (-11)
   additional info: TLS error -5938:Encountered end of file

OpenLDAP Server Setup

Ensure OpenSSL can read the CA file, and that the CN in the rootCA.pem file is the hostname of your server, such as ldap.example.com.

openssl s_client -connect localhost:389 -showcerts -state -CAfile /etc/openldap/certs/rootCA.pem

Ensure the root CA, certificate, and private key reside in the /etc/openldap/certs directory.

/etc/openldap/certs/rootCA.pem
/etc/openldap/certs/example.crt
/etc/openldap/certs/example.key

Ensure the root CA, certificate, and private key are owned by the ldap user and ldap group (ldap:ldap).

~]# ll /etc/openldap/certs/
-rw-r--r-- ldap:ldap rootCA.pem
-rw-r--r-- ldap:ldap example.crt
-rw-r--r-- ldap:ldap example.key

Ensure the /etc/openldap/slapd.d/cn=config.ldif file contains the following.

olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
olcTLSCertificateFile: /etc/openldap/certs/example.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key

Ensure LDAP port 389 is open in iptables or firewalld.

Restart OpenLDAP.

~]# systemctl restart slapd
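The server-side checks above can be run in one go. The script below is an added example, not part of the original page; it assumes the file names, the ldap:ldap owner and the cn=config.ldif path given above as defaults, and takes the directory and owner as parameters so it can also be run against a test tree.

```shell
#!/bin/sh
# Pre-flight check for the slapd TLS setup: the three PEM files exist, are
# readable and owned by OWNER, and cn=config.ldif points at them.
# Defaults (assumed from this page): /etc/openldap/certs, ldap:ldap,
# /etc/openldap/slapd.d/cn=config.ldif.

# check_cert_files DIR OWNER: returns 0 only if every file is readable and owned by OWNER.
check_cert_files() {
    dir=$1; owner=$2; rc=0
    for f in rootCA.pem example.crt example.key; do
        path="$dir/$f"
        if [ ! -r "$path" ]; then
            echo "MISSING or unreadable: $path"; rc=1; continue
        fi
        actual=$(ls -ld "$path" | awk '{print $3 ":" $4}')
        if [ "$actual" != "$owner" ]; then
            echo "WRONG OWNER: $path is $actual, expected $owner"; rc=1
        fi
        # Non-fatal: the listing above shows the key as 0644, but a private key
        # should not be readable by other local users.
        case $f in *.key)
            perms=$(ls -ld "$path" | cut -c1-10)
            [ "$perms" = "-rw-------" ] || echo "WARNING: $path is $perms; 0600 is recommended" ;;
        esac
    done
    return $rc
}

# check_config FILE DIR: returns 0 only if all three olcTLS* attributes name the files in DIR.
check_config() {
    cfg=$1; dir=$2; rc=0
    for pair in olcTLSCACertificateFile=rootCA.pem \
                olcTLSCertificateFile=example.crt \
                olcTLSCertificateKeyFile=example.key; do
        attr=${pair%%=*}; file=${pair#*=}
        if ! grep -qxF "$attr: $dir/$file" "$cfg" 2>/dev/null; then
            echo "CONFIG: $cfg lacks '$attr: $dir/$file'"; rc=1
        fi
    done
    return $rc
}

# Run against the live server with: sh check_slapd_tls.sh run
if [ "${1:-}" = "run" ]; then
    check_cert_files /etc/openldap/certs ldap:ldap
    check_config /etc/openldap/slapd.d/cn=config.ldif /etc/openldap/certs
fi
```

Each function prints one line per problem and returns non-zero, so the script can be dropped into a pre-restart check.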

OpenLDAP Client Setup

Ensure the rootCA.pem file has been copied from the OpenLDAP server to the /etc/openldap/cacerts directory on the client.

~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/

Ensure LDAP authentication via TLS has been enabled.

~]# authconfig --test | grep -i ldap
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap.example.com"
 LDAP base DN = "dc=example,dc=com"

Ensure LDAP port 389 is open in iptables or firewalld.

Ensure the /etc/openldap/ldap.conf file contains the following.

URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT try