
This error appears in the logs on the OpenLDAP server.
closed (TLS negotiation failure)
This error occurs when a client attempts to make a TLS-encrypted connection to the OpenLDAP server. A corresponding error will usually also appear on the client, for example when ldapwhoami is told to require StartTLS with -ZZ.
~]# ldapwhoami -H ldap://ldap.example.com -x -ZZ
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file
OpenLDAP Server Setup
Ensure OpenSSL can read the CA file, and ensure the CN in the rootCA.pem file is the hostname of your server, such as ldap.example.com. Port 389 starts as plain LDAP and upgrades to TLS with StartTLS, so pass -starttls ldap (OpenSSL 1.1.0 or later) rather than expecting a TLS handshake immediately after connect.
openssl s_client -connect localhost:389 -starttls ldap -showcerts -state -CAfile /etc/openldap/certs/rootCA.pem
Ensure the root CA, certificate, and private key reside in the /etc/openldap/certs directory.
/etc/openldap/certs/rootCA.pem
/etc/openldap/certs/example.crt
/etc/openldap/certs/example.key
Ensure the root CA, certificate, and private key owner and group is ldap:ldap.
~]# ll /etc/openldap/certs/
-rw-r--r-- ldap:ldap rootCA.pem
-rw-r--r-- ldap:ldap example.crt
-rw-r--r-- ldap:ldap example.key
Ensure the /etc/openldap/slapd.d/cn=config.ldif file contains the following.
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.pem
olcTLSCertificateFile: /etc/openldap/certs/example.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/example.key
Ensure LDAP port 389 is open in iptables or firewalld.
The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.
If your system is using systemd, use the systemctl command to restart slapd.
systemctl restart slapd
If your system is using init, use the service command to restart slapd.
service slapd restart
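The following bash pre-flight script is an added example, not part of the article: it applies the server-side checks above (files named in cn=config.ldif, ownership, and the openssl handshake) before slapd is restarted. It assumes the article's paths, ldap:ldap ownership and the ldap.example.com hostname as defaults, checks the hostname against the server certificate named by olcTLSCertificateFile, and additionally flags a private key readable by other users, which the article's listing does not require.

```bash
#!/bin/bash
# Added example (not from the article): pre-flight check for the slapd TLS setup.
# Assumed defaults follow the article's paths; override them via the environment.
CERTS_DIR="${CERTS_DIR:-/etc/openldap/certs}"
CONFIG_LDIF="${CONFIG_LDIF:-/etc/openldap/slapd.d/cn=config.ldif}"
LDAP_OWNER="${LDAP_OWNER:-ldap:ldap}"          # expected owner:group of the files
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"     # hostname clients will verify against

# Print the path an olcTLS* attribute points to in cn=config.ldif (empty if absent).
tls_attr() {
    sed -n "s/^$1: *//p" "$2" | head -n 1
}

# One referenced file: set in cn=config.ldif, readable, owned by ldap:ldap.
# The private key must additionally not be readable by group or others.
check_file() {
    local attr="$1" path="$2" owner mode
    [ -n "$path" ] || { echo "MISSING $attr is not set in $CONFIG_LDIF"; return 1; }
    [ -r "$path" ] || { echo "UNREADABLE $attr -> $path"; return 1; }
    owner=$(stat -c '%U:%G' "$path")
    [ "$owner" = "$LDAP_OWNER" ] || { echo "OWNER $path is $owner, want $LDAP_OWNER"; return 1; }
    mode=$(stat -c '%a' "$path")
    if [ "$attr" = olcTLSCertificateKeyFile ]; then
        case "$mode" in
            *00) ;;
            *) echo "PERMS $path mode $mode lets other users read the private key; use 0600"; return 1 ;;
        esac
    fi
    echo "OK $attr -> $path ($owner, mode $mode)"
}

# Walk the three TLS attributes the article adds to cn=config.ldif.
check_config() {
    local attr rc=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        check_file "$attr" "$(tls_attr "$attr" "$CONFIG_LDIF")" || rc=1
    done
    return $rc
}

# Does the server certificate (not the CA) carry the hostname clients connect to?
check_hostname() {
    openssl x509 -in "$1" -noout -checkhost "$LDAP_HOST" | grep -q ' does match '
}

# Port 389 starts in the clear and upgrades with StartTLS, so s_client must do the same.
check_handshake() {
    openssl s_client -connect "$LDAP_HOST:389" -starttls ldap -CAfile "$CERTS_DIR/rootCA.pem" \
        </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}
```

Source the script in a root shell on the server, then run check_config, check_hostname on the path from olcTLSCertificateFile, and (with slapd running) check_handshake; each returns non-zero and prints the failing item when a check does not pass.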
OpenLDAP Client Setup
Ensure the rootCA.pem file has been copied from the OpenLDAP server to the /etc/openldap/cacerts directory on the client (the directory that TLS_CACERTDIR in ldap.conf points to).
~]# scp root@openldap:/etc/openldap/certs/rootCA.pem /etc/openldap/cacerts/
Ensure LDAP authentication via TLS has been enabled.
~]# authconfig --test | grep -i ldap
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap.example.com"
LDAP base DN = "dc=example,dc=com"
Ensure LDAP port 389 is open in iptables or firewalld.
Ensure /etc/openldap/ldap.conf contains the following.
URI ldap://ldap.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT try