LDAP

From Segfault

Installation

TBD

Usage

ldapsearch

Sometimes, ldapsearch may be unable to establish a connection:

$ ldapsearch -H ldaps://localhost:1636 -b ou=people,dc=example,dc=net -D username -W -x -v
ldap_initialize( ldaps://localhost:1636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Raising the debug level (-d 1) reveals the cause:

$ ldapsearch -H ldaps://localhost:1636 -b ou=people,dc=example,dc=net -D username -W -x -v -d 1
ldap_url_parse_ext(ldaps://localhost:1636)
ldap_initialize( ldaps://localhost:1636/??base )
ldap_create
ldap_url_parse_ext(ldaps://localhost:1636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:1636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 1636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

As we're connecting through an SSH tunnel to the LDAP server, the certificate's CN won't match the hostname we connect to (localhost), libldap rejects the certificate and the connection fails. To force accepting the connection, we can add the following to ~/.ldaprc (TLS_REQCERT allow makes the client accept any certificate the tunnel endpoint presents, so keep it in a per-user ~/.ldaprc rather than the system-wide ldap.conf; when the issuing CA is at hand, pointing TLS_CACERT at it keeps verification switched on instead):

TLS_REQCERT allow
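
As an added example (not part of this wiki page), a small shell helper that classifies an ldapsearch -d 1 trace so that TLS_REQCERT allow is reached for only when the trace actually shows a certificate problem. The "peer cert untrusted" line is taken from the trace above; the hostname-mismatch and "connect errno" wordings are assumed libldap messages, and /path/to/ca.pem is a placeholder.

```sh
#!/bin/sh
# Classify an `ldapsearch -d 1` trace read from stdin and print one token:
#   untrusted-cert     CA not trusted (or cert revoked) -> add TLS_CACERT
#   hostname-mismatch  cert name != host in -H (e.g. a tunnel on localhost)
#   connect-failed     TCP connect() failed -> tunnel/port down, not a TLS issue
#   contact-failed     generic "Can't contact LDAP server" with no TLS detail
#   bind-failed        TLS fine, credentials rejected
#   ok-or-unknown      nothing recognised
# Usage: ldapsearch -H ldaps://localhost:1636 ... -d 1 2>&1 | diagnose_ldap_debug
diagnose_ldap_debug() {
    trace=$(cat)
    # Order matters: the generic -1 line follows every specific failure.
    case "$trace" in
        *'TLS: peer cert untrusted or revoked'*)        echo untrusted-cert ;;
        *'TLS: hostname ('*') does not match'*)          echo hostname-mismatch ;;  # assumed wording
        *'connect errno'*)                               echo connect-failed ;;     # assumed wording
        *"Can't contact LDAP server"*)                   echo contact-failed ;;
        *'Invalid credentials'*)                         echo bind-failed ;;
        *)                                               echo ok-or-unknown ;;
    esac
}

# Minimal ~/.ldaprc line for a given classification. Only a hostname mismatch
# on a tunnel justifies TLS_REQCERT allow; an untrusted CA should be fixed by
# trusting the CA, which keeps verification on.
suggest_ldaprc() {
    case "$1" in
        untrusted-cert)    echo 'TLS_CACERT /path/to/ca.pem' ;;   # placeholder path
        hostname-mismatch) echo 'TLS_REQCERT allow' ;;
        *)                 echo '# no ldap.conf change: not a certificate problem' ;;
    esac
}

# Constructed sample: the tail of the -d 1 trace shown above.
SAMPLE_UNTRUSTED="connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Constructed sample for a tunnel that is not listening (assumed libldap wording).
SAMPLE_TUNNEL_DOWN="ldap_connect_to_host: Trying ::1 1636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
connect errno: 111
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNTRUSTED" | diagnose_ldap_debug
    suggest_ldaprc "$(printf '%s\n' "$SAMPLE_UNTRUSTED" | diagnose_ldap_debug)"
fi
```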

Links