What you need to connect to AD by means of LDAPS
ldapsearch -x -b 'dc=domen,dc=loc' '(objectclass=*)'
I get the error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap.conf:
-=-=-=-=-=-=-=
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=domen,dc=loc
URI ldaps://dc.domen.loc:636
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/pki/tls/certs
# /etc/openldap/certs
TLS_CACERT /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
TLS_REQCERT never
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
-=-=-=-=-=-=
connect to LDAPS AD
Re: connect to LDAPS AD
Does AD listen on port 636 or do you need to talk to port 389 then issue a STARTTLS?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: connect to LDAPS AD
Could you give the output of
ls -lZ /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Also try using ssl to check if your CA is accepted. It should be something similar to this (check the man page for defining your CA file):
'openssl s_client -connect AD_FQDN:AD_PORT --ca-path-switch /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
It should say connected.
Edit: As far as I remember ldap certs usually reside in '/etc/openldap/cacerts'
Re: connect to LDAPS AD
On a recent install, though default ldap.conf (/etc/openldap/ldap.conf) pointed to /etc/openldap/cacerts, that directory was empty. /etc/openldap/certs had the default certs and switching ldap.conf to point to certs, rather than cacerts, fixed a moderately similar issue for me.
New users should check the FAQ and Read Me First pages
Re: connect to LDAPS AD
If this is using a self-signed cert then /etc/openldap/certs needs to contain a symlink named after the hash of the cert pointing to the cert file: e.g.
The name of the symlink can be found by running /etc/pki/tls/misc/c_hash /etc/openldap/certs/ca.crt
[root@myldap ~]# ls -la /etc/openldap/certs/
total 188
drwxr-xr-x. 2 root root 4096 Mar 22 2017 .
drwxr-xr-x. 6 root root 4096 Aug 31 2017 ..
lrwxrwxrwx. 1 root root 26 Nov 23 2012 102cda7a.0 -> /etc/openldap/certs/ca.crt
-rw-r--r--. 1 root root 2594 Nov 15 2012 ca.crt
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
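The checks the replies above describe (is TLS_CACERT readable, does openssl s_client verify the AD certificate against it, and does /etc/openldap/certs carry the <hash>.0 link that c_hash names), collected into one pre-flight script. This is an added example and not code posted by anyone in the thread or shipped with OpenLDAP. It assumes the openssl CLI is installed and reads the same ldap.conf, URI and CA file the original post shows; it uses -CAfile, which is the real openssl option for a CA bundle, where the reply above shows a placeholder switch, and it answers the 389-versus-636 question by sending "-starttls ldap" when the port is 389 (OpenSSL 1.1.1 or newer). Note that the handshake function insists on a verified chain, which is exactly what "TLS_REQCERT never" tells ldapsearch to skip, so a failure here with a working ldapsearch points at the CA file rather than at connectivity.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an LDAPS client
# configured as in the ldap.conf above.  Assumes the openssl CLI is installed;
# the ldap.conf path, URI and CA file are the thread's values, nothing else.

LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# Value of one ldap.conf directive (first match, key is case-insensitive).
# Commented-out directives such as "#TLS_CACERTDIR" do not match.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == toupper(key) { print $2; exit }' "$1"
}

# Split ldap://host[:port] or ldaps://host[:port] into "host port",
# defaulting to 636 for ldaps and 389 for ldap (bare IPv6 literals not handled).
ldap_uri_hostport() {
    uri="$1"
    scheme="${uri%%://*}"
    rest="${uri#*://}"
    rest="${rest%%/*}"
    case "$rest" in
        *:*) host="${rest%%:*}"; port="${rest##*:}" ;;
        *)   host="$rest"
             if [ "$scheme" = "ldaps" ]; then port=636; else port=389; fi ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# TLS_CACERT must point at a readable file, or the client has nothing to verify
# the server certificate against ("TLS_REQCERT never" only hides that).
check_cacert_file() {
    [ -r "$1" ] || { echo "TLS_CACERT $1 is missing or unreadable" >&2; return 1; }
}

# Hash-named link as described for /etc/openldap/certs: "<hash>.0" -> cert,
# where <hash> is what c_hash / "openssl x509 -hash" prints for the cert.
install_ca_hash_link() {
    dir="$1"; cert="$2"
    case "$cert" in /*) ;; *) cert="$PWD/$cert" ;; esac   # link to an absolute path
    name="$(openssl x509 -noout -hash -in "$cert").0"
    ln -sf "$cert" "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Handshake test.  Port 389 means LDAP + STARTTLS (needs OpenSSL 1.1.1+ for
# "-starttls ldap"); anything else is treated as LDAPS.  -CAfile is openssl's
# real option for the CA bundle.  Returns 0 only if the chain verifies.
ldaps_handshake_ok() {
    host="$1"; port="$2"; cafile="$3"
    if [ "$port" = 389 ]; then extra="-starttls ldap"; else extra=""; fi
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" $extra </dev/null 2>&1)
    case "$out" in
        *"Verify return code: 0 (ok)"*) return 0 ;;
        *) printf '%s\n' "$out" | grep -E 'Verify return code|connect:|error' >&2
           return 1 ;;
    esac
}

# Run all checks against the configured ldap.conf.
main() {
    uri=$(ldap_conf_get "$LDAP_CONF" URI)
    cafile=$(ldap_conf_get "$LDAP_CONF" TLS_CACERT)
    set -- $(ldap_uri_hostport "$uri")
    echo "URI $uri -> host=$1 port=$2, CA file=$cafile"
    check_cacert_file "$cafile" && ldaps_handshake_ok "$1" "$2" "$cafile" \
        && echo "OK: $1:$2 presents a certificate chain trusted via $cafile"
}

# Only run when there is an ldap.conf to read, so the functions can also be
# sourced from another script.
if [ -r "$LDAP_CONF" ]; then main "$@"; fi
```

Run it as root on the client (or with LDAP_CONF pointing at a copy of the file). If check_cacert_file fails, the TLS_CACERT path is the problem; if the handshake prints a non-zero "Verify return code", the bundle does not contain the AD CA, which is where the self-signed-certificate advice about /etc/openldap/certs and the hash link applies.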