Some systems cannot connect to LDAP via LDAPS, but others can. Is it the wildcard cert?

Solution 1:

ldapsearch will say "Can't contact LDAP server" if it can't verify the TLS certificate. Add -d1 to your ldapsearch command, and check the output lines that begin with "TLS:" to get more information about whether the TLS connection is failing and why.

Solution 2:

ldapsearch is looking in /etc/openldap/cacerts for its store of trusted CA certificates, and that apparently is not set up, and thus it is rejecting the certificate since it can't construct a trust chain for it. If ldapsearch were using OpenSSL, it would need a "hashdir" format collection as produced by e.g. the Red Hat "authconfig" program, or a single file with a flat list of trusted certificates. The reference here to "moznss" suggests that this ldapsearch is built against Mozilla NSS, in which case you need to use "certutil" to make the cert db (or better, point it at the system NSS certificate store, if there is one).

On the systems where it's working ldapsearch must have a working certificate store, perhaps because those OpenLDAP packages are built against OpenSSL instead (or maybe there's a working NSS-style store available there).


Solution 3:

Solution depends on your installation:

  • If you are using an invalid cert, you can force it to be accepted by configuring /etc/openldap/ldap.conf with

    TLS_REQCERT allow
    

    or

    TLS_REQCERT never
    
  • If you are using a valid cert, your LDAP installation probably doesn't know where the store of trusted CA certificates is (this probably depends on your OpenSSL installation). Then you can try to set its location and force the check by configuring /etc/openldap/ldap.conf with

    TLS_CACERT /etc/openldap/cacert
    TLS_REQCERT demand
    

    /etc/openldap/cacert can be this file or one located at any path. It must contain the certificate chain of your CA. It can be a single file with a flat list of trusted certificates.

Note that paths depend on the LDAP provider. It could be /etc/ldap or /etc/openldap or so.
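The three answers above describe one troubleshooting procedure: get the TLS lines out of a -d1 trace (Solution 1), find out which TLS backend the client uses and whether it has a trust store (Solution 2), and check the TLS_REQCERT / TLS_CACERT settings in ldap.conf (Solution 3). The script below is an added example that ties those steps together; it is not code from any of the answers. It assumes a POSIX sh with awk on PATH, and that ldapsearch, ldd and openssl are available for the two functions that call them. The sample ldap.conf contents in the demo are constructed for illustration; the path /etc/openldap/ldap.conf is only the default and should be replaced with whatever the local client actually reads.

```shell
#!/bin/sh
# Added example (not from the original answers): audit an OpenLDAP client's
# TLS trust configuration and pull the TLS lines out of a -d1 trace.

# Print the effective value of a directive from an ldap.conf file.
# Comment lines are skipped; if the directive appears more than once the
# last occurrence wins, which matches how OpenLDAP reads the file.
ldap_conf_get() {
    # $1 = path to ldap.conf, $2 = directive name (e.g. TLS_REQCERT)
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && toupper($1) == key { val = $2 }
        END { print val }
    ' "$1"
}

# Classify the client trust configuration:
#   insecure - TLS_REQCERT allow/never: the server cert is never verified,
#              so the connection works but is open to a man-in-the-middle
#   missing  - verification is on (demand/hard/try, or unset, whose
#              default is demand) but no usable TLS_CACERT / TLS_CACERTDIR
#              is configured: this is the "Can't contact LDAP server" case
#   ok       - verification is on and a trust store path exists
ldap_tls_audit() {
    conf="$1"
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    case "$reqcert" in
        allow|never) echo insecure; return 0 ;;
    esac
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then
        echo ok; return 0
    fi
    if [ -n "$cacertdir" ] && [ -d "$cacertdir" ]; then
        echo ok; return 0
    fi
    echo missing
}

# Report whether ldapsearch is linked against OpenSSL or Mozilla NSS
# (Solution 2's point: an NSS build needs a certutil database, not a
# PEM file or hashdir). Requires ldd; prints "unknown" if neither shows up.
ldap_tls_backend() {
    bin=$(command -v ldapsearch) || { echo unknown; return 0; }
    libs=$(ldd "$bin" 2>/dev/null)
    case "$libs" in
        *libssl*) echo openssl ;;
        *libnss3*|*libnssutil*) echo nss ;;
        *) echo unknown ;;
    esac
}

# Run an anonymous base-level search with -d1 and keep only the TLS lines
# (Solution 1's check). Pass extra ldapsearch options after the URI.
ldap_tls_trace() {
    # $1 = LDAP URI, e.g. ldaps://ldap.example.com
    uri="$1"; shift
    ldapsearch -d1 -H "$uri" -x -b "" -s base "$@" 2>&1 | grep 'TLS:'
}

# Demo on constructed ldap.conf contents (not real system files).
demo() {
    tmp=$(mktemp -d)
    printf 'TLS_REQCERT never\n' > "$tmp/weak.conf"
    printf '# demand is also the default\nTLS_REQCERT demand\nTLS_CACERT /nonexistent/ca.pem\n' > "$tmp/missing.conf"
    printf 'placeholder, not a real certificate\n' > "$tmp/ca.pem"
    printf 'TLS_CACERT %s/ca.pem\n' "$tmp" > "$tmp/good.conf"
    for f in weak missing good; do
        printf '%s: %s\n' "$f.conf" "$(ldap_tls_audit "$tmp/$f.conf")"
    done
    rm -rf "$tmp"
}

demo
```

Typical use on a failing host is `ldap_tls_audit /etc/openldap/ldap.conf` (or /etc/ldap/ldap.conf on Debian-derived systems) followed by `ldap_tls_backend`: a result of "missing" with an OpenSSL backend means a PEM bundle (TLS_CACERT) or a hashed directory built with `c_rehash` or `openssl rehash` (TLS_CACERTDIR) needs to be installed, while an NSS backend needs a certutil database instead. Prefer fixing the trust store over setting TLS_REQCERT to allow or never; the latter makes the symptom disappear by disabling the very check that was protecting the bind credentials.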