ldapsearch over SSL (i.e. ldaps://) does not work while a simple search (i.e. ldap://) works.

Article ID: 214321


Products

CA Directory

Issue/Introduction

You are able to connect to the Symantec Directory DSA with ldap://, but unable to connect via ldaps://.

e.g.
ldapsearch -x -H ldap://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (WORKS)
ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (DOES NOT WORK)

You have confirmed that the certificates are in good health.
When the DSA trace log level is set to 'all', you may see:

! [0] Accepting call from TCP 11.111.11.1111:1111
! [1] GetRemoteHostName: No host name
! [1] Call closed 18

Cause

The problem can be caused by the LDAPTLS_CACERT environment variable not being set. The 'ldapsearch' command line tool requires it in order to find the CA certificate used to verify the DSA's server certificate.

Environment

Release : 14.0

Component : CA Directory

Resolution

For the Directory tools (the DXtools such as dxsearch, dxmodify, etc.) the same requirement is documented, but there the variable is called LDAPCONF, as described here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-ssl-encryption/configuring-the-dxtools-to-use-ssl.html

For the LDAP tools, which are outside the Directory product, the requirement is to set the LDAPTLS_CACERT environment variable in the same way as LDAPCONF above.

e.g.
export LDAPTLS_CACERT=/etc/openldap/cacerts.pem

followed by:

ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001"

Note that running 'env LDAPTLS_CACERT=/etc/openldap/cacerts.pem' on its own only prints the environment and does not set the variable for later commands; either export it as above, or prefix the single command:

env LDAPTLS_CACERT=/etc/openldap/cacerts.pem ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001"
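The following wrapper is an added example and is not part of this article or of the CA Directory product. It checks that the file named in LDAPTLS_CACERT is actually a readable PEM certificate bundle before any LDAPS connection is attempted (a missing or wrong path is the usual reason the variable "does not help"), and passes the variable on the ldapsearch command itself so that it cannot be lost between an 'env' call and the search. The host, port, base DN and filter are the ones used above; the CA path and the LDAPS_DRY_RUN switch are assumptions made for the example, and the certificate file created in the demonstration is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the KB article): run ldapsearch over LDAPS with
# LDAPTLS_CACERT validated and set for that one command only.
# Host/port/base/filter follow the article; the CA path is an assumption.

# Return 0 if the path is a readable file containing at least one
# PEM-encoded certificate, 1 otherwise.
tls_ca_file_ok() {
    ca="$1"
    [ -r "$ca" ] && grep -q 'BEGIN CERTIFICATE' "$ca"
}

# Run an LDAPS search with LDAPTLS_CACERT set for this command only.
# Usage: ldaps_search CA_FILE HOST PORT BASE_DN FILTER
# Returns 2, without contacting the server, when the CA file is unusable.
# With LDAPS_DRY_RUN=1 the command line is printed instead of executed
# (hypothetical switch, used here so the example runs offline).
ldaps_search() {
    ca="$1"; host="$2"; port="$3"; base="$4"; filter="$5"
    if ! tls_ca_file_ok "$ca"; then
        echo "LDAPTLS_CACERT=$ca is missing, unreadable or not a PEM certificate" >&2
        return 2
    fi
    if [ "${LDAPS_DRY_RUN:-0}" = "1" ]; then
        echo "env LDAPTLS_CACERT=$ca ldapsearch -x -H ldaps://$host:$port -LLL -b \"$base\" -s sub \"$filter\""
        return 0
    fi
    env LDAPTLS_CACERT="$ca" ldapsearch -x -H "ldaps://$host:$port" -LLL -b "$base" -s sub "$filter"
}

# Demonstration with a constructed stand-in for the CA bundle (a placeholder
# PEM marker, not a real certificate) so both checks run offline.
demo_ca="${TMPDIR:-/tmp}/cacerts-example.$$.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$demo_ca"

LDAPS_DRY_RUN=1
ldaps_search "$demo_ca" FQDN 10389 "dc=company,dc=com" "uid=id001"
ldaps_search /nonexistent/cacerts.pem FQDN 10389 "dc=company,dc=com" "uid=id001"
echo "exit status with a missing CA file: $?"

rm -f "$demo_ca"
```

With LDAPS_DRY_RUN unset, the function runs the real ldapsearch; the CA-file check still runs first, so a typo in the path is reported immediately rather than surfacing as a closed TLS connection in the DSA trace.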