ldapsearch over SSL (i.e. ldaps://) does not work while a simple search (i.e. ldap://) works.

Article ID: 214321

Updated On:

Products

CA Directory

Issue/Introduction

You are able to connect with ldap:// to Symantec Directory DSA, but unable to connect via ldaps://.

e.g.
ldapsearch -x -H ldap://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (WORKS)
ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001" (DOES NOT WORK)

You have confirmed the certs are in good health.
When setting the trace log level to 'all', you may see: 

! [0] Accepting call from TCP 11.111.11.1111:1111
! [1] GetRemoteHostName: No host name
! [1] Call closed 18

Environment

Release : 14.0

Component : CA Directory

Cause

The problem can be caused by the environment variable LDAPTLS_CACERT not being set. The 'ldapsearch' command line tool requires it in order to find the CA certificate it uses to verify the DSA's server certificate during the TLS handshake; without it the client aborts the connection, which the DSA trace records as the call being closed right after it is accepted.

Resolution

For the Directory tools (i.e. DXtools such as dxsearch, dxmodify etc.) the same requirement is documented, but there the variable is called LDAPCONF, as referenced here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-ssl-encryption/configuring-the-dxtools-to-use-ssl.html

For the OpenLDAP tools, which are outside the Directory product, the requirement is to set the LDAPTLS_CACERT environment variable in the same way as LDAPCONF described above.

e.g.
export LDAPTLS_CACERT=/etc/openldap/cacerts.pem

followed by:

ldapsearch -x -H ldaps://FQDN:10389 -LLL -b "dc=company,dc=com" -s sub "uid=id001"

Note that the variable must be exported into the shell (or prefixed to the command itself, as in "LDAPTLS_CACERT=/etc/openldap/cacerts.pem ldapsearch ..."); running "env LDAPTLS_CACERT=..." on its own line only prints the environment and does not set the variable for the ldapsearch that follows.
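The following wrapper is an added example, not part of this article or the CA Directory product. It checks that the CA bundle named by LDAPTLS_CACERT actually exists and contains a PEM certificate before attempting the ldaps:// search, so a missing or empty bundle is reported on the client side instead of showing up only as a "Call closed" in the DSA trace. The path /etc/openldap/cacerts.pem, the host FQDN, port 10389 and the search base/filter are the article's own values; the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: pre-flight check for the LDAPTLS_CACERT bundle, then an
# ldaps:// search with the variable scoped to the ldapsearch invocation only.

# check_cacert FILE
# Returns 0 when FILE is set, readable and holds at least one PEM certificate
# block; returns 1 (with a reason on stderr) otherwise.
check_cacert() {
    f="$1"
    if [ -z "$f" ]; then
        echo "LDAPTLS_CACERT is not set" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "CA bundle not readable: $f" >&2
        return 1
    fi
    # An empty file or a file that is not PEM will make ldapsearch abort the
    # TLS handshake, which is what the DSA trace shows as "Call closed".
    if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
        echo "no PEM certificate block found in $f" >&2
        return 1
    fi
    return 0
}

# ldaps_search CACERT HOST PORT BASE FILTER
# Runs the article's search over ldaps://, exporting LDAPTLS_CACERT only for
# the ldapsearch process (no export into the caller's shell is needed).
ldaps_search() {
    cacert="$1"; host="$2"; port="$3"; base="$4"; filter="$5"
    check_cacert "$cacert" || return 1
    LDAPTLS_CACERT="$cacert" ldapsearch -x -H "ldaps://$host:$port" -LLL \
        -b "$base" -s sub "$filter"
}

# Usage (values from the article; the CA path falls back to the article's
# example location when LDAPTLS_CACERT is not already set):
#   ldaps_search "${LDAPTLS_CACERT:-/etc/openldap/cacerts.pem}" FQDN 10389 \
#       "dc=company,dc=com" "uid=id001"
```

If check_cacert passes but the search still fails, compare the CA that issued the DSA's server certificate with the contents of the bundle: ldapsearch will only accept the DSA certificate if its issuing CA is in the file named by LDAPTLS_CACERT.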