Troubleshooting
Problem
LDAP Search "Can't contact LDAP server" because "Peer's Certificate issuer is not recognized"
Symptom
ldapsearch fails as follows:
TLS: certdb config: configDir='/nz/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/nz/certs', error -8018:Unknown PKCS #11 error.
TLS: skipping 'IBMIssuingCA1.zip' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMAutoEnrollmentCA1.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMIssuingCA1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMAutoEnrollmentCA1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMInternalRootCA1.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMIssuingCA1.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'IBMInternalRootCA1.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=test@ibm.com,CN=ldapssl,O=IBM,L=Miami,ST=FL,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Cause
The client cannot establish who issued the LDAP server's certificate. The output shows why: the NSS certificate database at /nz/certs cannot be opened (error -8018), and the CA files placed in that directory (IBMInternalRootCA1.pem, IBMIssuingCA1.pem and the .crt copies) are skipped because their names are not in the form the client scans for, a certificate subject hash with a numeric suffix. No trusted CA is loaded, so the server certificate [CN=ldapssl,O=IBM,...] cannot be chained to a known issuer (error -8179) and the bind fails before any credentials are sent.
Resolving The Problem
If you are using self-signed certificates (or a private CA the client does not yet trust), add TLS_REQCERT allow to /etc/pam_ldap.conf (RHEL 6.x) or /etc/ldap.conf (RHEL 5.x), to /etc/openldap/ldap.conf, and to /nz/data/config/pam_ldap.conf. This lets the client accept certificates it cannot validate. Note what that means: with TLS_REQCERT allow the client still requests the server certificate but proceeds when the issuer is unknown, so the bind is no longer protected against a host impersonating the LDAP server, and the password sent in the simple bind goes to whoever answers. Prefer it only as a short-term workaround. The durable fix is to make the certificate validatable: place the issuing CA file in the directory the client reads (TLS_CACERTDIR, /nz/certs in the output above) under the name format the skipped-file messages ask for, the certificate subject hash followed by a numeric suffix such as <subject-hash>.0, or point TLS_CACERT at the CA PEM file, and leave TLS_REQCERT at its default of demand.
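The following script is an added example for this technote, not IBM's code or a Netezza utility. It shows the two fixes side by side: installing the CA file under the hash-with-suffix name the client expects, and checking whether an ldap.conf-style file has been left with TLS_REQCERT allow or never (verification off) and rewriting it to trust the CA directory with TLS_REQCERT demand. The directory /nz/certs, the file name IBMInternalRootCA1.pem and the script name are taken from or modelled on the page; openssl on PATH and the TLS_CACERTDIR/TLS_REQCERT directive names (OpenLDAP ldap.conf syntax, which the resolution above applies to all three files) are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): make the LDAP server certificate validatable
# instead of relaxing TLS_REQCERT. Assumes openssl is on PATH; paths are
# illustrative.

# Link a CA PEM file into TLS_CACERTDIR under the name OpenLDAP scans for:
# <subject hash>.<n> (the "certificate hash with numeric suffix" from the
# error output), using the first unused suffix. Prints the link created.
install_ca_hashed() {
    cadir=$1
    pem=$2
    [ -d "$cadir" ] || { echo "no such directory: $cadir" >&2; return 1; }
    hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
    abs=$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")
    n=0
    while [ -e "$cadir/$hash.$n" ] || [ -L "$cadir/$hash.$n" ]; do
        if cmp -s "$cadir/$hash.$n" "$abs"; then   # this CA is already installed
            printf '%s\n' "$cadir/$hash.$n"
            return 0
        fi
        n=$((n + 1))                                # different cert, same hash: next suffix
    done
    ln -s "$abs" "$cadir/$hash.$n" || return 1
    printf '%s\n' "$cadir/$hash.$n"
}

# Print the effective TLS_REQCERT of an ldap.conf-style file (last directive
# wins; OpenLDAP's default is "demand"). Returns 1 when the setting turns
# server-certificate verification off ("allow" or "never").
tls_reqcert_status() {
    val=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
               END { print (v == "" ? "demand" : v) }' "$1")
    printf '%s\n' "$val"
    case $val in
        allow|never) return 1 ;;
        *)           return 0 ;;
    esac
}

# Rewrite a config so it trusts $cadir and verifies the server certificate:
# drop existing TLS_REQCERT/TLS_CACERTDIR lines, append the hardened ones,
# keep the original as <file>.bak.
harden_ldap_conf() {
    conf=$1
    cadir=$2
    cp "$conf" "$conf.bak" || return 1
    awk 'toupper($1) != "TLS_REQCERT" && toupper($1) != "TLS_CACERTDIR"' \
        "$conf.bak" > "$conf" || return 1
    printf 'TLS_CACERTDIR %s\nTLS_REQCERT demand\n' "$cadir" >> "$conf"
}

# Stand-alone use (illustrative paths):
#   sh ldap_ca_fix.sh /nz/certs /nz/certs/IBMInternalRootCA1.pem \
#       /etc/openldap/ldap.conf /nz/data/config/pam_ldap.conf
if [ $# -ge 3 ]; then
    cadir=$1; pem=$2; shift 2
    install_ca_hashed "$cadir" "$pem" || exit 1
    for f in "$@"; do
        if ! tls_reqcert_status "$f" >/dev/null; then
            harden_ldap_conf "$f" "$cadir"
        fi
    done
fi
```

After installing the CA, rerun ldapsearch with the same TLS debugging: the "skipping ... filename does not have expected format" lines should disappear for the hash-named file and the -8179 issuer error should be gone. If the directory is an NSS database rather than PEM files, the certdb open error (-8018) is the one to chase instead.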
Document Information
Modified date:
17 October 2019
UID
swg21975816