Troubleshooting LDAP

Laboratory machines sometimes lack the intermediate CA certificate needed to trust the LDAP server certificate. To test connectivity independently of certificate verification, prepend the environment variable LDAPTLS_REQCERT=never to the ldapsearch command (this disables server certificate verification for that invocation only):

LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://ldapserver.example.org -b dc=example,dc=org 'uid=adam' -D "cn=admin,dc=example,dc=org" -w adminpassword

There are two cases where explicit intermediate CA configuration is needed:

  • ldapsearch works correctly with LDAPTLS_REQCERT=never but fails without it.
  • ldapsearch works correctly, but database authentication still fails with a PostgreSQL error message such as "LDAP diagnostics: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed".

In either case, you need to define the intermediate CA in $HOME/ldaprc or $HOME/.ldaprc for the yugabyte user. The following example file /home/yugabyte/ldaprc shows the TLS_CACERT option pointing to the CA certificate chain that issued the LDAP server certificate. You need to obtain this CA file and place it locally on each client machine.

TLS_CACERT /etc/ssl/certs/ca-bundle.trust.crt

Setting TLS_CACERT only in the system-wide OpenLDAP configuration file /etc/openldap/ldap.conf does not work; the option must be set in $HOME/ldaprc.
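The diagnosis above, as an added shell helper that is not part of this page or the product's own tooling: it runs the bind from the text once with LDAPTLS_REQCERT=never and once without, to tell a chain-of-trust failure from a connectivity or credential failure, and checks that $HOME/ldaprc or $HOME/.ldaprc carries a TLS_CACERT pointing at a readable file. The LDAP_URI, LDAP_BASE, LDAP_BINDDN, LDAP_BINDPW and LDAP_FILTER variables are assumptions for the example and must be exported by the caller.

```shell
# Added example, not part of the original page: check that the per-user OpenLDAP
# config carries a usable TLS_CACERT, then run the two ldapsearch probes from the
# text to separate a chain-of-trust failure from a connectivity or credential one.
# Assumed, not from the page: caller exports LDAP_URI, LDAP_BASE, LDAP_BINDDN, LDAP_BINDPW, LDAP_FILTER.

# check_ldaprc FILE: print the CA path if FILE sets TLS_CACERT to a readable file;
# return 1 when the option is absent, 2 when the file it names is unreadable.
check_ldaprc() {
    [ -r "$1" ] || return 1
    # Keywords are case-insensitive, as in ldap.conf(5); take the first match.
    ca_path=$(awk 'toupper($1) == "TLS_CACERT" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1")
    [ -n "$ca_path" ] || return 1
    [ -r "$ca_path" ] || return 2
    printf '%s\n' "$ca_path"
}

# user_cacert HOME_DIR: OpenLDAP reads $HOME/ldaprc and then $HOME/.ldaprc; print
# "<rcfile> <ca>" for the first one with a usable TLS_CACERT, else fail.
user_cacert() {
    for f in "$1/ldaprc" "$1/.ldaprc"; do
        if ca=$(check_ldaprc "$f"); then printf '%s %s\n' "$f" "$ca"; return 0; fi
    done
    return 1
}

# ldap_probe [REQCERT]: the bind from the text, optionally with LDAPTLS_REQCERT set.
ldap_probe() {
    env ${1:+LDAPTLS_REQCERT=$1} ldapsearch -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        -D "$LDAP_BINDDN" -w "$LDAP_BINDPW" "$LDAP_FILTER" >/dev/null 2>&1
}
# diagnose_ldap_tls: 1 = no connectivity or bad credentials, 2 = server chain
# not trusted (TLS_CACERT needed), 0 = certificate verification succeeds.
diagnose_ldap_tls() {
    if ! ldap_probe never; then
        echo "bind fails even with LDAPTLS_REQCERT=never: check URI, bind DN, password, network"
        return 1
    fi
    if ! ldap_probe; then
        echo "bind works only without verification: set TLS_CACERT in \$HOME/ldaprc"
        user_cacert "$HOME" || echo "no usable TLS_CACERT in $HOME/ldaprc or $HOME/.ldaprc"
        return 2
    fi
    echo "TLS verification succeeds"
}
# Run the probes only when ldapsearch is installed and a target is configured.
if command -v ldapsearch >/dev/null 2>&1 && [ -n "${LDAP_URI:-}" ]; then
    diagnose_ldap_tls
fi
```

Exit status 2 is the situation this page describes: the bind succeeds with LDAPTLS_REQCERT=never but the server chain is not trusted, so TLS_CACERT must be set in the per-user ldaprc.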