On a CentOS machine ldapsearch was not giving me much love when accessing a Microsoft Global directory server via ldaps on a given port. The error message I got was:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
When turning up the debug level via -d 1, as in
ldapsearch -d 1 -v -H ldaps://servername:portnumber
I got a somewhat more revealing error message:
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
It turns out that a simple line like
TLS_REQCERT never
in ldap.conf makes things better: it tells the client library not to request or verify the server certificate at all, so the unknown-CA error disappears. In my particular install a simple ‘locate ldap.conf’ was a bit misleading. The true location of the config file actually being read can be revealed via:
strace ldapsearch -v -H ldaps://servername:portnumber 2>&1 | grep ldap.conf
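As an added example (not code from the original post), here is a small POSIX shell audit that flags the weak TLS_REQCERT setting once you have located the ldap.conf that ldapsearch really reads, and shows the verifying form (TLS_REQCERT demand plus a TLS_CACERT pointing at the issuing CA) beside it. The two sample config files it writes and the CA bundle path /etc/openldap/certs/gc-issuer-ca.pem are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a client ldap.conf for the TLS_REQCERT setting.
# Exit status: 0 = certificate verification demanded, 1 = weak, 2 = unrecognised.
audit_ldap_conf() {
    conf="$1"
    # Last uncommented occurrence wins; the library default when absent is "demand".
    reqcert=$(grep -iE '^[[:space:]]*TLS_REQCERT[[:space:]]+' "$conf" \
              | tail -n 1 | awk '{print tolower($2)}')
    cacert=$(grep -iE '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+' "$conf" \
             | tail -n 1 | awk '{print $2}')
    [ -n "$reqcert" ] || reqcert=demand
    case "$reqcert" in
        never|allow|try)
            echo "WEAK: TLS_REQCERT $reqcert does not require a verified server certificate ($conf)"
            return 1 ;;
        demand|hard)
            if [ -n "$cacert" ]; then
                echo "OK: TLS_REQCERT $reqcert, trust anchors from $cacert ($conf)"
            else
                echo "OK: TLS_REQCERT $reqcert, no TLS_CACERT set; the issuer must be in the default trust store or you get 'unable to get local issuer certificate' ($conf)"
            fi
            return 0 ;;
        *)
            echo "UNKNOWN: TLS_REQCERT '$reqcert' ($conf)"
            return 2 ;;
    esac
}

# Constructed sample configs (not the original post's files).
TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/weak-ldap.conf"
FIXED_CONF="$TMPD/fixed-ldap.conf"

# The workaround from the post: verification switched off.
cat > "$WEAK_CONF" <<'EOF'
URI ldaps://servername:portnumber
TLS_REQCERT never
EOF

# The fix that keeps verification: trust the issuing CA instead (placeholder path).
cat > "$FIXED_CONF" <<'EOF'
URI ldaps://servername:portnumber
TLS_CACERT /etc/openldap/certs/gc-issuer-ca.pem
TLS_REQCERT demand
EOF

audit_ldap_conf "$WEAK_CONF" || true
audit_ldap_conf "$FIXED_CONF" || true
```

Run it against the path that the strace command above reveals to see which of the two shapes your live config has.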