Recently, while configuring LDAP over TLS (ldaps://) on CentOS, I ran into a puzzling situation: openssl s_client validated the server certificate without complaint, but OpenLDAP tools like ldapwhoami, and the PAM modules built on the same client library, rejected it with TLS error -8172. Here's how I diagnosed and fixed it.
The key error message indicates a trust-chain problem:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
The error comes from client-side certificate validation, even though the CA certificate is installed in /etc/ssl/certs (on CentOS a symlink to /etc/pki/tls/certs). The code itself is the first clue: -8172 is an NSS error (SEC_ERROR_UNTRUSTED_ISSUER), not an OpenSSL one, so the LDAP client library is not using the same TLS stack, and therefore not the same trust store, as openssl s_client.
First, verify the certificate chain manually with OpenSSL, which reads the hashed CApath directory directly:
openssl s_client -connect ldap.domain.tld:636 -CApath /etc/ssl/certs -showcerts
Then check OpenLDAP's trust store configuration in /etc/openldap/ldap.conf:
# For system-wide OpenLDAP configuration
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT allow
Note that TLS_REQCERT allow tells the client to proceed even when the server certificate fails validation. It is useful only to confirm that the rest of the connection works; the production setting is demand, which is also the default.
The fundamental issue is that on CentOS/RHEL 6 and 7 the OpenLDAP client library is built against Mozilla NSS rather than OpenSSL, so its trust store handling differs from what openssl s_client does:
- With TLS_CACERTDIR, the MozNSS build looks either for an NSS certificate database or for PEM files named by subject hash (<hash>.0, the layout OpenSSL's c_rehash produces); a CA file under any other name in that directory is not picked up
- Simply placing the .pem file in /etc/ssl/certs therefore isn't sufficient, and update-ca-trust does not create hash links in /etc/pki/tls/certs either
- The trust store location usually needs explicit configuration; TLS_CACERT, which takes a single bundle file, is the least fragile option
Here's the complete fix sequence:
# Install the CA certificate into the system trust store
cp your-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
# Point OpenLDAP at the extracted bundle explicitly
echo "TLS_CACERT /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" >> /etc/openldap/ldap.conf
# Alternative approach using a hashed directory ("openssl rehash" exists only in OpenSSL 1.1 and later;
# CentOS 7 ships 1.0.2, so use c_rehash from the openssl-perl package there)
openssl rehash /etc/ssl/certs
Neither tool handles a multi-certificate bundle such as ca-bundle.crt (c_rehash links only the first certificate in a file, openssl rehash skips the file), so if you go the TLS_CACERTDIR route keep your CA in its own file, ideally in its own directory.
Test with both methods:
# Method 1: Direct OpenSSL validation
openssl verify -CApath /etc/ssl/certs /path/to/server.crt
# Method 2: OpenLDAP test over ldaps:// on 636 (for StartTLS on 389 use -H ldap://ldap.domain.tld -ZZ instead)
ldapwhoami -x -H ldaps://ldap.domain.tld -d 1
-ZZ requests StartTLS and makes sense only on a plain ldap:// connection; combining it with an ldaps:// URI asks the server to start TLS on a session that is already encrypted, which fails for an unrelated reason.
For enterprise environments, consider these settings:
# In /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT demand
TLS_CRLCHECK all
TLS_REQCERT demand (the default) makes a failed validation fatal, which is the only setting that actually protects the bind credentials. TLS_CRLCHECK all requires TLS_CACERTDIR to be set and a current CRL for every CA in the chain to be present there (for the OpenSSL build, hashed as <hash>.r0); without the CRLs every connection fails rather than silently skipping the check, so enable it only once CRL distribution is in place. On the MozNSS build ldap.conf(5) documents TLS_CRLFILE instead; check your distribution's man page.
When things still don't work:
- Raise the client debug level with -d 1 (or -d -1 for everything) on the ldap* command and read the TLS: lines
- Check
strace -f -e trace=file ldapwhoami -x -ZZ ...
to see exactly which files and directories the client opens
- Verify the SELinux context with
ls -Z /etc/ssl/certs/
and look for denials with ausearch -m AVC -ts recent
I recently encountered a puzzling situation where OpenSSL's s_client successfully verified an LDAPS certificate, while OpenLDAP tools like ldapwhoami stubbornly refused to trust the same certificate:
# LDAPTLS_CACERTDIR=/etc/ssl/certs/ ldapwhoami -x -ZZ -H ldaps://ldap.domain.tld
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
# openssl s_client -connect ldap.domain.tld:636 -CApath /etc/ssl/certs
<... successful tls negotiation stuff ...>
Verify return code: 0 (ok)
After digging through the OpenLDAP documentation and source code, I discovered this occurs because:
- On CentOS/RHEL 6 and 7 the OpenLDAP client library is built against Mozilla NSS rather than OpenSSL (the -8xxx error codes are NSS's), so it does not share OpenSSL's trust store behaviour
- With that build, LDAPTLS_CACERTDIR expects either an NSS certificate database or PEM files in the hashed naming scheme that OpenSSL's c_rehash produces
- CentOS/RHEL do not maintain such hash links in /etc/pki/tls/certs; update-ca-trust only writes the bundle files
First, check whether your CA certificates are hashed:
ls -l /etc/ssl/certs/ | grep '\.pem'
# Should show symbolic links like:
# lrwxrwxrwx. 1 root root 49 Mar 15 2022 f4567890.0 -> GlobalSign_Root_CA.pem
If you don't see these hash links, generate them:
yum install openssl-perl
c_rehash /etc/ssl/certs/
c_rehash links only the first certificate in each file, so it must be run over a directory in which your CA sits in its own file; a link to ca-bundle.crt covers only the first CA in the bundle.
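The two rehash procedures above (openssl rehash / c_rehash on the CA directory) are easy to get subtly wrong: a key file in the same directory, a bundle instead of a single certificate, or a missing link for just one CA. The following is an added example, not code from the original post, that builds the hashed layout itself and then checks that every certificate in the directory is actually reachable the way a CApath lookup (and, as described above, the CentOS/RHEL OpenLDAP build's TLS_CACERTDIR) resolves it. It assumes a POSIX sh, the openssl CLI and readlink; the directory and file names are illustrative.

```sh
# Added example, not code from the original post. It builds and checks a CA
# directory in the hashed layout (<subject_hash>.N -> file) that OpenSSL's
# CApath lookup and, as described above, the CentOS/RHEL OpenLDAP build's
# TLS_CACERTDIR expect. Assumptions: POSIX sh, the openssl CLI, readlink,
# and one CA certificate per *.pem/*.crt file in the directory.

# hash_ca_dir DIR
# Create the <hash>.N symlink for every certificate file in DIR. Files that
# are not certificates (private keys, for instance) are skipped, an existing
# link to the same file is left alone, and a hash collision gets the next
# suffix (.1, .2, ...), the same rule c_rehash follows.
hash_ca_dir() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        base=$(basename "$f")
        n=0
        while [ -e "$dir/$h.$n" ]; do
            [ "$(readlink "$dir/$h.$n")" = "$base" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$base" "$dir/$h.$n"
    done
}

# check_ca_dir DIR
# Return 0 when every certificate in DIR is reachable through a hash link,
# 1 otherwise, naming the files that a CApath lookup would never find.
check_ca_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        base=$(basename "$f")
        found=0
        for l in "$dir/$h".[0-9]*; do
            [ -L "$l" ] && [ "$(readlink "$l")" = "$base" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $base (expected $dir/$h.N)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# verify_in_dir DIR CERT
# Return 0 if CERT chains to a trust anchor found through DIR's hash links,
# i.e. the same lookup the LDAP client performs with TLS_CACERTDIR set to DIR.
verify_in_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Typical use (paths are illustrative):
#   mkdir -p /etc/openldap/cacerts && cp your-ca.pem /etc/openldap/cacerts/
#   hash_ca_dir /etc/openldap/cacerts && check_ca_dir /etc/openldap/cacerts
#   verify_in_dir /etc/openldap/cacerts /path/to/server.crt && echo trusted
```

verify_in_dir uses openssl verify, which on top of -CApath still consults OpenSSL's default trust locations; on OpenSSL 1.1 and later add -no-CAfile -no-CApath to the openssl verify call if you want the directory to be the only source of trust during the check.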
If the hash links exist but OpenLDAP still complains, try these approaches (-ZZ is omitted here: it requests StartTLS, which applies to ldap:// URIs, while an ldaps:// connection is already encrypted):
# Method 1: Use CACERT (a single bundle file) instead of CACERTDIR
LDAPTLS_CACERT=/etc/ssl/certs/ca-bundle.crt ldapwhoami -x -H ldaps://ldap.domain.tld
# Method 2: Confirm that validation is the only problem. This does NOT make the client use the system trust store; it ignores a failed check
export LDAPTLS_REQCERT=allow
ldapwhoami -x -H ldaps://ldap.domain.tld
# Method 3: Explicitly specify your own CA certificate (for testing)
LDAPTLS_CACERT=/path/to/your/ca.pem ldapwhoami -x -H ldaps://ldap.domain.tld
If Method 2 succeeds where Method 1 fails, the client simply is not finding the issuer. Fix the CA path and leave TLS_REQCERT at demand; shipping allow means any certificate, including one presented by a man in the middle, is accepted.
For system-wide configuration, edit /etc/openldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT demand
Or for PAM/LDAP authentication in /etc/pam_ldap.conf:
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
tls_checkpeer yes
Use TLS_REQCERT allow and tls_checkpeer no only while diagnosing: both make the client accept any certificate, so anyone on the network path can present their own and collect the bind credentials that PAM sends.
Enable verbose debugging to see exactly where certificate validation fails:
ldapwhoami -x -d 1 -H ldaps://ldap.domain.tld
Check whether the certificate chain the server sends is complete:
openssl s_client -showcerts -connect ldap.domain.tld:636 -CApath /etc/ssl/certs
If the server sends only its leaf certificate, the client has to have the intermediate in its own store to validate it, which is exactly the store the LDAP client is struggling with; the more robust fix is on the server side, configuring it to send the full chain up to (but not necessarily including) the root.
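Reading the -showcerts output by eye is error-prone once there are intermediates. The following is an added example, not code from the original post, that takes the raw s_client output (chatter included), walks the presented chain to confirm each certificate is issued by the next one, and then verifies the leaf against a CA file you trust, with the intermediates treated as untrusted so only that file acts as trust anchor. It assumes a POSIX sh, awk, sed and the openssl CLI; the file names are illustrative.

```sh
# Added example, not code from the original post. It walks the chain that
# `openssl s_client -showcerts` prints (surrounding chatter included) and
# confirms it is complete: each certificate's issuer must be the subject of
# the next one, and the leaf must verify against a CA you trust. Assumptions:
# POSIX sh, awk, sed and the openssl CLI; file names are illustrative.

# split_chain FILE OUTDIR
# Write each PEM certificate found in FILE to OUTDIR/1.pem, OUTDIR/2.pem, ...
# in presentation order (s_client prints the leaf first). Lines outside the
# BEGIN/END markers are ignored, so raw s_client output can be fed straight in.
split_chain() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { inside = 0; close(d "/" n ".pem") }
    ' "$1"
}

# x509_field CERT subject|issuer
# Print the DN without the "subject=" / "issuer=" prefix, so the issuer of one
# certificate can be compared with the subject of the next regardless of
# whether this openssl prints "/CN=x" (1.0) or "CN = x" (1.1 and later).
x509_field() {
    openssl x509 -noout "-$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# check_chain FILE CAFILE
# Return 0 when the chain in FILE links end to end and the leaf verifies
# against CAFILE (the presented certificates are passed to openssl as
# untrusted, so only CAFILE acts as trust anchor). Otherwise report the
# break on stderr and return 1.
check_chain() {
    tmp=$(mktemp -d)
    split_chain "$1" "$tmp"
    n=0
    while [ -f "$tmp/$((n + 1)).pem" ]; do n=$((n + 1)); done
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(x509_field "$tmp/$i.pem" issuer)
        subject=$(x509_field "$tmp/$((i + 1)).pem" subject)
        if [ "$issuer" != "$subject" ]; then
            echo "chain breaks after cert $i: issuer '$issuer' is not the subject of cert $((i + 1)) ('$subject')" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    cat "$tmp"/[0-9]*.pem > "$tmp/untrusted.pem"
    if ! openssl verify -CAfile "$2" -untrusted "$tmp/untrusted.pem" "$tmp/1.pem" >/dev/null 2>&1; then
        echo "issuer of the last presented cert ('$(x509_field "$tmp/$n.pem" issuer)') is not in $2: the server's chain does not reach your trust anchor" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Typical use against a live server (host and paths are illustrative):
#   openssl s_client -showcerts -connect ldap.domain.tld:636 </dev/null > /tmp/chain.txt
#   check_chain /tmp/chain.txt /etc/pki/tls/certs/ca-bundle.crt && echo "chain complete"
```

A chain that passes check_chain against the bundle you hand to TLS_CACERT but still fails in ldapwhoami points squarely at the client's trust store configuration rather than at the server; a chain that breaks between two presented certificates, or whose last issuer is not in the bundle, is a server-side problem that no client setting short of disabling validation will paper over.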