So I've got a Solaris 11 ldap client which is talking to a couple of linux servers (one master in another data center, and a slave which is in the local data center.)
When I have it talk to the master, it works fine:
bash-4.1# ldapsearch -x -ZZ -h ldap-master.example.com -b 'ou=groups,dc=example,dc=com' cn=login-prod
But when I talk to the local server it fails immediately:
bash-4.1# ldapsearch -x -ZZ -h ldap-local.example.com -b 'ou=groups,dc=example,dc=com' cn=login-prod
ldap_search: Can't contact LDAP server
However, if I drop the TLS requirement (remove the -ZZ flag) it works fine.
bash-4.1# ldapsearch -x -h ldap-local.example.com -b 'ou=groups,dc=example,dc=com' cn=login-prod
Now the weird thing is that the Linux clients don't have any problem using TLS to either server, and I'm pretty sure it's not a certificate issue, but when I try to pass the debug flag (-d 1), I get the warning "compile with -DLDAP_DEBUG for debugging" and no extra info.
Where should I be looking?
I figured it out. Turns out that linux ldapsearch clients are using TLS, but the -Z flag to the solaris ldapsearch client just forces SSL/ldaps, and there was a misconfiguration in the load balancer for port 636.
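To make the distinction in that answer concrete, here is an added example (not from the post) that builds the StartTLS ExtendedRequest an OpenLDAP-style client sends on the plain LDAP port and classifies the first bytes a load balancer would see on each port: a TLS ClientHello on 636 (ldaps) versus a plain LDAP message on 389 (StartTLS or other). The sample buffers are constructed for illustration.

```python
"""Tell LDAPS apart from StartTLS by the first bytes a client sends.

LDAPS (what the Solaris -Z flag forces): a TLS handshake record from byte 0,
normally on port 636.  StartTLS (OpenLDAP -ZZ): a plain LDAP ExtendedRequest
carrying OID 1.3.6.1.4.1.1466.20037 on port 389, after which TLS starts.
Example code, not from the post; sample buffers below are constructed.
"""
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def starttls_request(msg_id: int = 1) -> bytes:
    """Build the LDAPMessage an OpenLDAP client sends to begin StartTLS."""
    assert 0 <= msg_id < 0x80, "single-byte messageID is enough for this demo"
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID.encode()  # [0] requestName
    ext = b"\x77" + _ber_len(len(name)) + name                              # [APPLICATION 23] ExtendedRequest
    mid = b"\x02\x01" + bytes([msg_id])                                      # INTEGER messageID
    return b"\x30" + _ber_len(len(mid) + len(ext)) + mid + ext               # SEQUENCE LDAPMessage

def _read_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_first_bytes(buf: bytes) -> str:
    """Classify the first client bytes on a socket: ldaps, starttls, or other LDAP."""
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:
        return "ldaps"            # TLS handshake record: the client expects TLS from byte 0
    if not buf or buf[0] != 0x30:
        return "unknown"          # neither TLS nor an LDAPMessage SEQUENCE
    _, i = _read_len(buf, 1)      # skip the SEQUENCE length
    if i >= len(buf) or buf[i] != 0x02:
        return "unknown"
    n, i = _read_len(buf, i + 1)
    i += n                        # skip the messageID value
    tag = buf[i]
    if tag == 0x77:               # ExtendedRequest: check for the StartTLS OID
        _, i = _read_len(buf, i + 1)
        if buf[i] == 0x80:        # [0] requestName
            n, i = _read_len(buf, i + 1)
            if buf[i:i + n].decode(errors="replace") == STARTTLS_OID:
                return "starttls"
        return "ldap-extended"
    return {0x60: "ldap-bind", 0x63: "ldap-search"}.get(tag, "ldap-other")
```

A load balancer that only forwards port 636 to a back end speaking plain LDAP will see the client's TLS record and never answer it in a way the client accepts, which is the "Can't contact LDAP server" symptom above; the same client on 389 without TLS, or a StartTLS client, never hits that path.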