Re: Netscape to slapd with SSL anonymous OK, login fails

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 07:43 PM 10/15/00 +0000, Jim Hud wrote:
>Can someone help me understand the problem here please.  It looks like a bug
>in Netscape or slapd (but I have been wrong before).

I've been using Netscape's ldaps:// with slapd without any significant
problems.  I've also tested against numerous other clients (ldaps://
and StartTLS) against slapd.   However, I'm not using the NT port of
slapd.

You're welcome to test your client's against the project's LDAP
server: ldap://ldap.openldap.org (StartTLS) or ldaps://ldap.openldap.org.
With some clients, you may have to use www.openldap.org instead of
ldap.openldap.org due to DNS and Certificate issues.

>Environment: OpenLDAP 2.0.6 NT4 compiled with HAVE_CYRUS_SSL undefined,
>configured for TLS/SSL using OpenSSL 0.9.6.  Own demo CA and certificate in
>use.  Certificate installed in client using Netscape browser
>(https://myserver:636) as per Julio, openldap-devel/199908/msg00039.html
>
>ldapsearch -Z appears to work OK in all four modes (Anon/Login SSL/No SSL)

Note that -Z issues a Start TLS operations but does not require
it to be successful.  Use -ZZ to require successful Start TLS.

Also note that StartTLS is quite different than LDAP over SSL (ldaps://).
The former is the Standard Track mechanism to initiate TLS within
the LDAP session.  The latter is a deprecated mechanism to operate
LDAP over SSL.  Both mechanisms may be used to provide integrity
and privacy protections but are not interoperable.  OpenLDAP 2.0
supports BOTH mechanisms.

I'm not familiar with the NT port...  the logs actually look
fine if you assume the shutdown is intentional.

>slap_sig_shutdown: signal 2