[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap-ssl trouble .....

To: <openldap-software@OpenLDAP.org>
Subject: Re: ldap-ssl trouble .....
From: "Kaufmann Lionel" <wayne-cci@noos.fr>
Date: Thu, 14 Feb 2002 16:12:54 +0100
References: <NMEFLNHODBAOPDKNNJALMEIICFAA.hyc@highlandsun.com>

Thanks a lot for you explanation Mister Chu !!
Some light in the darkness....

So there is two way to work with TLS / SSL

1)  Normal connection on port 389 ( or an another you can specify when
lounching the server and in the client, that was my mistake :-/ )  and then
turn TLS/SSL with the start TLS request  ( -Z option )!
In this way you don't need to run ldaps://

I verified it : only lounch the normal server ( and retired the port number
636 in my ldap.conf  sigh' ) #>ldapsearch -x -Z -b o=societe.fr sn=Wayne
works better ( i still have an error but it's with the certificate,  i will
work on it a little bit more to find how to correct....)

But with this way the identification / connexion is established in clear....

2) Full secured communication ( connection && data ) with the ldaps://
server on port 636 where SSL take  !

This is the way i would prefer because password would be crypted....

This is not standard ?
Can I use ldapsearch to communicate with such a server ? If yes, how ?

Thanks for every help...
Best reguards

----- Original Message -----
From: "Howard Chu" <hyc@highlandsun.com>
To: "Kaufmann Lionel" <wayne-cci@noos.fr>; <openldap-software@OpenLDAP.org>
Sent: Thursday, February 14, 2002 1:52 PM
Subject: RE: ldap-ssl trouble .....


> Port 636 is used for LDAP on SSL. This means that SSL is part of the
> connection from the very beginning. This is the way SSL was used with
> LDAPv2, but is not
> part of any documented standard. The "-Z" option to ldapsearch uses the
> Start TLS request which is defined in LDAPv3. This assumes a connection
that
> was created in the clear, and which then has TLS/SSL activated on it in
> response to this Start TLS request.
>
> By setting up your ldap.conf in this manner you're trying to initiate a
> clear text connection on a port that is expecting SSL, which obviously
> doesn't work. If you're going to use Start TLS you don't need to use port
> 636 at all. If you want to use port 636, you cannot use Start TLS on that
> port because TLS will already be active before any LDAP requests can be
> processed.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>

Follow-Ups:
- Re: ldap-ssl trouble .....
  - From: "Carl J Meyer" <carljm@goshen.edu>

References:
- RE: ldap-ssl trouble .....
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: ldap && /etc/pam.d/system-auth
Next by Date: Re: ldap && /etc/pam.d/system-auth
Index(es):
- Chronological
- Thread