
Re: Starting TLS from configuration file



Kent Soper <dksoper@us.ibm.com> writes:

> I've been spinning wheels over how to start TLS in a configuration file.  I
> would like to always force a TLS encrypted connection over ldap:// ports
> without any TLS code in my applications.  Is this even possible with
> OpenLDAP 2.1.17?
>
> Any help would be appreciated.
>
> But when I remove ldap_start_tls_s() from the test and try to add various
> TLS directives to ldap.conf as has been suggested in this forum, I either
> do not see a TLS handshake or I can't connect to the server.
>
> I've tried adding the following directives:
> security tls=128, ssf=128  // in slapd.conf
> ssl start_tls
> tls hard
> StartTLS
> Start_TLS
> start_tls

'ssl start_tls' is NOT an OpenLDAP directive but a PAM directive.
Don't forget that STARTTLS is client oriented, that is, the server
offers the ability but the client has to accept the server's
certificate and initiate an encrypted connection. In other words, a
client has to be enabled and configured to start a TLS connection. OpenLDAP
clients are configured by means of the flag -Z.

-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour
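An added configuration example, not taken from the thread, that puts both halves of the answer together: the server side refuses operations that are not protected by TLS, and the client side verifies the server certificate and initiates STARTTLS itself. Host name, file paths and the search base are placeholders.

```conf
# --- slapd.conf (server) ---
# Server certificate and the CA that signed it (placeholder paths).
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem

# Require a security strength factor of 128 for every operation.
# A client that talks plain LDAP on the ldap:// port can still connect
# and send StartTLS, but any other operation before TLS is up is refused
# with "confidentiality required". Factors are space separated, no comma.
security ssf=128

# --- ldap.conf (client, e.g. /etc/openldap/ldap.conf) ---
# CA used to verify the certificate the server presents during StartTLS.
TLS_CACERT  /etc/openldap/cacert.pem
# Reject the connection if the server certificate cannot be verified.
TLS_REQCERT demand

# --- client invocation ---
# The client must still ask for StartTLS; -ZZ makes the tool abort if the
# TLS handshake fails instead of silently continuing in clear text.
#   ldapsearch -x -ZZ -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=kent)"
```

With `security ssf=128` in place, the same search without `-Z` fails at the server with "confidentiality required", which is the behaviour that makes the policy enforceable rather than a matter of client good will.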