Re: ldaps vs -ZZ
Because "ldaps" indicates an SSL wrapped service that runs on a port
other than the standard "ldap" port (ldap runs on 389, ldaps runs on
636).
When you give ldapsearch the -ZZ flag you are asking it to use "in-band"
SSL/TLS by using the STARTTLS command. In other words when you use the
-ZZ option ldapsearch is expecting a cleartext ldap connection that it
will then secure by using STARTTLS. -ZZ should work fine if you specify
the cleartext ldap port (389) rather than the SSL wrapped ldaps port
(636).
Ben
* Adam Gautier <adam_gautier@yahoo.com> [040211 13:52]:
> Why does 'ldapsearch -x -H ldaps://myserver.com "cn=*"' work but
> 'ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ' fail? Both are using
> TLS but the second one returns:
>
> Client:
> %> ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ
> ldap_bind: Can't contact LDAP server (81)
>
> Server:
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 30 0c 02 01 01 60 07 02 01 03 04 0....`.....
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:585
> connection_read(7): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=7 for close
> connection_close: conn=0 sd=7
>
> Any help would be great and I can provide more info if needed. I have
> searched message archives about this to no avail. Any help would be great
> and greatly appreciated, Thanks.
>
> Adam
>
--
_______________________________________________________________________
Ben Poliakoff email: benp@imap.reed.edu
Reed College tel: 503-788-6674
Unix System Administrator PGP key: 0x6AF52019
PGP fingerprint: A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
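The server trace above shows the mismatch directly: slapd on port 636 was waiting for a TLS ClientHello and instead read eleven bytes starting with 0x30, a cleartext LDAP bind request, which is why OpenSSL reported "unknown protocol". The following is an added example, not code from this thread or from OpenLDAP, that decodes the first bytes a client sends and tells a TLS record apart from a BER-encoded LDAPMessage; it also builds the StartTLS extended request a -ZZ client sends on the cleartext port. The sample bytes are constructed from the hex dump in the quoted trace, and the BER decoder is a minimal one written for this illustration (short and up-to-4-octet lengths only).

```python
# Added example (not from the thread or OpenLDAP): tell a TLS ClientHello,
# which a wrapped "ldaps" port on 636 expects, apart from a cleartext LDAP
# PDU, which ldapsearch -ZZ sends on 389 before it issues StartTLS.
from __future__ import annotations

# protocolOp application tags from RFC 4511 (subset used here)
LDAP_OPS = {
    0x42: "unbindRequest",
    0x60: "bindRequest",
    0x63: "searchRequest",
    0x77: "extendedRequest",
}
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_length(buf: bytes, i: int) -> tuple[int, int]:
    """Decode the BER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_first_bytes(data: bytes) -> dict:
    """Return what the opening bytes of a client connection appear to be."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record header: content type 22 (handshake), version 3.x
        return {"kind": "tls-client-hello", "record_version": f"3.{data[2]}"}
    if data and data[0] == 0x30:
        # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
        content_len, i = ber_length(data, 1)
        info = {"kind": "ldap-cleartext", "pdu_length": i + content_len, "got": len(data)}
        if i < len(data) and data[i] == 0x02:            # messageID INTEGER
            id_len, j = ber_length(data, i + 1)
            if j + id_len <= len(data):
                info["message_id"] = int.from_bytes(data[j:j + id_len], "big")
                i = j + id_len
        if i < len(data):
            op = LDAP_OPS.get(data[i], f"tag 0x{data[i]:02x}")
            if data[i] == 0x77 and STARTTLS_OID in data[i:]:
                op = "extendedRequest(StartTLS)"
            info["op"] = op
        return info
    return {"kind": "unknown"}


def build_starttls_request(message_id: int = 1) -> bytes:
    """Encode the StartTLS ExtendedRequest a -ZZ client sends on the cleartext port."""
    req_name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext_req = bytes([0x77, len(req_name)]) + req_name            # [APPLICATION 23]
    msg_id = bytes([0x02, 0x01, message_id])                     # INTEGER, one octet
    body = msg_id + ext_req
    return bytes([0x30, len(body)]) + body                       # SEQUENCE


def diagnose(port: int, data: bytes) -> str:
    """Explain the kind of mismatch the server log in the thread shows."""
    seen = classify_first_bytes(data)
    if port == 636 and seen["kind"] == "ldap-cleartext":
        return (f"port 636 expects a TLS ClientHello but got cleartext LDAP "
                f"{seen.get('op', '?')}: use ldaps:// or point -ZZ at port 389")
    if port == 389 and seen["kind"] == "tls-client-hello":
        return "port 389 expects cleartext LDAP but got a TLS ClientHello: use port 636 instead"
    return f"port {port}: {seen['kind']} looks consistent"


# Constructed sample: the 11 bytes (want=11, got=11) from the quoted trace,
# the start of a cleartext bind request (message ID 1, LDAP v3, empty DN).
SAMPLE_BIND_PREFIX = bytes.fromhex("300c020101600702010304")

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_BIND_PREFIX))
    print(diagnose(636, SAMPLE_BIND_PREFIX))
    print(classify_first_bytes(build_starttls_request()))
```

Running it shows the bind PDU announces 14 bytes while the server only saw 11 before giving up, and that the same decoder recognises a StartTLS extended request, which is what a -ZZ client would have sent first on port 389.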