
Re: OpenLDAP client TLS configuration



At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP) LDAP server.  This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients).

Verify the server is configured properly for LDAP over TLS (ldaps://)
using the OpenSSL s_client program (with certificate verification
enabled).

Once you have that working, you should be able to translate the
s_client configuration directly into an ldap.conf configuration
(OpenLDAP uses OpenSSL, TLS configuration options are directly
passed to OpenSSL).

Note that s_client does do LDAP specific certificate checks (as
discussed in RFC 4513)... so don't be surprised if ldapsearch(1)
(or other OpenLDAP command line programs) fail due to these
additional checks.

Kurt


> I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system.  However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)".  When I use port 389 and no TLS, it all works fine.
>
>Any ideas?  My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.
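A client-side check along the lines Kurt describes, added here as an example that is not part of this thread or of OpenLDAP's own code: a TLS handshake with CA verification (the s_client step) followed by the RFC 4513 section 3.1.3 server identity check that OpenLDAP tools apply on top of ordinary certificate validation. Host, port and the CA file path are assumed command-line arguments; the CA file must be PEM.

```python
"""ldaps:// reachability check: CA verification plus the RFC 4513 identity rules."""
import socket
import ssl
import sys
from typing import Optional


def _is_ip_literal(reference: str) -> bool:
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, reference)
            return True
        except OSError:
            pass
    return False


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 4513 3.1.3: '*' may only be the whole leftmost label and matches one label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    head_ok = (p[0] == "*" and len(p) > 1) or p[0] == n[0]
    return head_ok and p[1:] == n[1:]


def ldap_identity_matches(cert: dict, reference: str) -> bool:
    """Apply RFC 4513 3.1.3 to a certificate in ssl.SSLSocket.getpeercert() dict form."""
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(reference):  # an IP reference must match an iPAddress SAN
        return reference in [v for k, v in sans if k == "IP Address"]
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:  # when dNSName SANs are present the CN is not consulted
        return any(_dns_match(d, reference) for d in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, reference) for cn in cns)


def verify_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Handshake with chain verification against cafile, then the identity check.
    Raises ssl.SSLError (chain) or ValueError (identity); returns the peer cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the LDAP-specific rules are applied below instead
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    if not ldap_identity_matches(cert, host):
        raise ValueError(f"certificate does not name {host} (RFC 4513 3.1.3)")
    return cert


if __name__ == "__main__":  # usage: ldaps_check.py HOST [PORT] [CA.pem]
    argv = sys.argv[1:] + [None] * 3
    print(verify_ldaps(argv[0], int(argv[1] or 636), argv[2])["subject"])
```

A DER P7B bundle like the one in the question has to be converted to PEM first, e.g. with `openssl pkcs7 -inform DER -in ca.p7b -print_certs -out ca.pem`.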