
Re: OpenLDAP client TLS configuration



Port 636 is for SSL, while -ZZ sends the Start TLS Extended Operation (sent to a plaintext port). The two wouldn't usually be used together. Try either ldapsearch -ZZ -H ldap://host/ or ldapsearch -H ldaps://host:636/ but not ldapsearch -ZZ -H ldap://host:636, for example.

On Thu, 21 Sep 2006, Dan O'Reilly wrote:

I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP) LDAP server. This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients). I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system. However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)". When I use port 389 and no TLS, it all works fine.

Any ideas? My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.
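The distinction the reply draws (ldaps:// is TLS from the first byte on port 636, -ZZ is a StartTLS extended operation sent in the clear on a plaintext port), plus the two checks a practitioner would make before blaming the server, as an added shell example that is not part of the original thread. It assumes ldapsearch and openssl are on PATH; HOST, BASE, CA_P7B and CA_PEM are placeholders to set for your own environment. Two points it adds beyond the reply: OpenLDAP built against OpenSSL reads TLS_CACERT as a PEM file, so a DER-format P7B bundle has to be converted first, and the documented LDAPTLS_CACERT and LDAPCONF environment variables let you prove which CA file and which ldap.conf are actually in play.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders: set these for
# your environment before using run_search.
HOST="${HOST:-ldap.example.com}"
BASE="${BASE:-dc=example,dc=com}"
CA_P7B="${CA_P7B:-ca.p7b}"   # DER PKCS#7 bundle, as described in the question
CA_PEM="${CA_PEM:-ca.pem}"   # PEM file that TLS_CACERT actually expects

# OpenLDAP (OpenSSL build) reads TLS_CACERT as PEM; a DER P7B bundle is not
# usable as-is. Extract the CA certificates into a PEM file.
convert_ca() {
    openssl pkcs7 -inform DER -in "$CA_P7B" -print_certs -out "$CA_PEM"
}

# Classify a URI / StartTLS-flag combination the way the reply describes.
# Prints one of: ldaps | starttls | plain | mismatch | unknown
tls_mode() {
    uri="$1"; ztls="$2"   # $2 is "-ZZ", "-Z" or empty
    scheme="${uri%%:*}"
    hostport="${uri#*://}"; hostport="${hostport%%/*}"
    case "$hostport" in
        *:*) port="${hostport##*:}" ;;
        *)   port="" ;;
    esac
    case "$scheme" in
        ldaps)
            # TLS from the first byte; asking for StartTLS on top is contradictory
            if [ -n "$ztls" ]; then echo mismatch; else echo ldaps; fi ;;
        ldap)
            if [ -z "$ztls" ]; then
                echo plain
            elif [ "$port" = 636 ]; then
                # -ZZ sends a plaintext LDAP message to a port that expects a TLS
                # ClientHello; the server typically closes the connection and the
                # client reports "Can't contact LDAP server (-1)"
                echo mismatch
            else
                echo starttls
            fi ;;
        *)  echo unknown ;;
    esac
}

# Check the server's chain against the converted CA file before involving LDAP
# at all (needs network; not exercised by the offline demo below).
check_chain() {
    openssl s_client -connect "$HOST:636" -CAfile "$CA_PEM" </dev/null
}

# Run the search for real in one of the two sane modes (needs the server).
# -d 1 prints the TLS handshake steps, so a trust failure shows up as a
# readable error instead of a bare -1.
run_search() {
    case "$1" in
        starttls) uri="ldap://$HOST/";      ztls="-ZZ" ;;
        ldaps)    uri="ldaps://$HOST:636/"; ztls="" ;;
        *) echo "usage: run_search starttls|ldaps" >&2; return 2 ;;
    esac
    # LDAPTLS_CACERT overrides TLS_CACERT from ldap.conf; LDAPCONF=/path/file
    # would override the whole file. Either removes the doubt about whether
    # ldap.conf is being read at all.
    LDAPTLS_CACERT="$CA_PEM" ldapsearch -x -d 1 $ztls -H "$uri" -b "$BASE" -s base '(objectClass=*)'
}

# Offline demo: the three invocations from the reply and how they classify.
for combo in "ldap://$HOST/ -ZZ" "ldaps://$HOST:636/" "ldap://$HOST:636/ -ZZ"; do
    set -- $combo
    printf '%-40s -> %s\n' "$combo" "$(tls_mode "$1" "$2")"
done
```

Use `convert_ca`, then `check_chain` to confirm the CA file validates the server's certificate, then `run_search ldaps` or `run_search starttls`; if the LDAPTLS_CACERT form works while the bare ldapsearch does not, the ldap.conf the client is reading is not the one being edited.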