
Re: OpenLDAP client TLS configuration



At 12:48 PM 9/21/2006, Kurt D. Zeilenga wrote:
>At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
>>I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP) LDAP server.  This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients).
>
>Verify the server is configured properly for LDAP over TLS (ldaps://)
>using the OpenSSL s_client program (with certificate verification
>enabled).

I forgot to note that discussion of the use of OpenSSL,
including s_client, should be directed to a list about
OpenSSL, such as <openssl-users@openssl.org>.

>Once you have that working, you should be able to translate the
>s_client configuration directly into an ldap.conf configuration
>(OpenLDAP uses OpenSSL, TLS configuration options are directly
>passed to OpenSSL).
>
>Note that s_client does do LDAP specific certificate checks (as
>discussed in RFC 4513)... so don't be surprised if ldapsearch(1)
>(or other OpenLDAP command line programs) fail due to these
>additional checks.
>
>Kurt
>
>
>> I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system.  However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)".  When I use port 389 and no TLS, it all works fine.
>>
>>Any ideas?  My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.
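The sequence Kurt describes, as an added example that is not part of this thread and not OpenLDAP project code: first check the server with OpenSSL s_client (with verification turned on), then carry the same CA file over into ldap.conf, then run ldapsearch. The helpers print the openssl and ldapsearch commands instead of running them, so the script works offline; hostnames, ports and file paths are assumed, and the ldap.conf fragment is constructed. Two points a practitioner would check here: TLS_CACERT expects a PEM file (a DER-encoded .p7b bundle must be converted first), and `-ZZ` requests StartTLS on a plaintext LDAP port, whereas port 636 expects TLS from the first byte, so pairing `-ZZ` with 636 fails before any LDAP traffic is sent. The `-starttls ldap` form of s_client assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for verifying an LDAP server's
# TLS setup with OpenSSL and translating the result into ldap.conf/ldapsearch.
# All hostnames, ports and paths are assumptions, not values from the post.

# OpenSSL (and therefore OpenLDAP) reads the CA list from a PEM file; print the
# command that turns a DER-encoded PKCS#7 (.p7b) bundle into one.
p7b_to_pem_cmd() {
    # $1 = input .p7b, $2 = output .pem
    printf 'openssl pkcs7 -inform DER -print_certs -in %s -out %s\n' "$1" "$2"
}

# s_client check with certificate verification against the CA file.
# -verify_return_error turns a verification failure into a hard error.
s_client_cmd() {
    # $1 = mode (ldaps|starttls), $2 = host, $3 = port, $4 = CA PEM file
    case "$1" in
        ldaps)    printf 'openssl s_client -connect %s:%s -CAfile %s -verify_return_error\n' "$2" "$3" "$4" ;;
        # -starttls ldap needs OpenSSL 1.1.1 or later (assumption about the local build)
        starttls) printf 'openssl s_client -connect %s:%s -CAfile %s -verify_return_error -starttls ldap\n' "$2" "$3" "$4" ;;
        *)        return 1 ;;
    esac
}

# Reject the pairing that yields "Can't contact LDAP server (-1)": StartTLS (-ZZ)
# belongs on the plaintext port, ldaps:// on the TLS port. Other ports pass.
check_tls_pairing() {
    # $1 = mode (ldaps|starttls), $2 = port
    case "$1:$2" in
        starttls:636) echo "error: -ZZ (StartTLS) on port 636; use ldaps:// instead" >&2; return 1 ;;
        ldaps:389)    echo "error: ldaps:// on port 389; use -ZZ (StartTLS) instead" >&2; return 1 ;;
        ldaps:*|starttls:*) return 0 ;;
        *)            return 1 ;;
    esac
}

# ldapsearch invocation for each mode; the TLS_* settings in ldap.conf apply to both.
ldapsearch_cmd() {
    # $1 = mode, $2 = host, $3 = port, $4 = search base
    check_tls_pairing "$1" "$3" || return 1
    case "$1" in
        ldaps)    printf 'ldapsearch -x -H ldaps://%s:%s -b %s -s base\n' "$2" "$3" "$4" ;;
        starttls) printf 'ldapsearch -x -H ldap://%s:%s -ZZ -b %s -s base\n' "$2" "$3" "$4" ;;
    esac
}

# Constructed ldap.conf fragment, the client-side counterpart of the s_client check.
# TLS_REQCERT demand aborts the session if the server certificate does not verify.
write_sample_ldap_conf() {
    # $1 = path to write, $2 = CA PEM file to reference
    {
        printf '# constructed example ldap.conf\n'
        printf 'URI         ldaps://ldap.example.com:636\n'
        printf 'BASE        dc=example,dc=com\n'
        printf 'TLS_CACERT  %s\n' "$2"
        printf 'TLS_REQCERT demand\n'
    } > "$1"
}

# Read the TLS_CACERT path back out of an ldap.conf (first match wins).
tls_cacert_from_conf() {
    awk '$1 == "TLS_CACERT" { print $2; exit }' "$1"
}

# A TLS_CACERT that points at a missing file means nothing is ever verified and
# the handshake fails; confirm the file is really there.
check_cacert_exists() {
    cf=$(tls_cacert_from_conf "$1")
    [ -n "$cf" ] && [ -f "$cf" ]
}

# Walk-through (commands are printed, not executed):
conf=$(mktemp)
write_sample_ldap_conf "$conf" /etc/openldap/cacert.pem
p7b_to_pem_cmd ca.p7b /etc/openldap/cacert.pem
s_client_cmd ldaps ldap.example.com 636 "$(tls_cacert_from_conf "$conf")"
ldapsearch_cmd ldaps ldap.example.com 636 dc=example,dc=com
rm -f "$conf"
```

If the s_client check passes but ldapsearch still fails, the remaining difference is the hostname check that OpenLDAP applies to the server certificate (see Kurt's RFC 4513 remark), so compare the name in `-H` with the names in the certificate before changing anything else.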