
SSL/TLS Inquiry

Hi all,

Apologies for not grasping some rudimentary TLS/SSL concepts with the
LDAP protocol, but I have a basic question.

I've configured my OpenLDAP server and have successfully been able to
use the posixAccount objectClass to have a user login with pam_ldap over
SSH on a client server. However, on the same token, when I try from the
client server below to conduct an ldap search, I receive an error:

[root@bar cacerts]# ldapsearch -x -h "ldap.domain.com" -p 636 -v
ldap_start_tls: Can't contact LDAP server (-1)
ldap_bind: Can't contact LDAP server (-1)

On the server's log file:

Feb 18 23:03:11 firewall slapd[4775]: conn=3 fd=12 ACCEPT from IP=10.0.0.5:1072 (IP=0.0.0.0:636)
Feb 18 23:03:11 firewall slapd[4775]: conn=3 fd=12 closed (TLS negotiation failure)

Clearly SSL/TLS is not properly negotiating here, but that's something I
need to figure out in a few. My real question here is, when I
established an ssh connection with my client server and the client
server grabbed the credentials from LDAP server, does the above
inadvertently imply that the packets were not negotiated via SSL/TLS? I
was only testing ldapsearch to ensure that I have anonymous searches
disabled, but the concern that I'm working without encryption spiked my
curiosity if my logins are going unencrypted also because that's
something I'd ultimately need to address.

Thanks much for any knowledge anyone can pass along!

- Steve
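The question above hinges on one detail worth checking rather than guessing: whether the client's pam_ldap/nss_ldap configuration actually asks for TLS, and whether the hand-run ldapsearch exercises the same transport. The script below is an added example, not from the original post or from the OpenLDAP or PADL projects. It classifies a PADL-style ldap.conf (the `ssl on`, `ssl start_tls` and `uri ldaps://` settings are real pam_ldap keywords; the config contents and the hostname-only sample are constructed for the demo) and prints the ldapsearch command that speaks the matching transport. It also encodes the likely cause of the logged "TLS negotiation failure": ldapsearch's `-h`/`-p` options always speak plain `ldap://`, so aiming them at port 636 sends a cleartext bind to a listener that expects a TLS handshake; `-H ldaps://host/` is the equivalent of `ssl on`.

```shell
#!/bin/sh
# Added example, not from the original post. It classifies how a PADL
# pam_ldap/nss_ldap client (/etc/ldap.conf syntax) will talk to the directory
# and prints the matching ldapsearch invocation, so that what you test by hand
# is the same transport the logins use. All config text below is constructed.

# Read a PADL-style ldap.conf on stdin and print one of: ldaps, starttls, plain
ldap_transport_mode() {
    # drop comments, fold case (PADL keywords are case-insensitive)
    body=$(sed -e 's/#.*//' | tr 'A-Z' 'a-z')
    # "ssl on": TLS from the first byte (ldaps, normally port 636)
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on([[:space:]]|$)'; then
        echo ldaps; return 0
    fi
    # "ssl start_tls": plain LDAP on 389 upgraded with the StartTLS extended op
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls([[:space:]]|$)'; then
        echo starttls; return 0
    fi
    # an ldaps:// uri also gives TLS from the first byte
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://'; then
        echo ldaps; return 0
    fi
    # nothing above: binds (and the password in a simple bind) go in the clear
    echo plain
}

# Print the ldapsearch command that exercises the same transport.
# Note: "-h HOST -p 636" is NOT equivalent to ldaps: -h/-p always speak plain
# ldap://, so pointing them at 636 makes slapd log "TLS negotiation failure".
ldapsearch_for_mode() {
    mode="$1"; host="$2"
    case "$mode" in
        ldaps)    echo "ldapsearch -x -H ldaps://$host/ -b '' -s base" ;;
        starttls) echo "ldapsearch -x -ZZ -H ldap://$host/ -b '' -s base" ;;
        *)        echo "ldapsearch -x -H ldap://$host/ -b '' -s base" ;;
    esac
}

# Demo on constructed configs (hostname from the post, contents invented here)
demo() {
    for sample in \
        'uri ldap://ldap.domain.com/
base dc=domain,dc=com
ssl start_tls' \
        'host ldap.domain.com
base dc=domain,dc=com
ssl on' \
        'uri ldap://ldap.domain.com/
base dc=domain,dc=com
# no ssl line at all'
    do
        mode=$(printf '%s\n' "$sample" | ldap_transport_mode)
        printf 'mode=%-8s test with: %s\n' "$mode" "$(ldapsearch_for_mode "$mode" ldap.domain.com)"
    done
}

demo
```

Run it against the client's real file with `ldap_transport_mode < /etc/ldap.conf`; if it prints `plain`, the SSH logins that pam_ldap validated were bound in the clear regardless of what the server offers on 636, and the fix is on the client side (`ssl start_tls` with a `uri ldap://` line, or `ssl on` / `uri ldaps://`). Use the printed ldapsearch command, with `-ZZ` for the StartTLS case so a failed upgrade aborts instead of silently falling back, to confirm the transport from the same host before trusting the logins.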