Re: (ITS#5273) ldap.conf and TLS as a default
This appears to be the same as ITS#5039. This ITS will be closed, you can
follow up to #5039.
> Full_Name: Douglas Klima
> Version: 2.3.
> OS: Linux
> Submission from: (NULL) (188.8.131.52)
> I was looking for a way to make TLS the default in
> /etc/openldap/ldap.conf however it currently seems impossible. You can
> specify LDAP over clear text and LDAP over SSL but you can't specify
> LDAP over TLS (I'm talking about "start_tls"). It seems like ldaps:// is
> deprecated in favor of ldap:// + TLS, which is why I'm trying to
> configure this.
> Currently my /etc/openldap/ldap.conf looks like:
> BASE dc=example,dc=com
> URI ldap://srv1.example.com ldap://srv2.example.com
> TLS_REQCERT demand
> TLS_CACERTDIR /etc/ssl/certs
> If I do the following:
> $ ldapsearch
> ldap_bind: Confidentiality required (13)
> additional info: TLS confidentiality required
> If I change URI to have "ldaps://srv1.example.com:389", then
> $ ldapsearch
> just hangs until it times out. Clearly it's not using start_tls.
> Now if I change URI back to its original setting and do:
> $ ldapsearch -Z
> # search result
> search: 3
> result: 0 Success
> # numResponses: 54
> # numEntries: 53
> I get a successful lookup. I'm basically looking for a way to pass "-Z"
> in /etc/openldap/ldap.conf and in .ldaprc
> Initially I tried to send this to the OpenLDAP ML but was told by MacJobBz to
> submit this to ITS.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
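The report above shows two ways a client-side transport-security setup goes wrong: a plaintext `ldap://` URI that only becomes confidential when the tool is run with `-Z`, and an `ldaps://` URI pointed at port 389, where the client waits for a TLS handshake the server never starts. The script below is an added example, not part of this ITS thread or of OpenLDAP itself: it parses an `ldap.conf` / `.ldaprc`-style file and reports findings about URI schemes, `TLS_REQCERT`, and the CA store. The two sample configurations are constructed here (the first copies the one quoted in the report); the finding codes and severities are this example's own naming.

```python
"""Audit an OpenLDAP client ldap.conf / .ldaprc for transport-security weaknesses.

Added example for this thread; the keyword names come from ldap.conf(5), the
finding codes and severities are this script's own convention.
"""
from urllib.parse import urlsplit

# Constructed sample: the configuration quoted in the ITS report.
PAGE_CONF = """BASE dc=example,dc=com
URI ldap://srv1.example.com ldap://srv2.example.com
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
"""

# Constructed sample: the variant the reporter tried (ldaps on the plaintext
# port) combined with certificate checking switched off.
WEAK_CONF = """URI ldaps://srv1.example.com:389
TLS_REQCERT never
"""

LDAP_PLAINTEXT_PORT = 389


def parse_ldap_conf(text):
    """Parse keyword/value lines into a dict with upper-cased keywords.

    Blank lines and '#' comments are skipped; a keyword that appears more
    than once keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of (severity, code, detail) findings for the config text."""
    conf = parse_ldap_conf(text)
    findings = []

    # URI is a whitespace-separated list; each entry is checked on its own.
    uris = conf.get("URI", "").split()
    if not uris:
        findings.append(("info", "no-uri", "no URI keyword; clients use the library default"))
    for uri in uris:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        try:
            port = parts.port
        except ValueError:
            findings.append(("high", "bad-port", uri))
            continue
        if scheme == "ldaps":
            if port == LDAP_PLAINTEXT_PORT:
                # The reporter saw exactly this: ldapsearch hangs until it times out.
                findings.append(("high", "ldaps-on-389", uri))
        elif scheme == "ldap":
            # Confidentiality depends on the caller issuing StartTLS (-Z / -ZZ).
            findings.append(("medium", "plaintext-uri", uri))
        elif scheme != "ldapi":
            findings.append(("medium", "unknown-scheme", uri))

    # TLS_REQCERT defaults to demand; never/allow disable peer verification.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("high", "reqcert-weak", reqcert))
    elif reqcert == "try":
        findings.append(("medium", "reqcert-try", reqcert))

    # Without a CA store the server certificate chain cannot be validated.
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append(("medium", "no-ca-store", "set TLS_CACERT or TLS_CACERTDIR"))
    return findings


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_CONF
    for severity, code, detail in audit_ldap_conf(text):
        print(f"[{severity}] {code}: {detail}")
```

Run it with a path to a real `ldap.conf` or without arguments to audit the quoted sample. The `plaintext-uri` finding is deliberately not silenced by a strong `TLS_REQCERT`: with an `ldap://` URI the certificate settings only take effect once StartTLS is actually negotiated, and a plain `-Z` continues on a failed negotiation whereas `-ZZ` refuses to proceed without it.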