[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS/SSL in OpenLDAP 2.0 gamma clients

Title: TLS/SSL in OpenLDAP 2.0 gamma clients

Is there a bug in starting TLS/SSL from clients?  I can make it work with a code change in libldap, but can't figure out how to make it work otherwise.

Here are the details:
I'm using OpenLDAP 2.0 gamma on Solaris 2.7 built with "--with-tls" and OpenSSL 0.9.5.  I have an iPlanet LDAP server on Win2k with a cert installed.  I can ldapsearch it with SSL from the iPlanet client with no problems.  I can ldapsearch it from openldap without SSL.  When I try to ldapsearch it from openldap with SSL, the TLS never starts.

Here is my search string:
        ldapsearch -d 255 -x -w secret -v -h iplanethost -p 636 -s base -b "" -ZZ "(objectclass=*)"

In libldap:open.c:ldap_int_open_connection(), TLS never starts because ldap_pvt_tls_start() (line 363) is never called.  To be called, either the "ldo_tls_mode" must be "LDAP_OPT_X_TLS_HARD" or the "lud_scheme" must be "ldaps".  However, neither of these conditions are true.

If I add a line to the beginning of ldap_start_tls_s() that sets ld->ld_options.ldo_defludp->lud_scheme to "ldaps", then TLS starts fine.

Am I missing a flag to ldapsearch or a config option to OpenSSL?  Or is this a bug?