[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS/SSL in OpenLDAP 2.0 gamma clients

Title: RE: TLS/SSL in OpenLDAP 2.0 gamma clients

OK, so the StartTLS method makes a request over the default port (389) to invoke the startTLS extended operation, right?  Unfortunately, when I try that I get a "protocol error" from iPlanet.  I assume that means iPlanet doesn't support StartTLS.  :-(

The LDAPS is what I really wanted to do anyway.  Unfortunately, the -h option to ldapsearch is for host names only, not for URLs (this arg is passed unmodified to ldap_init(), which wants a hostname).  Is there another way to do this with ldapsearch?  I can use "openssl s_client -connect iplanethost:636" and it establishes an SSLv3 connection fine.  I would rather find a way for the clients and SDK to work with this than to use a wrapper.


-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, August 24, 2000 1:36 PM
To: Art Corcoran
Cc: 'openldap-software@openldap.org'
Subject: Re: TLS/SSL in OpenLDAP 2.0 gamma clients

At 01:16 PM 8/24/00 -0700, Art Corcoran wrote:
>Here are the details:
>I'm using OpenLDAP 2.0 gamma on Solaris 2.7 built with "--with-tls" and OpenSSL 0.9.5.  I have an iPlanet LDAP server on Win2k with a cert installed.  I can ldapsearch it with SSL from the iPlanet client with no problems.  I can ldapsearch it from openldap without SSL.  When I try to ldapsearch it from openldap with SSL, the TLS never starts.

Do not confuse ldaps:// (LDAP over SSL) with LDAPv3's Start TLS.
Start TLS is the Standard Track LDAPv3 mechanism for initiating TLS (RFC2830).
ldaps:// is an vendor extension which is not documented in any RFC.

>Here is my search string:
>        ldapsearch -d 255 -x -w secret -v -h iplanethost -p 636 -s base -b "" -ZZ "(objectclass=*)"

Try (StartTLS)
        ldapsearch -h iplanethost -ZZ -x -s base -b ""

or (ldaps://):
        ldapsearch -h ldaps://iplanethost -x -s base -b ""