Re: openldap SSL/TLS problem
LDAPSEARCH doesn't support LDAPS but does support TLS via the '-Z'
parameter. TLS is not LDAPS (which is really LDAP+SSLv2/SSLv3). TLSv1 is
accomplished by an LDAPv3 "start_tls" extension. It is available only
through a non-SSL port/connection, and only on an LDAPv3 server.

The non-secure LDAPv3 server receives the "start_tls" 'context switch'
from the client, and if able to, goes through the TLS handshake (a la
SSL), and if everything is successful - then enters "secure mode"
(similar to SSL).

The key is to remember that TLS is NOT SSL, and does NOT use an SSL port.

TLS operations can be confirmed by running SLAPD with the "-d9" debug
parameter. More information about TLS and SSL can be found in the
various documents distributed with OpenSSL.
On 30 Aug, Jehan PROCACCIA wrote:
> "Kurt D. Zeilenga" wrote:
>> At 02:43 AM 2001-08-30, Jehan PROCACCIA wrote:
>> >Here's my problem:
>> >$ ldapsearch -Z -H "ldaps://mci21056.int-evry.fr" -b "dc=int-evry,dc=fr"
>> >ldap_start_tls: Operations error
>> > additional info: TLS already started
>> >ldap_sasl_interactive_bind_s: Unknown authentication method
>> You are trying to run Start TLS over ldaps://. Since you
>> already started TLS by using ldaps://, issuing a Start
>> TLS command is pointless. Don't use -Z and ldaps://
> Truth is that I'm confused with sasl/ssl/tls !?, ldaps means tls ? an
> ldapsearch without -x nor -Z defaults to tls ? Any doc on this ?
>> Then there appears to be no usable SASL method. Likely
>> you haven't completed your SASL configuration yet. Start
>> with setting up the sample client/server (or use -x to
>> use simple bind).
> I did nothing about sasl, I thought that using ssl was an alternative to
> sasl !? do I need to configure something about sasl in slapd.conf, have
> a sample file ?
> anyway the search works fine with ldapsearch -x, but I want to run a
> secure ldap transaction ...