[Date Prev][Date Next]
Re: ldap-ssl trouble .....
Thanks a lot for you explanation Mister Chu !!
Some light in the darkness....
So there is two way to work with TLS / SSL
1) Normal connection on port 389 ( or an another you can specify when
lounching the server and in the client, that was my mistake :-/ ) and then
turn TLS/SSL with the start TLS request ( -Z option )!
In this way you don't need to run ldaps://
I verified it : only lounch the normal server ( and retired the port number
636 in my ldap.conf sigh' ) #>ldapsearch -x -Z -b o=societe.fr sn=Wayne
works better ( i still have an error but it's with the certificate, i will
work on it a little bit more to find how to correct....)
But with this way the identification / connexion is established in clear....
2) Full secured communication ( connection && data ) with the ldaps://
server on port 636 where SSL take !
This is the way i would prefer because password would be crypted....
This is not standard ?
Can I use ldapsearch to communicate with such a server ? If yes, how ?
Thanks for every help...
----- Original Message -----
From: "Howard Chu" <firstname.lastname@example.org>
To: "Kaufmann Lionel" <email@example.com>; <openldap-software@OpenLDAP.org>
Sent: Thursday, February 14, 2002 1:52 PM
Subject: RE: ldap-ssl trouble .....
> Port 636 is used for LDAP on SSL. This means that SSL is part of the
> connection from the very beginning. This is the way SSL was used with
> LDAPv2, but is not
> part of any documented standard. The "-Z" option to ldapsearch uses the
> Start TLS request which is defined in LDAPv3. This assumes a connection
> was created in the clear, and which then has TLS/SSL activated on it in
> response to this Start TLS request.
> By setting up your ldap.conf in this manner you're trying to initiate a
> clear text connection on a port that is expecting SSL, which obviously
> doesn't work. If you're going to use Start TLS you don't need to use port
> 636 at all. If you want to use port 636, you cannot use Start TLS on that
> port because TLS will already be active before any LDAP requests can be
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support