[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: openldap and SSL with AD


What did you do, specifically, to ActiveDirectory to enable it
to "speak" TLS and use Port 636 ???

Is this ALL you did:

In our organization, we have "Windows" administrators, and 
a separate "Unix" administrators/developer group.  I belong
to the Unix group.  The Windows group is  "researching" what is necessary
and what the ramifications are to enabling the TLS connection
to Active Directory.

Your experiences would be helpful.


-----Original Message-----
From: Norbert Klasen
Sent: Thursday, February 13, 2003 9:31 AM
To: Daniel Barron; openldap-software@OpenLDAP.org
Subject: Re: openldap and SSL with AD

--On Donnerstag, 13. Februar 2003 14:49 +0000 Daniel Barron 
<ldaplist@jadeb.com> wrote:

> I have set up the win2k AD to work with LDAPS on port 636 and I have 
> tested it to work with an windows ldap browser that works over SSL.  
> So all that bits done.
> But I have no idea how to change the code to make it connect using 
> I tried ldapsearch with the -ZZ option and -p 636 but all I got was: 
> ldap_init(, 636 )
> ldap_start_tls: Can't contact LDAP server

You're mixing START_TLS (which normally uses port 389) and LDAPS. The -ZZ 
option requires START_TLS which is not supported by AD. Try using
Unless you're server certificate containes a subjectAltName extension of 
type ip address, you'll also need to use the server's FQDN instead of its 

See also http://www.openldap.org/faq/data/cache/185.html