Starting TLS from configuration file
I've been spinning wheels over how to start TLS in a configuration file. I
would like to always force a TLS encrypted connection over ldap:// ports
without any TLS code in my applications. Is this even possible with
OpenLDAP 2.1.17?
Any help would be appreciated.
I have valid CA, server and client certificates in place and configured in
slapd.conf, ldap.conf and ldaprc.
I have used an "openssl s_client" command to verify SSL/TLS as well as my
own LDAP client test which inits ldap, sets ldap version, calls
ldap_start_tls_s() for non-ldaps:// ports and calls ldap_simple_bind_s()
and ldap_search_s().
The two tests work fine for ldaps:// ports (I don't call ldap_start_tls_s()
in my SSL test obviously). The server debug output contains TLS handshake
info and I'm able to search the directory.
When TLS is started in my test program using ldap_start_tls_s() over port
389, the server debug output contains TLS handshake info and I'm able to
search the directory just like in the SSL tests.
But when I remove ldap_start_tls_s() from the test and try to add various
TLS directives to ldap.conf as has been suggested in this forum, I either
do not see a TLS handshake or I can't connect to the server.
I've tried adding the following directives:
security tls=128, ssf=128 // in slapd.conf
ssl start_tls
tls hard
StartTLS
Start_TLS
start_tls
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
tie line: 678-9216
external: 1-512-838-9216
e-mail: dksoper@us.ibm.com