Re: SSL/TLS help

hi matthew,

it works like this. i don't know which OS you are using, but i've got this setup
working for a homogeneous linux network. you've got to specify -ZZ btw if you
use ldapsearch to get tls authentication. should you use only linux, you can
shut down port 636; it won't be used.

first set up the whole functionality without any TLS/SASL/etc., just the
bare ldap-connections.
once you've got that working, create a certificate with your own CA like
described in this manual, which i can't find on the net anymore and have therefore placed
on my webspace:
having that, tell your slapd.conf the location of your certificates and
keys. if you authenticate and automount via ldap, tell
pam_ldap.conf/libnss_ldap.conf (on the clients) that they should use startTLS (use start_tls) and
specify the location of cacert.pem in the clients' /etc/ldap.conf.
that should do.

good luck

> Hello,
>    I'm having an issue between client/server SSL/TLS authentication.  
> Basically, I want to use TLS, but *not* SASL.  Unfortunately, every time 
> a client queries the server, they look for the attribute 
> "supportedSASLMechanisms", which the server doesn't have, so it reports 
> "No such object."
> here's the log output:
> client
> ======
> [root@charles root]# /usr/local/bin/ldapsearch -d4
> request 1 done
> ldap_sasl_interactive_bind_s: No such object (32)
> server
> ======
> [~]{56}# /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d4
> daemon_init: ldap:/// ldaps:///
> bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 
> 2002)
> bdb_db_init: Initializing BDB database
> bdb_db_open: dc=esm,dc=lanl,dc=gov
> slapd starting
> connection_get(14)
> SRCH "" 0 0    0 0 0
>      filter: (objectClass=*)
>      attrs: supportedSASLMechanisms
> send_ldap_result: err=0 matched="" text=""
> connection_get(14)
> What I want to know is if there's a way to use TLS w/o SASL?  The 
> certificates all negotiate fine, etc.  But the client hangs up on this. 
>   Any ideas would be *greatly* appreciated.  I've been trying to get 
> this stuff to work right for ages.
> Thanks,
> Matt Riedel
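As an added example (not from either message above), here is the minimal set of directives the reply points at, split across the three files it names; the host name, base DN and file paths are assumptions:

```conf
# --- /etc/openldap/slapd.conf on the server (paths are assumptions) ---
# Server certificate signed by your own CA, plus the CA certificate itself.
TLSCACertificateFile   /etc/openldap/ssl/cacert.pem
TLSCertificateFile     /etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/ssl/slapd-key.pem
# Do not demand client certificates; TLS here only protects the channel.
TLSVerifyClient        never

# --- /etc/ldap.conf on each client (pam_ldap / nss_ldap) ---
# "host" must match the CN in the server certificate or peer checking fails.
host   ldap.example.org
base   dc=example,dc=org
# Upgrade the plain port-389 connection with StartTLS instead of using ldaps:// on 636.
ssl            start_tls
tls_checkpeer  yes
tls_cacertfile /etc/openldap/ssl/cacert.pem

# --- /etc/openldap/ldap.conf (OpenLDAP client library, used by ldapsearch) ---
BASE        dc=example,dc=org
URI         ldap://ldap.example.org
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_REQCERT demand
```

With this in place, `ldapsearch -x -ZZ -b '' -s base` performs a simple (non-SASL) bind over StartTLS and fails hard if TLS cannot be negotiated. Without `-x`, ldapsearch attempts a SASL bind first, which is the root-DSE query for `supportedSASLMechanisms` seen in the log above.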