[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldaps vs -ZZ

Because "ldaps" indicates an SSL wrapped service that runs on a port
other than the standard "ldap" port (ldap runs on 389, ldaps runs on

When you give ldapsearch the -ZZ flag you are asking it to use "in-band"
SSL/TLS by using the STARTTLS command.  In other words when you use the
-ZZ option ldapsearch is expecting a cleartext ldap connection that it
will then secure by using STARTTLS.  -ZZ should work fine if you specify
the cleartext ldap port (389) rather than the SSL wrapped ldaps port


* Adam Gautier <adam_gautier@yahoo.com> [040211 13:52]:
> Why does 'ldapsearch -x -H ldaps://myserver.com "cn=*"' work but 
> 'ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ' fails.  Both are using 
> TLS but the second one returns:
> Client:
> %> ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ
> ldap_bind: Can't contact LDAP server (81)
> Server:
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
>  0000:  30 0c 02 01 01 60 07 02  01 03 04                  0....`.....
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol 
> s23_srvr.c:585
> connection_read(7): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=7 for close
> connection_close: conn=0 sd=7
> Any help would be great and I  can provide more info if needed.  I have 
> search message archives about this to no avail. Any help would be great 
> and greatly appreciated, Thanks.
> Adam

Ben Poliakoff                                email: benp@imap.reed.edu
Reed College                                        tel:  503-788-6674
Unix System Administrator                          PGP key: 0x6AF52019
PGP fingerprint:    A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019