Thanks to all who answered this made me step back and say, "DUH!".
Since it is in the documenetation I should have seen it but I was just
unable to put it all together until now. This was a big sticking block
with my LDAP implementation but this clears it up completely. Would it
make sense to use TLS for pam_ldap, clients, mozilla, etc... and use
LDAPs for replication?|
Dieter Kluenter wrote:
Hi, Adam Gautier <firstname.lastname@example.org> writes:Why does 'ldapsearch -x -H ldaps://myserver.com "cn=*"' work but 'ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ' fails. Both are using TLS but the second one returns: Client: %> ldapsearch -x -h myserver.com -p 636 "cn=*" -ZZ ldap_bind: Can't contact LDAP server (81)[...]Any help would be great and I can provide more info if needed. I have search message archives about this to no avail. Any help would be great and greatly appreciated, Thanks.You have to distinguish between STARTTLS and ldap over SSL. While ldap_start_tls requires a slapd listening on the defined default ldap port (389), thus ldap_start_tls is invoked by the -Z option; ldap over SSL requires slapd listening on a definded secure ldaps port (636) without invocation of ldap_start_tls. In order to make both methods available, you should start ./slapd -h "ldap:/// ldaps:///" -Dieter