[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: debugging tls (apache2 mod_ldap)

* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:

Sorry to reply to my own post, but I've just been reading


and am confused by Kurts earlier post which stated:

>>Ideally I'd happily just use SSL, it looks to me like it's trying to
>>to TLS inside the SSL session, which just seems silly.
>SSL and TLS are two names for the same thing (see archives).
>OpenLDAP Software (including libraries) will error if you
>attempt to do so.
>>Do I have an option to just do SSL without TLS,
>Since SSL is TLS (and TLS is SSL), no.

The url I mentioned seems to back up my earlier assumption that you could 
do SSL without TLS, and vice versa.

What I think is happening is mod_auth_ldap
is trying to do both - presumably that works fine with many configurations, but
no mine. I need to have an SSL tunnel and not worry about TLS.

To illustrate:

[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
# extended LDIF
# LDAPv3
# base <> with scope sub
# filter: uid=user
# requesting: ALL

[returns the requested entry, no problems]
but requesting TLS fails:

[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
ldap_start_tls: Operations error (1)
        additional info: TLS is is already established
[user@server httpd-2.0.49]$

Does that make any sense?
Maybe we're getting startTLS and TLS confused here?

We are all worms.  But I do believe I am a glowworm.
		-- Winston Churchill
Rasputin :: Jack of All Trades - Master of Nuns