
Re: debugging tls (apache2 mod_ldap)

Dick Davies wrote:
* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:

* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:

Sorry to reply to my own post, but I've just been reading


and am confused by Kurt's earlier post which stated:

Ideally I'd happily just use SSL, it looks to me like it's trying to
do TLS inside the SSL session, which just seems silly.

SSL and TLS are two names for the same thing (see archives).
OpenLDAP Software (including libraries) will error if you
attempt to do so.

Do I have an option to just do SSL without TLS,

Since SSL is TLS (and TLS is SSL), no.

The url I mentioned seems to back up my earlier assumption that you could do SSL without TLS, and vice versa.

What I think is happening is mod_auth_ldap
is trying to do both - presumably that works fine with many configurations, but
not mine. I need to have an SSL tunnel and not worry about TLS.

To illustrate:

[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=user
# requesting: ALL
#

[returns the requested entry, no problems]
but requesting TLS fails:

[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
ldap_start_tls: Operations error (1)
        additional info: TLS is is already established
[user@server httpd-2.0.49]$

Does that make any sense?
Maybe we're getting startTLS and TLS confused here?

/opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user

should be ...

/opt/bin/ldapsearch -ZZ -x -H 'ldap://ldaphost.domain/o=org' uid=user

TLS uses the default port (ldap - 389). You tried to start TLS for a session which was already encrypted (ldaps - 636).

Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
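The point of Dave's reply, as an added example that is not part of the thread: an ldaps:// URI already wraps the whole session in TLS on port 636, while StartTLS (ldapsearch -Z/-ZZ) upgrades a cleartext ldap:// session on 389, so asking for both is the "TLS already established" error above. The small checker below parses an LDAP URI the way ldapsearch -H would receive it, fills in the default port, and flags the ldaps-plus-StartTLS combination before a connection is attempted. The function names, the start_tls flag and the sample URIs are my own assumptions, not anything from OpenLDAP or mod_auth_ldap.

```python
"""Lint an LDAP client setting for the ldaps + StartTLS conflict.

Added example, not code from the thread or from OpenLDAP. Assumes the caller
passes the URI as it would go to `ldapsearch -H` plus a flag saying whether
StartTLS (`-Z`/`-ZZ`) is requested.
"""
from urllib.parse import urlsplit

# Well-known default ports: ldap:// is cleartext (StartTLS may upgrade it),
# ldaps:// is TLS from the first byte.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri):
    """Return (scheme, host, port, base_dn) for an ldap:// or ldaps:// URI.

    The port defaults to 389 or 636 when the URI does not name one, which is
    what lets 'ldaps://host/o=org' and 'ldaps://host:636/o=org' compare equal.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]
    base_dn = parts.path.lstrip("/")  # '/o=org' -> 'o=org'
    return scheme, host, port, base_dn


def check_tls_mode(uri, start_tls):
    """Classify how the session is protected, or reject the conflicting mix.

    Returns 'implicit-tls' (ldaps://), 'starttls' (ldap:// plus StartTLS) or
    'cleartext' (ldap:// without StartTLS). Raises ValueError for ldaps://
    combined with StartTLS, the case that produced 'TLS already established'.
    """
    scheme, host, port, _ = parse_ldap_uri(uri)
    if scheme == "ldaps":
        if start_tls:
            raise ValueError(
                f"ldaps://{host}:{port} is already TLS; drop -Z/-ZZ, "
                f"or use ldap://{host}:{DEFAULT_PORTS['ldap']} with StartTLS"
            )
        return "implicit-tls"
    return "starttls" if start_tls else "cleartext"


def uri_for_starttls(uri):
    """Rewrite an ldaps:// URI to the ldap:// form StartTLS expects."""
    scheme, host, _, base_dn = parse_ldap_uri(uri)
    if scheme == "ldap":
        return uri
    suffix = f"/{base_dn}" if base_dn else ""
    return f"ldap://{host}:{DEFAULT_PORTS['ldap']}{suffix}"


if __name__ == "__main__":
    # Constructed sample URIs, mirroring the two commands in the thread.
    for sample_uri, want_starttls in (
        ("ldaps://ldaphost.domain/o=org", False),
        ("ldaps://ldaphost.domain/o=org", True),
        ("ldap://ldaphost.domain/o=org", True),
    ):
        try:
            print(sample_uri, "-Z" if want_starttls else "", "->",
                  check_tls_mode(sample_uri, want_starttls))
        except ValueError as err:
            print(sample_uri, "-ZZ ->", err, "| try:", uri_for_starttls(sample_uri))
```

Either mode on its own gives an encrypted session; the checker only rejects the combination, and points at the ldap:// form because that is the one StartTLS is defined for.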