
Re: debugging tls (apache2 mod_ldap)



* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0735 20:35]:
> At 03:14 AM 7/14/2004, Dick Davies wrote:
> >Snipping as much irrelevant code as I can, it does the following operations to init 
> >the connection:
> >
> >              ldc->ldap = ldap_init(ldc->host, ldc->port);
> >                if (NULL != ldc->ldap)
> >                {
> >                    int SSLmode = LDAP_OPT_X_TLS_HARD;
> >                    result = ldap_set_option(ldc->ldap, LDAP_OPT_X_TLS, &SSLmode);
> >                }
> 
> >The ldap_set_option call handles both SSL initialization and startTLS, right ?
> 
> s/SSL/TLS/g

See? There I go again :)
 
> ldap_set_option() doesn't cause an LDAP StartTLS operation to be issued.
> There is a separate library function to do that (which, upon successful
> completion of the LDAP operation, will handle the TLS upgrade).  The
> ldap_set_option call, as used here, is handling ldaps:// style
> initialization of TLS.

Thanks, that's really all I wanted to check - these are new servers so it was
possible they were asking for more ssf (or whatever Novell's equivalent is) than
the library could give. Glad to say it wasn't that...
 
> I'm clueless as far as mod_ldap is concerned.  I suggest you make sure
> ldapsearch(1) works for both StartTLS and ldaps://.  That will ensure
> the client library is interacting properly with the server.

Thanks, it looks like some weird build/linking error was the cause -
a colleague took it on himself to hand-roll a patch into the Red Hat 7.3
SRPMs and backport tls.c from a more recent OpenLDAP, and suddenly we
are good to go.

Thanks to all posters for advice.

-- 
Think twice before speaking, but don't say "think think click click".
Rasputin :: Jack of All Trades - Master of Nuns
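An added example, not from the thread: a small POSIX sh script that does the check Kurt recommends with ldapsearch(1), exercising the two paths he distinguishes (TLS at connect time via an ldaps:// URI, and the StartTLS extended operation on a plain ldap:// connection). The host and ports used are constructed placeholders; it assumes OpenLDAP's ldapsearch is on the PATH.

```shell
#!/bin/sh
# Probe an LDAP server over both TLS paths the OpenLDAP client library offers:
#   starttls -> connect on the cleartext port, then issue StartTLS (-ZZ)
#   ldaps    -> TLS handshake first, before any LDAP PDU is sent
# -ZZ (not -Z) makes ldapsearch fail instead of quietly continuing in the
# clear if the server refuses StartTLS. LDAPTLS_REQCERT=demand forces the
# server certificate to be verified whatever ldap.conf(5) says, so a probe
# that "works" really did authenticate the server.

# URI for a mode: StartTLS uses the cleartext port, ldaps its own port.
tls_probe_uri() {
    case "$1" in
        starttls) printf 'ldap://%s:%s\n' "$2" "${3:-389}" ;;
        ldaps)    printf 'ldaps://%s:%s\n' "$2" "${3:-636}" ;;
        *) printf 'unknown mode: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Extra ldapsearch flag per mode: StartTLS must be made mandatory (-ZZ);
# with ldaps:// the library negotiates TLS itself and no flag is needed.
tls_probe_flag() {
    case "$1" in
        starttls) printf -- '-ZZ\n' ;;
        ldaps)    printf '\n' ;;
    esac
}

# Run one probe; returns ldapsearch's exit status (0 = TLS up, query answered).
# Reading the rootDSE anonymously is cheap and proves an LDAP operation was
# actually completed over the protected connection, not just a TCP connect.
tls_probe() {
    uri=$(tls_probe_uri "$1" "$2" "$3") || return 2
    flag=$(tls_probe_flag "$1")
    LDAPTLS_REQCERT=demand ldapsearch -H "$uri" $flag -x -b '' -s base \
        supportedLDAPVersion >/dev/null 2>&1
}

# Check both paths against one host and report each separately; a failure on
# exactly one of them narrows the problem to that path's configuration.
check_both() {
    for mode in starttls ldaps; do
        tls_probe "$mode" "$1"; rc=$?
        if [ "$rc" -eq 0 ]; then echo "$mode: OK"; else echo "$mode: FAILED (rc=$rc)"; fi
    done
}

# Usage: ./tlsprobe.sh ldap.example.com   (placeholder host)
if [ -n "${1:-}" ]; then check_both "$1"; fi
```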