[Date Prev][Date Next]
RE: Trying to get TLS Working
- To: <OpenLDAP-software@OpenLDAP.org>
- Subject: RE: Trying to get TLS Working
- From: "Chapman, Kyle" <Kyle_Chapman@G1.com>
- Date: Tue, 28 Sep 2004 01:00:42 -0400
- Content-class: urn:content-classes:message
- Importance: normal
- Thread-index: AcSlFzaK5AKH/NfKThK/+xzYOcqlFgAAv3vw
- Thread-topic: Trying to get TLS Working
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David Wheeler
Sent: Monday, September 27, 2004 8:34 PM
To: Howard Chu
Subject: Re: Trying to get TLS Working
On Sep 27, 2004, at 4:59 PM, David Wheeler wrote:
>> Also, you didn't mention whether you've configured your ldap.conf
>> properly. I will assume since you didn't mention it that you haven't
>> configured it, and this obviously must be done first.
> Quite so. I hadn't even noticed it. I only saw instructions for
> editing an ldap.conf used by pam and nis, neither of which I'm using
> at this point. I'll take a look at its man page and see what it says.
This did the trick. I added a pointer to my CA cert to ldap.conf, and
then it said:
additional info: TLS: hostname does not match CN in peer
Well, I'm used to that from creating self-signed certs for Apache. So I
created a new server cert with the CN set to the hostname of my LDAP
server, and now ldapsearch -ZZ works beautifully!
I did notice that it tends to have this complaint:
ldap_start_tls: Operations error (1)
additional info: TLS already started
When I specify "ldaps://ldap.ecample.com/" for the URL in ldap.conf.
That seems rather odd, but it goes away when I change it to "ldap://".
youll see this error in the archives of this mail list... this is due to trying to initiate tls over an already encrypted session, in your case ldaps (ldap/ssl).
NOTICE: This E-mail may contain confidential information. If you are not
the addressee or the intended recipient please do not read this E-mail
and please immediately delete this e-mail message and any attachments
from your workstation or network mail system. If you are the addressee
or the intended recipient and you save or print a copy of this E-mail,
please place it in an appropriate file, depending on whether
confidential information is contained in the message.