
RE: Trying to get TLS Working

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David Wheeler
Sent: Monday, September 27, 2004 8:34 PM
To: Howard Chu
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: Trying to get TLS Working

On Sep 27, 2004, at 4:59 PM, David Wheeler wrote:

>> Also, you didn't mention whether you've configured your ldap.conf 
>> properly. I will assume since you didn't mention it that you haven't 
>> configured it, and this obviously must be done first.
> Quite so. I hadn't even noticed it. I only saw instructions for 
> editing an ldap.conf used by pam and nis, neither of which I'm using 
> at this point. I'll take a look at its man page and see what it says.

This did the trick. I added a pointer to my CA cert to ldap.conf, and 
then it said:

         additional info: TLS: hostname does not match CN in peer 

Well, I'm used to that from creating self-signed certs for Apache. So I 
created a new server cert with the CN set to the hostname of my LDAP 
server, and now ldapsearch -ZZ works beautifully!

I did notice that it tends to have this complaint:

ldap_start_tls: Operations error (1)
         additional info: TLS already started

When I specify "ldaps://ldap.example.com/" for the URL in ldap.conf. 
That seems rather odd, but it goes away when I change it to "ldap://".

You'll see this error in the archives of this mail list... this is due to trying to initiate TLS over an already encrypted session, in your case ldaps (LDAP/SSL). 
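The two failures discussed in this thread (the CN/hostname mismatch once TLS_CACERT is set, and "TLS already started" when -ZZ is used against an ldaps:// URI) can be modelled as two small client-side checks. The following is an added example, not code from the thread or from OpenLDAP: it parses a constructed ldap.conf fragment (the URI, BASE, TLS_CACERT and TLS_REQCERT directives are real ldap.conf(5) keys; the values are made up), matches the URI host against the server certificate's names, and reports the StartTLS clash. The hostname matcher prefers dNSName SANs and falls back to the subject CN, and the TLS_REQCERT handling is a deliberate simplification (only "never" skips the check); both are assumptions of this example rather than a description of libldap's exact behaviour.

```python
"""Added example (not from the thread or OpenLDAP): model the two client-side
TLS checks behind the errors quoted above."""
from urllib.parse import urlsplit

# Constructed ldap.conf fragment; the keys are real ldap.conf(5) directives,
# the values are made up for this example.
SAMPLE_LDAP_CONF = """\
# client defaults (constructed sample)
URI         ldaps://ldap.example.com/
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse the 'KEY value' lines of ldap.conf into a dict.
    '#' starts a comment; keys are case-insensitive, so they are upper-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def _name_matches(pattern, host):
    """Match one certificate name against a host: exact match, or a single
    '*' standing for the whole leftmost label (RFC 6125 style, simplified)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches_cert(host, subject_cn, san_dns=()):
    """Prefer dNSName SANs; fall back to the subject CN only when the cert
    carries no SANs (the CN-only rule is what the thread's client relied on)."""
    names = list(san_dns) or [subject_cn]
    return any(_name_matches(n, host) for n in names)


def diagnose(conf, request_starttls, cert_cn, cert_sans=()):
    """Return the problems an ldapsearch run would hit with this ldap.conf,
    the -Z/-ZZ flag, and a server cert carrying the given names.
    An empty list means the TLS session should come up cleanly."""
    problems = []
    parts = urlsplit(conf.get("URI", "ldap://localhost/"))
    scheme, host = parts.scheme.lower(), parts.hostname or "localhost"
    encrypted = scheme == "ldaps" or request_starttls

    # ldaps:// is TLS from the first byte, so asking for StartTLS on top of
    # it is what yields "Operations error ... TLS already started".
    if scheme == "ldaps" and request_starttls:
        problems.append("TLS already started")

    if encrypted:
        if "TLS_CACERT" not in conf:
            problems.append("no TLS_CACERT: peer certificate cannot be verified")
        # Assumption/simplification: only TLS_REQCERT never skips the
        # hostname check; the real client has finer-grained behaviour.
        if conf.get("TLS_REQCERT", "demand").lower() != "never":
            if not hostname_matches_cert(host, cert_cn, cert_sans):
                problems.append("TLS: hostname does not match CN in peer certificate")
    return problems


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    # -ZZ over ldaps:// with a cert issued for the right name: only the clash remains
    print(diagnose(conf, True, "ldap.example.com"))
    # plain ldap:// plus -ZZ, but the cert still carries a generic CN
    conf["URI"] = "ldap://ldap.example.com/"
    print(diagnose(conf, True, "localhost"))
```

The first run reproduces the thread's second complaint and the second run its first one; switching the URI to ldap:// (keeping -ZZ) and reissuing the certificate with the host's name, as the poster did, clears both.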