Re: OpenLDAP client TLS configuration
At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
> I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP) LDAP server. This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients).
Verify the server is configured properly for LDAP over TLS (ldaps://)
using the OpenSSL s_client program (with certificate verification
Once you have that working, you should be able to translate the
s_client configuration directly into an ldap.conf configuration
(OpenLDAP uses OpenSSL, TLS configuration options are directly
passed to OpenSSL).
Note that s_client does do LDAP specific certificate checks (as
discussed in RFC 4513)... so don't be surprised if ldapsearch(1)
(or other OpenLDAP command line programs) fail due to these
> I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system. However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)". When I use port 389 and no TLS, it all works fine.
> Any ideas? My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.
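Added example, not from this thread or from OpenLDAP itself: a POSIX shell script that follows the reply's sequence (unpack the CA bundle, verify the chain with s_client, then carry the same CA file into ldap.conf before running ldapsearch). The host in LDAP_HOST, the file names ca.p7b/ca.pem and the use of the LDAPCONF variable are assumptions; the script also keeps ldaps:// on 636 apart from StartTLS (-ZZ) on 389, because those are different mechanisms and combining them cannot work.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: a CA bundle in DER PKCS#7
# form (ca.p7b), an LDAP server named in $LDAP_HOST, OpenSSL and the
# OpenLDAP client tools on the path.

# 1. OpenSSL (and therefore OpenLDAP) reads CA certificates in PEM form;
#    a DER .p7b bundle has to be unpacked first.
p7b_to_pem() {   # usage: p7b_to_pem ca.p7b ca.pem
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# 2. Decide whether s_client output shows a verified chain.
#    s_client prints "Verify return code: N (text)"; 0 means the chain
#    validated against -CAfile. Anything else is a trust problem that
#    ldapsearch will hit too, since TLS_REQCERT defaults to "demand".
s_client_verified() {   # reads s_client output on stdin; returns 0 if ok
    grep -q '^ *Verify return code: 0 (ok)'
}

# 3. Build the matching ldapsearch command: port 636 is ldaps:// (TLS from
#    the first byte), port 389 negotiates StartTLS with -ZZ. Using -ZZ
#    against 636 sends a cleartext LDAP request to a TLS listener.
ldapsearch_cmd() {   # usage: ldapsearch_cmd host port  -> prints the command
    case "$2" in
        636) printf 'ldapsearch -H ldaps://%s:636 -x -b "" -s base\n' "$1" ;;
        389) printf 'ldapsearch -H ldap://%s:389 -ZZ -x -b "" -s base\n' "$1" ;;
        *)   echo "unexpected LDAP port: $2" >&2; return 1 ;;
    esac
}

# Full flow when run as a script against a real server (skipped otherwise).
if [ -n "$LDAP_HOST" ]; then
    p7b_to_pem ca.p7b ca.pem
    if openssl s_client -connect "$LDAP_HOST:636" -CAfile ca.pem </dev/null 2>/dev/null | s_client_verified; then
        # Same CA file that s_client accepted, now handed to libldap.
        printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$PWD/ca.pem" > ldap.conf
        LDAPCONF="$PWD/ldap.conf" sh -c "$(ldapsearch_cmd "$LDAP_HOST" 636)"
    else
        echo "chain did not verify; fix the CA bundle before editing ldap.conf" >&2
    fi
fi
```

Pointing LDAPCONF at a file you control removes the doubt about which ldap.conf is actually being read.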