
Re: OpenLDAP client TLS configuration

At 12:00 PM 9/21/2006, Dan O'Reilly wrote:
> I'm trying to get an OpenLDAP client to use TLS to talk to a (non-OpenLDAP) LDAP server.  This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients).

Verify the server is configured properly for LDAP over TLS (ldaps://)
using the OpenSSL s_client program (with certificate verification

Once you have that working, you should be able to translate the
s_client configuration directly into an ldap.conf configuration
(OpenLDAP uses OpenSSL, TLS configuration options are directly
passed to OpenSSL).

Note that s_client does do LDAP-specific certificate checks (as
discussed in RFC 4513)... so don't be surprised if ldapsearch(1)
(or other OpenLDAP command line programs) fail due to these
additional checks.


> I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system.  However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)".  When I use port 389 and no TLS, it all works fine.
> Any ideas?  My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.
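The two-step procedure in the reply above (prove the server with openssl s_client, then carry the same trust settings into ldap.conf), written out as an added example that is not part of the original thread. It also covers two practitioner details the thread touches on: OpenLDAP is built on OpenSSL and loads PEM, so a DER-format P7B bundle has to be unpacked first; and -Z/-ZZ sends a cleartext StartTLS request, which belongs with ldap:// on port 389, whereas port 636 expects a TLS handshake from the first byte and is addressed with ldaps:// and no -Z at all. The host name ldap.example.com and the file paths are placeholders, and -starttls ldap is assumed to be available (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the original thread): verify a server's TLS setup
# with openssl s_client, then mirror those settings into ldap.conf.
# ldap.example.com and the file paths below are placeholders.

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
CA_P7B="${CA_P7B:-ca.p7b}"                      # DER PKCS#7 bundle, as exported from the CA
CA_PEM="${CA_PEM:-/etc/openldap/certs/ca.pem}"  # what OpenLDAP (via OpenSSL) expects

# 0. OpenLDAP loads PEM, not DER PKCS#7: unpack the bundle into PEM certificates.
p7b_to_pem() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# 1a. ldaps:// (TLS from the first byte, port 636) with chain verification.
#     "Verify return code: 0 (ok)" in the output means the CA file is right;
#     -verify_return_error makes a failed verification abort the handshake.
check_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error </dev/null
}

# 1b. StartTLS on port 389 (assumes OpenSSL 1.1.1+ for -starttls ldap).
check_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$2" -verify_return_error </dev/null
}

# 2. The same trust anchor and strict verification, expressed as ldap.conf.
#    TLS_REQCERT demand is already the default; it is written out so that
#    nobody relaxes it without the change being visible.
ldap_conf_for() {
    printf 'URI ldaps://%s\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$1" "$2"
}

# 3. Match the ldapsearch form to the port. -Z/-ZZ sends a cleartext StartTLS
#    request, so it pairs with ldap:// on 389; sent to 636 it hands cleartext
#    LDAP to a port waiting for a TLS ClientHello, the server drops the
#    connection and the client reports "Can't contact LDAP server (-1)".
#    Prints one of: ldaps | starttls | plaintext | mismatch.
tls_mode() {
    uri="$1"; use_z="$2"          # use_z: yes when -Z/-ZZ is passed
    case "$uri" in
        ldaps://*) [ "$use_z" = no ]  && echo ldaps    || echo mismatch ;;
        ldap://*)  [ "$use_z" = yes ] && echo starttls || echo plaintext ;;
        *)         echo mismatch ;;
    esac
}

# Build the ldapsearch invocation for a URI, refusing the mismatched case.
ldapsearch_cmd() {
    case "$(tls_mode "$1" "$2")" in
        ldaps)    echo "ldapsearch -H $1 -x -b '' -s base" ;;
        starttls) echo "ldapsearch -H $1 -ZZ -x -b '' -s base" ;;
        *)        echo "refusing: $1 with -Z=$2 is not a TLS configuration" >&2; return 1 ;;
    esac
}

main() {
    p7b_to_pem "$CA_P7B" "$CA_PEM"
    check_ldaps "$LDAP_HOST" "$CA_PEM"
    ldap_conf_for "$LDAP_HOST" "$CA_PEM" > ldap.conf
    ldapsearch_cmd "ldaps://$LDAP_HOST" no
}
# main   # run by hand once LDAP_HOST and CA_P7B point at real values
```

If check_ldaps verifies but ldapsearch still fails with the same CA file, the remaining difference is the LDAP-specific certificate checks the reply mentions (RFC 4513): the host name you connect to has to match what the server certificate names, so connect by the name in the certificate rather than by IP or a short alias.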