[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP client TLS configuration

Port 636 is for SSL, while -ZZ sends the Start TLS Extended Operation (sent to a plaintext port). The two wouldn't usually be used together. Try either ldapsearch -ZZ -H ldap://host/ or ldapsearch -H ldaps://host:636/ but not ldapsearch -ZZ -H ldap://host:636, for example.

On Thu, 21 Sep 2006, Dan O'Reilly wrote:

I'm trying to get an OpenLDAP client to use TLS to talk to (non-OpenLDAP) LDAP server. This LDAP server is properly configured for TLS (as verified by other (non-OpenLDAP) LDAP clients). I've generated the DER-format P7B file that contains the CA's trusted root certificate and copied it to my VMS system. However, whenever I try to use, say, ldapsearch with the -ZZ option and port 636, it always comes back with "Can't contact LDAP server (-1)". When I use port 389 and no TLS, it all works fine.

Any ideas? My LDAP.CONF file has TLS_CACERT and TLS_CACERTDIR entries in it, but I wouldn't swear this file is even being used.