[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS Inquiry

Steve Finkelstein writes:
> [root@bar cacerts]# ldapsearch -x -h "ldap.domain.com" -p 636 -v

You are trying to use the LDAP protocol against the LDAPS port, which
expects the TLS protocol.  That does not work.

The clients do not deduce the protocol from the port number.  They
deduce the _default_ port number (which you can override) from the

There are two ways to use TLS:

1. ldapsearch -x -ZZ -h "ldap.domain.com" ...

This uses the LDAP protocol (on port 389), and -ZZ tells the client to
use the StartTLS LDAP.  This switches to the TLS protocol and then
resumes LDAP "inside" that protocol.

2. ldapsearch -x -H "ldaps://ldap.domain.com/" ...

This uses the LDAPS protocol (on port 636).  This port listens for TLS
as if StartTLS had already been done.

BTW, don't combine -ZZ and ldaps://.  You can't start TLS when TLS is
already started.