[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL problems

Buchan Milne wrote:
It seems you don't seem to understand the difference between SASL and TLS.

As it turns out, that's probably true. (I thought it was "simpler" than it really is...)

Since the subject of your mail is about TLS, I assume that simple binds (where the cleartext password is sent to the LDAP server) are acceptable, *if* they are sent over an encrypted connection (e.g. TLS).


1)Always use -ZZ (with -x of course) if your LDAP server supports the STARTTLS operation
2)Use an ldaps:// URI, if your LDAP server is listening on the ldaps port (e.g. slapd started with -h 'ldap:/// ldaps:///')
3)Set the URI in the OpenLDAP library configuration file (usually /etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) to a URI containing ldaps://

The following works:
ldapsearch -x -ZZ -h ldap-server.example.com
ldapsearch -x -H ldaps://ldap-server.example.com
ldapsearch -x -H ldaps://ldap-server.example.com -D "cn=manager,dc=example,dc=com" -W

4)Enforce encryption on the server side for all operations via the 'security' directives in slapd.conf
5)Enforce encryption on the server side for operations on specific attributes via the ssf keyword in ACLs ("access" directives).

Perfect. That's next on my list.

It is possible that the upgrade to 2.3.35 (from 2.2.13) fixed whatever problem I was having.

Thanx so much for everyone's help.