
Re: TLS/SSL problems



Buchan Milne wrote:
It seems you don't seem to understand the difference between SASL and TLS.

As it turns out, that's probably true. (I thought it was "simpler" than it really is...)


Since the subject of your mail is about TLS, I assume that simple binds (where the cleartext password is sent to the LDAP server) are acceptable, *if* they are sent over an encrypted connection (e.g. TLS).

Exactly.

1) Always use -ZZ (with -x of course) if your LDAP server supports the STARTTLS operation
2) Use an ldaps:// URI, if your LDAP server is listening on the ldaps port (e.g. slapd started with -h 'ldap:/// ldaps:///')
3) Set the URI in the OpenLDAP library configuration file (usually /etc/openldap/ldap.conf, or /etc/ldap/ldap.conf on Debian) to a URI containing ldaps://

The following works:
ldapsearch -x -ZZ -h ldap-server.example.com
-or-
ldapsearch -x -H ldaps://ldap-server.example.com
-or-
ldapsearch -x -H ldaps://ldap-server.example.com -D "cn=manager,dc=example,dc=com" -W



4) Enforce encryption on the server side for all operations via the 'security' directives in slapd.conf
5) Enforce encryption on the server side for operations on specific attributes via the ssf keyword in ACLs ("access" directives).

Perfect. That's next on my list.

It is possible that the upgrade to 2.3.35 (from 2.2.13) fixed whatever problem I was having.

Thanks so much for everyone's help.

Craig
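As a worked example of points 3 to 5 above (added here, not part of the thread or of any particular OpenLDAP distribution's defaults): the client-side ldap.conf that makes every tool default to ldaps://, and the slapd.conf fragments that enforce encryption globally and then again per attribute. Hostnames, certificate paths, the base DN and the chosen strength of 128 are assumptions; adjust them to your deployment.

```conf
# ---- /etc/openldap/ldap.conf (point 3: client library defaults) ----
# With this in place, "ldapsearch -x" with no -H/-h already talks ldaps://.
URI         ldaps://ldap-server.example.com
BASE        dc=example,dc=com
# Verify the server certificate against this CA; "demand" aborts the
# connection if verification fails instead of silently continuing.
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_REQCERT demand

# ---- /etc/openldap/slapd.conf (server side) ----
# TLS credentials; needed for both STARTTLS (-ZZ) and ldaps://.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/ldap-server.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap-server.example.com.key

# Point 4: weak setting vs. corrected setting.
# Weak (the implicit default): no minimum, so "ldapsearch -x -D ... -W"
# over plain ldap:// sends the password in cleartext and is accepted.
#security ssf=0
# Corrected: every operation needs a session with at least 128 bits of
# protection, and a simple bind below that is refused outright.
security ssf=128 simple_bind=128

# Point 5: tie password access to the session strength as well. A session
# that is not encrypted (ssf=0) matches none of the ssf=128 clauses and
# falls through to "by * none", so the attribute is never exposed.
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by ssf=128 users compare
    by * none

access to *
    by self write
    by users read
    by * none
```

The global `security` line is the safety net; the per-attribute `ssf=` clauses document the intent next to the data they protect and keep userPassword covered even if someone later relaxes the global directive. After editing slapd.conf, a quick check is to repeat the three ldapsearch invocations from this thread and then one more without -ZZ and without an ldaps:// URI: the first three should succeed and the last should be rejected by the server.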