Re: TLS problem



On Wednesday, 7 July 2010 11:17:27 Cedric Jeanneret wrote:
> Hello,
> 
> I'm trying to configure an openldap with TLS so that all connections are
>  encrypted.
> 
> Here's the relevant part of my slapd.conf:
> 
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSVerifyClient never
> TLSCertificateFile /etc/ldap/ssl/server.crt
> TLSCertificateKeyFile /etc/ldap/ssl/server.key
> 
> Here's my ldap.conf:
> 
> URI ldaps://my.server.ltd
> BASE dc=my,dc=server,dc=ltd
> LDAP_VERSION 3
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> ssl start_tls
> ssl on

You should *either* use an ldaps:/// URI (for ldaps), or use an ldap:/// URI 
with 'ssl start_tls'. While you may have a working client configuration 
(probably trying ldaps), you'll probably confuse someone ....

> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> 
> 
> While starting slapd with:
> slapd -h 'ldaps:///' -g openldap -u openldap  -d 16383

You are only listening on ldaps, so unless you change your -h argument, you 
can't do START_TLS.

> 
> and trying to connect to it with:
> ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar"
>  -S cn -h my.server.ltd -p 636 cn

So, you have just tried to do a START_TLS bind on the ldaps port, which is 
obviously not how things are supposed to work. Either use -H 
ldaps:///my.server.tld without -Z, or -H ldap://my.server.tld or -h 
my.server.tld *with* -Z.

Please note that ldaps (usually port 636) is different to START_TLS, you can't 
use both, you can not do START_TLS on the ldaps port, and you can't do ldaps 
on the normal ldap port (which is where you do START_TLS).

Since your slapd is only listening on ldaps, you should probably try with -H 
ldaps://my.server.tld (no -Z).

> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards,
Buchan
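The rules Buchan states above (ldaps and START_TLS are mutually exclusive on the client side, START_TLS needs a plain ldap:// listener, and -Z must not be pointed at the ldaps port) are easy to get wrong, so here is a small consistency checker that applies them to an ldap.conf, the slapd -h listener string and an ldapsearch command line. This is an added example, not code from the OpenLDAP project or from either poster; the config and command contents are constructed to mirror the original post, and the check treats only the URI scheme and `ssl start_tls` as the client's intent (the deprecated `ssl on` line is deliberately ignored).

```python
"""Check that an OpenLDAP client/server setup does not mix ldaps and START_TLS.

Added example (not OpenLDAP code). Assumptions: ldap.conf uses
"KEYWORD value" lines; slapd's -h argument is a space-separated list of
listener URIs; ldapsearch uses -Z for START_TLS and -H/-h/-p for the target.
"""
from urllib.parse import urlsplit

# Constructed to mirror the ldap.conf in the original post.
LDAP_CONF = """URI ldaps://my.server.ltd
BASE dc=my,dc=server,dc=ltd
LDAP_VERSION 3

#SIZELIMIT      12
ssl start_tls
ssl on
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
"""

# Constructed: what the reply recommends (ldaps URI, no START_TLS directive).
LDAP_CONF_LDAPS_ONLY = "URI ldaps://my.server.ltd\nBASE dc=my,dc=server,dc=ltd\n"

# Constructed: the START_TLS alternative (plain ldap URI plus ssl start_tls).
LDAP_CONF_STARTTLS = "URI ldap://my.server.ltd\nssl start_tls\n"

# Constructed to mirror the slapd and ldapsearch invocations in the post.
SLAPD_LISTENERS = "ldaps:///"
CLIENT_CMD = ("ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd "
              "-w foo.bar -S cn -h my.server.ltd -p 636 cn")


def parse_ldap_conf(text):
    """Map lowercased keyword -> list of values; skip blanks and '#' comments.
    A list is kept per keyword because 'ssl' may legitimately appear twice."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def listener_schemes(slapd_h):
    """URL schemes slapd will listen on, e.g. {'ldap', 'ldaps'} for -h 'ldap:/// ldaps:///'."""
    return {urlsplit(u.strip("'\"")).scheme for u in slapd_h.split()}


def check_tls_setup(ldap_conf_text, slapd_h):
    """Return a list of problems (empty list means the combination is consistent)."""
    problems = []
    conf = parse_ldap_conf(ldap_conf_text)
    client_schemes = {urlsplit(u).scheme for u in " ".join(conf.get("uri", [])).split()}
    wants_start_tls = "start_tls" in {v.lower() for v in conf.get("ssl", [])}
    wants_ldaps = "ldaps" in client_schemes
    listeners = listener_schemes(slapd_h)

    if wants_start_tls and wants_ldaps:
        problems.append("ldap.conf asks for both an ldaps:// URI and START_TLS; use one or the other")
    if wants_start_tls and "ldap" not in listeners:
        problems.append("START_TLS needs a plain ldap:// listener, but slapd only listens on: "
                        + ", ".join(sorted(listeners)))
    if wants_ldaps and "ldaps" not in listeners:
        problems.append("ldaps:// requested but slapd has no ldaps:// listener")
    return problems


def check_client_command(argv):
    """Flag -Z (START_TLS) aimed at an ldaps target, as in the original ldapsearch call."""
    use_start_tls = "-Z" in argv or "-ZZ" in argv
    uri = argv[argv.index("-H") + 1] if "-H" in argv else None
    port = int(argv[argv.index("-p") + 1]) if "-p" in argv else 389  # ldap default
    targets_ldaps = (urlsplit(uri).scheme == "ldaps") if uri else (port == 636)
    if use_start_tls and targets_ldaps:
        return ["-Z (START_TLS) combined with an ldaps target; drop -Z or use ldap://"]
    return []


def run_checks():
    """Apply both checks to the constructed setup from the post."""
    return {
        "setup": check_tls_setup(LDAP_CONF, SLAPD_LISTENERS),
        "client": check_client_command(CLIENT_CMD.split()),
    }


if __name__ == "__main__":
    for section, found in run_checks().items():
        for problem in found:
            print(f"{section}: {problem}")
```

Running it on the poster's setup reports that ldap.conf mixes an ldaps URI with `ssl start_tls`, that START_TLS cannot work against a server that only listens on ldaps:///, and that the ldapsearch line points -Z at port 636; the two corrected ldap.conf variants pass cleanly against the matching listener.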