[Date Prev][Date Next]
Re: TLS problem
On Wednesday, 7 July 2010 11:17:27 Cedric Jeanneret wrote:
> I'm trying to configure an openldap with TLS so that all connections are
> Here's the revelent part of my slapd.conf:
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSVerifyClient never
> TLSCertificateFile /etc/ldap/ssl/server.crt
> TLSCertificateKeyFile /etc/ldap/ssl/server.key
> Here's my ldap.conf:
> URI ldaps://my.server.ltd
> BASE dc=my,dc=server,dc=ltd
> LDAP_VERSION 3
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> ssl start_tls
> ssl on
You should *either* use an ldaps:/// URI (for ldaps), or use an ldap:/// URI
with 'ssl start_tls'. While you may have a working client configuration
(probably trying ldaps), you'll probably confuse someone ....
> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> While starting slapd with:
> slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
You are only listening on ldaps, so unless you change your -h argument, you
can't do START_TLS.
> and trying to connect to it with:
> ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar"
> -S cn -h my.server.ltd -p 636 cn
So, you have just tried to do a START_TLS bind on the ldaps port, which is
obviously not how things are supposed to work. Either use -H
ldaps:///my.server.tld without -Z, or -H ldap://my.server.tld or -h
my.server.tld *with -Z.
Please note that ldaps (usually port 636) is different to START_TLS, you can't
use both, you can not do START_TLS on the ldaps port, and you can't do ldaps
on the normal ldap port (which is where you do START_TLS).
Since your slapd is only listening on ldaps, you should probably try with -H
ldaps://my.server.tld (no -Z).
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
- TLS problem
- From: Cedric Jeanneret <firstname.lastname@example.org>