Re: back-ldap and ldaps not working
--On Friday, July 07, 2017 6:27 PM +0000 Jon C Kidder <jckidder@aep.com> wrote:
olcDbStartTLS: ldaps starttls=no
tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer"
tls_reqcert=demand tls_crlcheck=none
There is no such option as "starttls" for the olcDbStartTLS parameter.
From the man page:
tls {[try-]start|[try-]propagate|ldaps} [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
    Specify the use of TLS when a regular connection is initialized. The StartTLS extended operation will be used unless the URI directive protocol scheme is ldaps://. In that case this keyword may only be set to "ldaps" and the StartTLS operation will not be used. propagate issues the StartTLS operation only if the original connection did. The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is not recommended.
My guess then is everything past that point is ignored, since you've
provided invalid configuration data.
The attribute is also poorly named, as it may or may not have anything to
do with startTLS. More likely it should have just been called olcDbTLS.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
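A small validator for olcDbStartTLS values written against the slapd-ldap(5) grammar quoted above, added here as an example; it is not code from the thread or from OpenLDAP, and the check_starttls function and its uri_scheme parameter are assumptions of this example. It reports the "starttls=no" token from the original post as an unknown option and accepts the same value with that token removed.

```python
"""Validate a back-ldap olcDbStartTLS value against the 'tls' directive
grammar from slapd-ldap(5). Example code, not part of OpenLDAP."""
import shlex

MODES = {"start", "try-start", "propagate", "try-propagate", "ldaps"}
# Allowed sub-option values; None means any non-empty string (path, cipher list).
OPTIONS = {
    "tls_cert": None,
    "tls_key": None,
    "tls_cacert": None,
    "tls_cacertdir": None,
    "tls_reqcert": {"never", "allow", "try", "demand"},
    "tls_cipher_suite": None,
    "tls_crlcheck": {"none", "peer", "all"},
}


def check_starttls(value, uri_scheme="ldap"):
    """Return (errors, warnings) for one olcDbStartTLS value.

    uri_scheme is the scheme of the back-ldap 'uri' directive, 'ldap' or
    'ldaps' (assumed parameter). Empty errors means the value parses."""
    errors, warnings = [], []
    tokens = shlex.split(value)  # honours quoted paths like tls_cacert="/a b/c"
    if not tokens:
        return ["empty value"], warnings
    mode, rest = tokens[0], tokens[1:]
    if mode not in MODES:
        errors.append(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    else:
        if uri_scheme == "ldaps" and mode != "ldaps":
            errors.append("uri is ldaps://, so only the 'ldaps' keyword is allowed")
        if mode.startswith("try-"):
            warnings.append("try- continues after a failed StartTLS; not recommended")
    for tok in rest:
        key, sep, val = tok.partition("=")
        if not sep or key not in OPTIONS:
            errors.append(f"unknown option {tok!r}")  # e.g. starttls=no
            continue
        allowed = OPTIONS[key]
        if not val:
            errors.append(f"{key} needs a value")
        elif allowed is not None and val not in allowed:
            errors.append(f"{key}={val!r} not in {sorted(allowed)}")
    return errors, warnings
```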