
Re: back-ldap and ldaps not working



--On Friday, July 07, 2017 6:27 PM +0000 Jon C Kidder <jckidder@aep.com> wrote:


> olcDbStartTLS: ldaps  starttls=no
> tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer"
> tls_reqcert=demand tls_crlcheck=none

There is no such option as "starttls" for the olcDbStartTLS parameter.
From the man page:

       tls {[try-]start|[try-]propagate|ldaps} [tls_cert=<file>] [tls_key=<file>]
              [tls_cacert=<file>] [tls_cacertdir=<path>]
              [tls_reqcert=never|allow|try|demand]
              [tls_cipher_suite=<ciphers>] [tls_crlcheck=none|peer|all]
              Specify the use of TLS when a regular connection is initialized. The StartTLS extended operation will be used unless the URI directive protocol scheme is ldaps://. In that case this keyword may only be set to "ldaps" and the StartTLS operation will not be used. propagate issues the StartTLS operation only if the original connection did. The try- prefix instructs the proxy to continue operations if the StartTLS operation failed; its use is not recommended.

My guess then is everything past that point is ignored, since you've provided invalid configuration data.

The attribute is also poorly named, as it may or may not have anything to do with startTLS. More likely it should have just been called olcDbTLS.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
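As an added illustration (not part of this thread and not OpenLDAP's own code), the small checker below validates an olcDbStartTLS value against the grammar in the slapd-ldap(5) excerpt quoted above: the leading mode keyword, the known tls_* sub-options, their permitted values, and the rule that an ldaps:// URI requires the "ldaps" mode. Run against the value from the original post it reports the stray "starttls=no" token; with that token removed it passes. The function name check_olcdbstarttls, the constants, and the URI ldaps://ldap.example.com are hypothetical; the checker mirrors only the man page text, not slapd's real config parser, so a clean result here does not guarantee slapd accepts the value.

```python
import shlex

# Leading keywords accepted by olcDbStartTLS, as listed in the slapd-ldap(5)
# excerpt quoted in the thread.
TLS_MODES = {"start", "try-start", "propagate", "try-propagate", "ldaps"}

# Sub-options from the same excerpt. A set lists the permitted values;
# None means any non-empty value (file paths, cipher strings).
TLS_OPTIONS = {
    "tls_cert": None,
    "tls_key": None,
    "tls_cacert": None,
    "tls_cacertdir": None,
    "tls_reqcert": {"never", "allow", "try", "demand"},
    "tls_cipher_suite": None,
    "tls_crlcheck": {"none", "peer", "all"},
}


def check_olcdbstarttls(value, uri=None):
    """Return a list of problems found in an olcDbStartTLS value; [] means OK.

    Hypothetical checker: it follows only the grammar in the man page excerpt,
    not slapd's own config parser. If `uri` (the olcDbURI value) is given and
    its scheme is ldaps://, the mode must be "ldaps", as the man page states.
    """
    problems = []
    tokens = shlex.split(value)  # shlex handles the quoted file path
    if not tokens:
        return ["empty value"]
    mode, options = tokens[0], tokens[1:]
    if mode not in TLS_MODES:
        problems.append(f"unknown TLS mode {mode!r}; expected one of {sorted(TLS_MODES)}")
    if uri is not None and uri.lower().startswith("ldaps://") and mode != "ldaps":
        problems.append(f"URI scheme is ldaps://, so the mode must be 'ldaps', not {mode!r}")
    for token in options:
        key, sep, val = token.partition("=")
        if not sep:
            problems.append(f"bare word {token!r}: sub-options must be key=value")
            continue
        if key not in TLS_OPTIONS:
            problems.append(f"unknown option {key!r}")
            continue
        allowed = TLS_OPTIONS[key]
        if not val:
            problems.append(f"{key}: empty value")
        elif allowed is not None and val not in allowed:
            problems.append(f"{key}: {val!r} not in {sorted(allowed)}")
    return problems


# The value from the original post, joined onto one line.
CONFIG_FROM_THREAD = (
    'ldaps  starttls=no tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer" '
    'tls_reqcert=demand tls_crlcheck=none'
)

# The same value with the unsupported "starttls=no" token dropped.
CONFIG_CORRECTED = (
    'ldaps tls_cacert="/appl/openldap/etc/openldap/tls/cacerts.cer" '
    'tls_reqcert=demand tls_crlcheck=none'
)

if __name__ == "__main__":
    # ldaps://ldap.example.com is a constructed placeholder URI.
    for label, cfg in (("as posted", CONFIG_FROM_THREAD), ("corrected", CONFIG_CORRECTED)):
        print(label, check_olcdbstarttls(cfg, uri="ldaps://ldap.example.com") or "OK")
```

Checking the whole value rather than only the first keyword matters because, as noted above, an invalid token can silently discard everything after it, so the tls_cacert and tls_reqcert=demand settings that follow would never take effect.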