[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5273) ldap.conf and TLS as a default

Full_Name: Douglas Klima
Version: 2.3.
OS: Linux
Submission from: (NULL) (

I was looking for a way to make TLS the default in
/etc/openldap/ldap.conf however it currently seems impossible. You can
specify LDAP over clear text and LDAP over SSL but you can't specify
LDAP over TLS (I'm talking about "start_tls"). It seems like ldaps:// is
deprecated in favor of ldap:// + TLS, which is why I'm trying to
configure this.

Currently my /etc/openldap/ldap.conf looks like:
BASE	dc=example,dc=com
URI	ldap://srv1.example.com	ldap://srv2.example.com
TLS_CACERTDIR	/etc/ssl/certs

If I do the following:
$ ldapsearch
ldap_bind: Confidentiality required (13)
	additional info: TLS confidentiality required

If I change URI to have "ldaps://srv1.example.com:389", then
$ ldapsearch
just hangs until it times out. Clearly it's not using start_tls.

Now if I change URI back to it's original setting and do:

$ ldapsearch -Z
# search result
search: 3
result: 0 Success

# numResponses: 54
# numEntries: 53

I get a successful lookup. I'm basically looking for a way to pass "-Z"
in /etc/openldap/ldap.conf and in .ldaprc

Initially I tried to send this to the OpenLDAP ML but was told by MacJobBz to
submit this to ITS.